<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK' magic value
    mov ax, 04h            ; BoundsChecker request 4
    int 3                  ; SoftICE changes al when it handles this int 3
    cmp al, 4              ; al unchanged -> no SoftICE
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:

    -AX = 0910h (Display string in the SIce window)
    -AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
    -AX = 0912h (Get breakpoint information)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:

    -SI = 4647h
    -DI = 4A4Dh

which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h          ; int 2Fh function: get VxD API entry point
    mov bx, 0202h          ; VxD ID of WINICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di             ; ES:DI stays 0:0 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h          ; int 2Fh function: get VxD API entry point
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                 ; ES must be 0 here (IVT segment), as in Method 06
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]      ; ...saving the old vector in dx:bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h             ; still answered -> a debugger sits below the IVT
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; arbitrary value (timer port)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]        ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; our handler was not reached -> debugger present
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; int 21h: set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; -1 (HFILE_ERROR) becomes 0 on failure
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh         ; function 4Fh
    push 002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

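Most of the tricks above (Methods 01, 02, 03/04, 05, 07 and 12) reduce to a few fixed immediates and interrupt numbers, and Method 11 to a handful of device-name strings, so a static scan of an unpacked binary can flag them before you single-step into one. The scanner below is an added example, not code from the original text nor from any of the tools it names: the opcode bytes are the standard x86 encodings of the instructions quoted on this page (both the 2-byte and 5-byte form of `push 4Fh` are accepted), while the 16-byte proximity window, the signature names and the sample buffer are constructed for this example.

```python
"""Static scanner for the anti-SoftICE signatures described on this page.

Added example, not part of the original text. It matches the byte encodings
of the instruction sequences quoted for Methods 01, 02, 03/04, 05, 07 and 12
and the device names opened by Method 11 (MeltICE). WINDOW, the names and
SAMPLE are constructed for the example; the encodings are standard x86.
"""
from typing import List, Sequence, Tuple

# A signature is an anchor byte string plus groups of fragments; one fragment
# of every group must appear within WINDOW bytes of the anchor, in any order,
# so register setup may precede or follow the interrupt.
Signature = Tuple[str, bytes, Sequence[Sequence[bytes]]]
WINDOW = 16

SIGNATURES: List[Signature] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("Method 01: BoundsChecker 'BCHK' int 3",
     b"\xBD\x4B\x48\x43\x42", [[b"\xCC"], [b"\x3C\x04"]]),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values)
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     b"\xBE\x47\x46", [[b"\xBF\x4D\x4A"]]),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("Method 03/04: int 2Fh/1684h VxD ID lookup (SICE or SIWVID)",
     b"\xCD\x2F", [[b"\xB8\x84\x16"], [b"\xBB\x02\x02", b"\xBB\x5F\x7A"]]),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("Method 05: int 41h/4Fh magic 0F386h",
     b"\xCD\x41", [[b"\xB8\x4F\x00"], [b"\x3D\x86\xF3"]]),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("Method 07: int 68h/43h magic 0F386h",
     b"\xCD\x68", [[b"\xB4\x43"], [b"\x3D\x86\xF3"]]),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall ; cmp ax,0F386h
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah)",
     b"\x68\x2A\x00\x2A\x00",
     [[b"\x6A\x4F", b"\x68\x4F\x00\x00\x00"], [b"\x3D\x86\xF3"]]),
    # Method 11: device names opened via CreateFileA / _lopen (ANSI form only)
    ("Method 11: MeltICE device name \\\\.\\SICE", b"\\\\.\\SICE", []),
    ("Method 11: MeltICE device name \\\\.\\SIWVID", b"\\\\.\\SIWVID", []),
    ("Method 11: MeltICE device name \\\\.\\NTICE", b"\\\\.\\NTICE", []),
]


def _near(buf: bytes, pos: int, end: int, alternatives: Sequence[bytes]) -> bool:
    """True if any alternative fragment lies within WINDOW bytes of [pos, end)."""
    region = buf[max(0, pos - WINDOW):min(len(buf), end + WINDOW)]
    return any(alt in region for alt in alternatives)


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, anchor offset) for every anchor occurrence whose
    required fragment groups are all satisfied nearby, sorted by offset."""
    hits = []
    for name, anchor, required in SIGNATURES:
        pos = buf.find(anchor)
        while pos != -1:
            end = pos + len(anchor)
            if all(_near(buf, pos, end, group) for group in required):
                hits.append((name, pos))
            pos = buf.find(anchor, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


GAP = b"\x90" * 24  # NOP filler keeps the constructed cases outside each other's window

# Constructed sample blob (not a real binary): four tricks from the page, one
# device name, and an int 41h/4Fh call with no 0F386h compare (must not match).
SAMPLE = (
    GAP
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"            # mov ax, 4
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al, 4
    + b"\x75\x10"                    # jnz SoftICE_Detected (placeholder target)
    + GAP
    + b"\xB8\x11\x09"                # mov ax, 0911h  (16-bit code)
    + b"\xBE\x47\x46"                # mov si, 4647h
    + b"\xBF\x4D\x4A"                # mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + GAP
    + b"\xB8\x4F\x00"                # mov ax, 4Fh
    + b"\xCD\x41"                    # int 41h
    + b"\x3D\x86\xF3"                # cmp ax, 0F386h
    + GAP
    + b"\xB8\x4F\x00\xCD\x41"        # int 41h/4Fh with no magic compare: no hit
    + GAP
    + b"\x6A\x4F"                    # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"        # push 002A002Ah  (VWIN32_Int41Dispatch)
    + b"\xFF\x15\x00\x00\x00\x00"    # call [Kernel32!ORD_0001] (placeholder address)
    + b"\x66\x3D\x86\xF3"            # cmp ax, 0F386h
    + GAP
    + b"\\\\.\\SICE\x00"             # device name string used by MeltICE
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a dumped, unpacked image rather than on a packed file, since packers encrypt exactly these bytes; a hit gives you the offset to set a BPX on, and the window check keeps a stray `int 41h` or a lone `cmp ax,0F386h` from being reported on its own.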
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>