<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE answers by changing al
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 when the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next snippet, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The snippet temporarily replaces
the int 41h vector with its own handler (ES is assumed to be 0, i.e. the
interrupt vector table segment, as in Method 06):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]   ; swap in our handler (segment)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value from the timer port
        xor cx,cx
        int 41h                 ; our handler copies al into cl...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless a debugger took the interrupt
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE loader, 0x400 otherwise) or if there are some memory breakpoints set
(dr0 to dr3), simply by reading their value (in ring0 only). The values can
be manipulated and/or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
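The DR7 values quoted above (0x700 and 0x400) are easier to reason about once the register is split into its fields. The following Python decoder is an added example, not part of the original text: it follows the IA-32 DR7 layout (per-breakpoint L/G enable bits in the low byte, R/W and LEN fields from bit 16 up, and the LE, GE and GD flags; bit 10 is reserved and always reads as 1, which is where the 0x400 baseline comes from) and applies the text's 0x700-versus-0x400 heuristic. The value 0x000D0409 is a constructed sample with two breakpoints armed.

```python
# DR7 decoder for the values discussed in Method 10. Added example; field
# layout per the IA-32 architecture, sample values constructed here.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                             # LENn field


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the armed breakpoints."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Li: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1     # Gi: bits 1, 3, 5, 7
        if not (local or glob):
            continue                        # DRi is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wi: 2 bits at 16 + 4*i
        ln = (dr7 >> (18 + 4 * i)) & 3      # LENi: 2 bits at 18 + 4*i
        breakpoints.append({
            "index": i,
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 & 0x100),    # bit 8: local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # bit 9: global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),   # bit 13: general detect (traps DRx access)
    }


def has_memory_breakpoints(dr7):
    """True if any of DR0..DR3 is enabled (the BPM case from the text)."""
    return (dr7 & 0xFF) != 0


def looks_like_softice_loader(dr7):
    """The text's heuristic: 0x700 (LE and GE set) vs. the idle baseline 0x400."""
    return (dr7 & 0x700) == 0x700


if __name__ == "__main__":
    # 0x700 and 0x400 are the two values quoted in Method 10; the third is constructed.
    for value in (0x700, 0x400, 0x000D0409):
        print(hex(value), decode_dr7(value),
              "loader:", looks_like_softice_loader(value),
              "BPM:", has_memory_breakpoints(value))
```

Reading DR7 still requires ring0, as the text says; the decoder only interprets a value that has already been captured (from a crash dump, a VM introspection hook or a debugger itself), which is the defender's side of this trick.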
Method 11
=========

This method is best known as 'MeltICE', because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered the open: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
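The instruction sequences listed in Methods 01 to 07 and 12, and the driver and registry names of Methods 11 and 13, are easy to recognise statically once reduced to bytes, which is how an analyst triages a packed sample for these checks before stepping through it. The following Python scanner is an added example, not code from the original text: it encodes each trick as a byte-pattern regex and reports where a buffer contains it. The machine-code encodings are the editor's own (the 16-bit forms, with the 66h operand-size prefix and short instruction gaps tolerated so the 32-bit variants also match); the sample buffer is constructed for the demonstration and is not taken from any real file.

```python
import re

# One (label, pattern) per trick from the text. Encodings are the editor's
# own assumptions; '.{0,n}?' tolerates a few bytes (prefixes, moved
# instructions) between the parts of a sequence.
SIGNATURES = [
    ("Method 01: mov ebp,'BCHK' ... mov ax,4 / int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00\xCC"),
    ("Method 02: back door magic values SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F"),
    ("Method 05/06: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("Method 05/07/12: cmp ax,0F386h (system debugger magic number)",
     rb"(?:\x66)?\x3D\x86\xF3"),
    ("Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 11: SoftICE driver name (\\\\.\\SICE, SIWVID or NTICE)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 13: SoftICE registry key (NuMega\\SoftICE)",
     re.escape(b"NuMega\\SoftICE")),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(buf):
    """Return [(offset, label), ...] sorted by offset, one entry per hit."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(buf))
    return sorted(hits)


# Constructed sample: the tricks from the text assembled by hand, separated
# by NOP padding so each sequence is isolated (offsets are deterministic).
NOPS = b"\x90" * 4
SAMPLE = b"".join([
    NOPS, bytes.fromhex("BD4B484342 B80400 CC 3C04 7510"),          # Method 01
    NOPS, bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC"),            # Method 02
    NOPS, bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F"),            # Method 03
    NOPS, bytes.fromhex("B88416 BB5F7A CD2F"),                      # Method 04
    NOPS, bytes.fromhex("B84F00 CD41 3D86F3 7410"),                 # Method 05
    NOPS, bytes.fromhex("B443 CD68 3D86F3 7410"),                   # Method 07
    NOPS, bytes.fromhex("6A4F 682A002A00 FF1500104000 663D86F3 7410"),  # Method 12
    NOPS, b"\\\\.\\SICE\x00", b"\\\\.\\NTICE\x00",                  # Method 11
    b"Software\\NuMega\\SoftICE\x00",                               # Method 13
])


if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

The `0F386h` comparison is listed on its own because Methods 05, 07 and 12 all end with it; a hit on that signature alone is weaker evidence than a full sequence, so a triage report should weight them differently. Real samples often split these sequences across obfuscation, so treat the gap limits as tunable rather than exact.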
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>