<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table (added here, as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; our handler leaves ax unchanged, SoftICE returns 0F386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al ; our handler copies the random value from al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; random value read from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl==al only if our handler was really called
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* CreateFile resolves to CreateFileA in an ANSI build; the device
    name "\\.\SICE" is the SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE; /* the driver answered: SoftICE is loaded */
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
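As an added example (my own code, not part of this text nor of any tool it names), here is a small Python scanner that looks for the byte-level fingerprints of the checks above (methods 01 to 05, 07, 11, 12 and 13) in a raw executable image, the way an analyst triages a packed sample. The opcode encodings, the regex windows and the sample buffer are my assumptions; the buffer is constructed by hand, not taken from a real program.

```python
import re
from typing import List, Tuple

# Byte signatures for the SoftICE checks described in Methods 01-13 above
# (16-bit encodings for the int-based checks, 32-bit for Method 12). x86
# immediates are little-endian, so 'BCHK' = 0x4243484B is stored as 4B 48 43 42;
# .{0,n}? lets a few unrelated instructions sit between those of one check.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42"),                               # mov ebp,4243484Bh
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"),                   # mov si / mov di
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h/4Fh, magic 0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3"),   # allows Stone's xchg pair
    ("Method 07: int 68h/43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("Method 11: MeltICE driver name",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),                   # "\\.\SICE" etc.
    ("Method 12: VxDCall VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                       # push 4Fh / push 2A002Ah
    ("Method 13: NuMega registry key",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]

def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)

def found_methods(blob: bytes) -> List[str]:
    """Distinct method labels present in the blob, e.g. ['Method 01', ...]."""
    return sorted({name.split(":")[0] for _, name in scan(blob)})

# Constructed test image (not from any real program): padding, then hand-
# assembled fragments of Methods 01, 02, 03, 05 and 12, then the MeltICE
# device name and the NuMega registry key string.
SAMPLE = (
    b"\x90\x90"
    b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"         # mov ebp,'BCHK'; mov ax,4; int 3
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"     # mov ax,911h; mov si; mov di; int 3
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"             # mov ax,1684h; mov bx,202h; int 2Fh
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"             # mov ax,4Fh; int 41h; cmp ax,0F386h
    b"\x6A\x4F\x68\x2A\x00\x2A\x00"                 # push 4Fh; push 2A002Ah
    b"\\\\.\\SICE\x00"
    b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08X}  {name}")
```

A real scan would run it over each section of the unpacked image; hits in a packer stub are expected, hits inside application code are what merit a closer look.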
6 x( V* f7 L! [# l* G2 o</PRE></TD></TR></TBODY></TABLE> |