About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
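Added example, not part of the original post: a small static triage scanner that flags the byte patterns of several of the tricks above (methods 01, 02, 03/04, 05, 07, 11, 12, 13 and the 0F386h magic compare) in a file, the way an analyst sizes up a packed sample before loading it in a debugger. The opcode encodings are my assumptions derived from the listings (16-bit DOS encodings for the int 3 / int 2Fh / int 41h / int 68h sequences, 32-bit encodings for the 'BCHK' and VxDCall sequences), the small gaps in the patterns tolerate a few interleaved instructions, and the sample blob is constructed for the demonstration.

```python
"""Static triage for the anti-SoftICE tricks listed in the post (added example).

Each rule pairs a method number from the post with a byte regex for the
instruction sequence or string that trick leaves in a binary.  Encodings are
assumptions: 16-bit DOS code for the int 3/2Fh/41h/68h tricks and 32-bit Win32
code for the 'BCHK' and VxDCall tricks.  The '.{0,n}?' gaps tolerate a few
interleaved instructions, so treat hits as leads to confirm, not as proof.
"""
import re
import sys
from typing import List, Tuple

RULES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     re.compile(rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46).{0,6}?\xCC",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID query (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h WinICE handler check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: the \\.\SICE, \\.\SIWVID and \\.\NTICE device names (MeltICE)
    ("11 MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 2A002Ah before VxDCall (VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: the NuMega registry key string
    ("13 SoftICE registry key",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE)),
    # Magic value compared by methods 05/06/07/12: cmp ax,0F386h (3D 86 F3)
    ("xx cmp ax,0F386h (low confidence: bare constant)",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, rule name, matched bytes as hex) for every hit, by offset."""
    hits: List[Tuple[int, str, str]] = []
    for name, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name, m.group(0).hex()))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a file on disk (whole file in memory; fine for the sizes at hand)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: NOP/zero padding around three of the sequences above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # method 01 at offset 4
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03 at offset 18
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                            # MeltICE string at offset 30
    + b"\x90" * 4
)


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name, hexbytes in results:
        print(f"{off:08x}  {name:52s} {hexbytes}")
```

Run it with a file path to scan a real sample, or without arguments to see the three hits in the constructed blob. The hits are only a starting point: the same constants can occur in unrelated data, and a packer that builds the values at run time leaves none of these patterns, which is why the post's own breakpoint conditions (BPX on CreateFileA, BPINT 41, Get_DDB and so on) remain the dynamic complement to a static pass like this.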