<TABLE width=500>
- O' N4 ?' o& d! W3 y3 C8 G d<TBODY>$ Z1 _& f$ E# x R
<TR>
6 ]2 |; P# R1 F<TD><PRE>Method 01 * Y4 i; q7 }2 G9 l- y; ^
=========% B; o" l0 N/ |
& X" f6 ~' S! A. i. v. L8 }
This method of detection of SoftICE (as well as the following one) is
: ?1 q" C, Q _8 `. z, W& B8 {4 Iused by the majority of packers/encryptors found on Internet.
+ ~8 e1 _! U( F) |; o) N, T: s6 ]6 BIt seeks the signature of BoundsChecker in SoftICE
u4 x: Z3 Q' X: Y a, j8 u; D0 u$ o3 ]: T% w
mov ebp, 04243484Bh ; 'BCHK'
' F5 d$ I( n! o' b" ~, \% O/ Y* @ mov ax, 04h
/ b( j3 s4 g9 O# j7 z" e int 3
* X+ l" ~5 a+ A# ?5 Z8 a0 q cmp al,4 U; a. W# D. `$ T
jnz SoftICE_Detected l a# q1 w! m/ P
: ^( O% P( T1 Y1 Q. q___________________________________________________________________________
3 X% b5 N/ q: x6 I% t) U) e1 I- K% m& Y; l7 [- T
Method 02
& [- @. {) V0 Q9 C* q=========" _8 O& d, M. f: g" V F; s
' { s m1 f8 P# L% C8 F" `2 h# zStill a method very much used (perhaps the most frequent one). It is used0 t# B5 Z/ M4 k( u' ~6 A
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,* w# s- q9 _$ J. r( |9 _
or execute SoftICE commands.../ a4 P" y" g9 W' b7 O7 f! Q
It is also used to crash SoftICE and to force it to execute any commands% Q7 c i/ a3 K9 s) P7 M
(HBOOT...) :-(( % H. `1 l- c8 t; |
) G9 C, Y; g6 B+ RHere is a quick description:4 T$ g: x$ K' W- c; k: ^5 C
-AX = 0910h (Display string in SIce windows). G- R2 L! k" ~* O- B( T# o- @
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)" Z( q0 ]5 j3 j/ z6 J! m
-AX = 0912h (Get breakpoint infos)/ [+ S& k: y* u! o6 R% [& G% E
-AX = 0913h (Set Sice breakpoints)' b% A& v0 u/ N: ~, B
-AX = 0914h (Remove SIce breakoints)( ]+ u f1 D2 p" J0 X
5 A; k' }7 ?6 U
Each time you'll meet this trick, you'll see:
' l' e6 v+ L7 m+ M W2 R7 k8 D-SI = 4647h5 }4 O! n5 P% b- Z6 f4 B0 @2 {3 x
-DI = 4A4Dh
& `9 U. \! f: m. qWhich are the 'magic values' used by SoftIce.- j* f4 A/ H8 I9 `: V
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
! h+ D, \4 J4 S+ u: S* Q$ _& s* z& Q4 H3 I c# U) J
Here is one example from the file "Haspinst.exe" which is the dongle HASP! j+ l! S: v! O$ ~
Envelope utility use to protect DOS applications:' H2 x% Q$ W& H
/ ]8 E; r9 R4 R' I! `
$ o: D. H# u/ d+ n4C19:0095 MOV AX,0911 ; execute command.& P M% c2 A9 o
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).; L/ j+ y) ?: _6 c
4C19:009A MOV SI,4647 ; 1st magic value.% [- s+ \; u! U, T
4C19:009D MOV DI,4A4D ; 2nd magic value.
, E1 w# i) Z- R9 ^4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)2 r5 ^" |$ {; Y. T$ D! p
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute/ z5 A; s( ?+ m
4C19:00A4 INC CX
9 I3 b G' x9 u- S! g8 x$ r+ [" L! a4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
7 b5 L9 N9 y- T, R9 Q4C19:00A8 JB 0095 ; 6 different commands." ~9 A6 ~! e# e- p3 s
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
/ O& v% F! H( Z* f4C19:00AD MOV BX,SP ; Good_Guy go ahead :)1 r( E- @, K1 E2 r
9 Q4 s6 k7 j1 m/ J( Y: T
The program will execute 6 different SIce commands located at ds:dx, which
" y+ ]* W, l! X" X2 Xare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.2 L0 `$ l6 t3 ?; X8 j) g* J
( g8 U+ Z' H4 ~2 p6 Q4 v/ c/ A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.7 A4 d% e* ]3 p1 S+ V& T
___________________________________________________________________________# o7 G9 T9 [: K/ y0 s+ F
, v8 E; a1 a' k
3 \# y1 _; S( X* N, I5 m" O! L2 F& RMethod 03
; Y, u/ j1 Q7 T% ?. a$ A( B=========
/ J* _# n2 U; L. U+ B5 ]. s7 c+ e' f# l
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h' K8 _6 n- N0 x1 o0 X% e
(API Get entry point)
9 a1 E; U6 @( V) c" u- Y4 Y5 l& M7 @
7 q8 c- t* G7 _' y0 [
" `$ n, K9 n+ ~ xor di,di
4 w7 W" O: C, n3 l mov es,di3 i" H$ {8 T. ?7 U) `
mov ax, 1684h 1 i% V- Z2 M2 }. M
mov bx, 0202h ; VxD ID of winice* k4 v0 R, k2 {3 C: {+ ]/ V. G- |
int 2Fh
9 D+ B. H$ }. m0 s0 U3 E mov ax, es ; ES:DI -> VxD API entry point
* y- s. V L+ F- V, F; g add ax, di
: E7 U) W" _* O! w5 y- h test ax,ax3 Z* |8 `) n, Z" ^5 J% a# j
jnz SoftICE_Detected
1 u z; e' g3 y6 Y' ~! j3 b- v0 C/ T) Q' u% ?) a5 s2 H
___________________________________________________________________________
( G+ C6 f/ E4 |: o: ^) h+ z/ O1 C) y* t+ T& G
Method 048 V8 s! x2 F" a: [# ^
=========
$ V1 G, C v& e) W# R
. `8 h! y8 V+ y# {: a7 KMethod identical to the preceding one except that it seeks the ID of SoftICE. y \3 N. `. P
GFX VxD.0 H/ r( x1 H2 ^5 c7 h- r; I, Q8 ?
, |+ ^* q. l% M7 o7 E2 ^4 D xor di,di' e5 z! t7 F. ~0 B4 x
mov es,di
2 ]% h% U% P6 q$ n( y, A# P# T- m mov ax, 1684h 9 [ s6 L, L0 _. R7 ~4 F- R
mov bx, 7a5Fh ; VxD ID of SIWVID z3 c& A8 g9 @: p0 ~* g3 A' d' K
int 2fh
. W# { m: M3 R" G mov ax, es ; ES:DI -> VxD API entry point! `( @0 G5 J7 ?7 x3 h
add ax, di* ]$ [9 ~1 L# s% r+ F
test ax,ax9 m% t7 ~/ J, S @
jnz SoftICE_Detected2 B% V( t% t. y8 t0 b
& p ~( d% R1 W' s" N4 G
__________________________________________________________________________
4 G' g9 o' j0 x9 s/ U8 Q, A2 a9 _! }' S: r% G) S% E
: ?4 L5 ?+ _/ d8 n" y5 |Method 05
; {% [2 L+ F% W3 T- x9 }=========, t* H, W* _$ Q
) {0 g! M& Q3 n" U( K# h
Method seeking the 'magic number' 0F386h returned (in ax) by all system2 U$ ~ c5 t; H, |" _4 _1 ~+ K
debugger. It calls the int 41h, function 4Fh.
5 `' D! |2 y4 L- Q# m$ ^There are several alternatives. % Y# j1 r2 S$ U- z( f- w
6 w; r% a' ]9 X) {7 M* v
The following one is the simplest: z3 Z5 t9 Q% V( M; k
- G( |/ F, z- A Y G
mov ax,4fh
( ]; v" m$ k; V+ |( p& N" V( I. \ int 41h
1 J" w# Q6 t: C* ?# J8 X cmp ax, 0F386( z3 P) b" L6 X( j& }6 Q
jz SoftICE_detected7 g! g5 O4 V6 }
( t/ ^* d: M1 t
' ?! J0 u5 e( {; zNext method as well as the following one are 2 examples from Stone's
3 Y9 e6 ?& c6 L: K& }"stn-wid.zip" (www.cracking.net):4 T0 k+ Q T n- {8 z. k
7 @' b( m }# E- `& | mov bx, cs7 W# U3 u5 L. Z0 h
lea dx, int41handler26 |7 G0 B- z8 y# L, ?
xchg dx, es:[41h*4]
) q# s& P/ v/ [' p& t' R" n xchg bx, es:[41h*4+2]
4 |3 ~5 a6 R, n* \6 ? mov ax,4fh8 D# b! q5 H& E9 v6 t4 D
int 41h4 W" j; z: {' n
xchg dx, es:[41h*4]& A" Q. D4 g6 H1 Z' P- |; p
xchg bx, es:[41h*4+2]& Y) m8 w) p! B2 Q5 U
cmp ax, 0f386h
% H* ^2 Z1 P9 ?1 b# c- @4 P3 k jz SoftICE_detected
' T* n# t! W! v# E" l; {* k
; S# G# S7 \$ M7 g' l6 {int41handler2 PROC* Z# S1 x$ w' S
iret1 s2 r; l1 s* q/ f$ b9 K
int41handler2 ENDP& ?% B5 n2 u2 h& s
1 n8 _2 R( M4 N9 {' T6 f$ i! T8 z
+ Y4 X) h/ x0 ^3 S. {3 `_________________________________________________________________________
: } v' P! P7 u7 b+ `2 Q# |, `( S+ l
& n$ ^+ v4 u5 j) W; ?) jMethod 06) S" e# E( e6 \' k' z0 W
=========
4 f1 ]/ E- f. T9 ?; @% _* o
- ]& w& O' h6 ]6 W
7 x& q$ C8 _5 V( z; X2nd method similar to the preceding one but more difficult to detect:
/ h2 Q1 ^* p& u) V/ E
1 x! L4 c1 L% W& J1 U6 k; |6 Y7 C: q' r
int41handler PROC$ C% s+ c, k. Q a9 H4 N* ~9 X) k
mov cl,al7 l4 O. Q4 L+ p5 I U9 K$ i% c! c3 |
iret; f3 u% F; N7 B, E/ q9 U& ]
int41handler ENDP' J) U0 C# K1 ]# Z
9 G& @5 S" {5 {0 Z/ Y* G5 w" {( g9 _9 k+ _& q9 @6 j
xor ax,ax; f% I9 Q! ^' C( ]. ~$ v4 Y7 N
mov es,ax
9 W7 A" V$ O7 B! |" M/ q7 \) @ mov bx, cs
5 p1 d, C& w" r0 M% R4 h lea dx, int41handler# ?' F2 j1 f# f+ `& R
xchg dx, es:[41h*4]4 v: Q1 V j+ x% @
xchg bx, es:[41h*4+2]" j3 {3 n( g. E( o1 H+ C
in al, 40h
( q, q% {) o1 M8 i" W4 D D xor cx,cx9 j! ~# N) z5 [$ v+ a
int 41h" P1 a/ |8 O, m( D+ S4 S
xchg dx, es:[41h*4]+ Z! T5 t/ e. ?5 i/ D
xchg bx, es:[41h*4+2]
1 c0 V9 e2 k( q1 L( L cmp cl,al4 M% |! L8 a9 W) {% S: V
jnz SoftICE_detected" V. Z0 K" A! u* n
! I, W! J% v/ I& c& P& F_________________________________________________________________________2 \+ x _8 F: K1 G+ ~9 j1 s2 f! p
6 c* v3 M8 F* `3 p$ V
Method 07* L& n# l: Y# B A7 s4 |# a
=========
" T4 I' S" x N- \# _" b
; F, u% q% ~0 G+ bMethod of detection of the WinICE handler in the int68h (V86) K) ~' l+ ?, {$ N$ R
' S4 U$ D$ ?0 F( L mov ah,43h
/ b1 M5 f" q% R4 b, {9 X# k/ |4 Q int 68h
0 D- l9 h3 s8 |8 A cmp ax,0F386h8 V' ]: C" ]( X! U# K& W' Y
jz SoftICE_Detected
7 e: s) C. ?, x9 |5 K. V) ?- x9 r: j& q( u% A8 f
) g- D. t1 \8 Q8 {8 ] ^=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( ^1 _9 r$ y o. [* o# B5 p+ i: u app like this:$ G) B6 _/ y- n* G: d* M
! L$ f. f7 U" B' \$ R( { BPX exec_int if ax==68! ?( v: S1 t2 W' q
(function called is located at byte ptr [ebp+1Dh] and client eip is' Y. g& f0 Z. @% Y/ D
located at [ebp+48h] for 32Bit apps)
7 R! s1 f! w* {: O2 C& Y! s__________________________________________________________________________
1 _4 z. `0 w- y$ d5 g; `7 `& n
( ]; ~/ Y. G, B$ W7 U3 x Y
N& K3 n. Y5 c* yMethod 083 {) k r3 j. Q5 B+ s
=========9 C7 N5 ?. Q% b6 j) I
; o1 {9 q* d6 W: t+ g* X+ |* F, l0 B
It is not a method of detection of SoftICE but a possibility to crash the
/ R8 f. T1 {6 ~/ e* s; S3 {1 ]system by intercepting int 01h and int 03h and redirecting them to another/ Z- p! z! i/ r2 g% I
routine.$ R; p) @* i' t1 c) \! W% [3 q
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points! @' e- q6 v) k2 x
to the new routine to execute (hangs computer...)
$ j: j3 S$ i( v K7 g' ] J% J8 K$ y# d+ G' P8 ^6 A, r$ w- K
mov ah, 25h" y/ u/ I# Y0 g8 z% | G# P
mov al, Int_Number (01h or 03h)
8 Y' C- c4 B2 S) t mov dx, offset New_Int_Routine
1 J" b" c$ R% {0 Z. s int 21h
5 ^) i& g& J+ x4 |. W& o8 k9 J7 b: D! ^7 n, A0 \, d$ W
__________________________________________________________________________
5 g) ^! Q/ \1 k: E R3 ~+ y% [$ {, X
Method 09
# }$ C* O% @: t4 M=========
- d( A2 T2 j% n4 j) c. \) v$ ]
) I* {$ I/ a: }+ \. W" JThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
' V. I# g$ T/ h: U1 @& ^; Q' Pperformed in ring0 (VxD or a ring3 app using the VxdCall).
7 C4 @4 H5 f9 `* }The Get_DDB service is used to determine whether or not a VxD is installed, g# t& l9 V( l+ ^
for the specified device and returns a Device Description Block (in ecx) for" X2 w! t0 i& K
that device if it is installed.
. J6 ]8 g! a- g9 f$ R$ Y ~( e- t$ j0 d t
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 G2 T; B, a% r& y mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 u6 g" ?; ?8 O* }9 [) V VMMCall Get_DDB
4 d b9 I+ P. t7 _ mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
0 p5 N& C# |$ V6 R9 e4 G- r; D- g: |* Y+ K% [6 ~5 h
Note as well that you can easily detect this method with SoftICE:
F7 n! r7 j- i9 E. n' q8 ~ bpx Get_DDB if ax==0202 || ax==7a5fh
+ }% j. I- o9 ? ~, v+ Y( T+ `4 N0 `; b w
__________________________________________________________________________7 }; ^' @/ G* B9 L: q
: g' A5 t( K9 q- W" a" ^7 WMethod 10/ R Y& X1 F5 ~# J" t# S3 ~
=========
) {# J1 V. B N9 i8 \# S8 I5 f& g) G2 Z9 v+ |
=>Disable or clear breakpoints before using this feature. DO NOT trace with
; q( p0 j4 _! ^# P SoftICE while the option is enable!!
" t0 u& g* m$ u' M6 h
4 x7 L+ [, A m! F7 n: m2 @This trick is very efficient:
0 w" V% g6 o/ I- |+ \by checking the Debug Registers, you can detect if SoftICE is loaded( M: V. K7 t# F- N1 o
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! M. }6 P7 ~% M; n( H a1 nthere are some memory breakpoints set (dr0 to dr3) simply by reading their
- B! n. k* r( B- m2 @* \value (in ring0 only). Values can be manipulated and or changed as well) M! I' O' Q& }# w: C
(clearing BPMs for instance)
/ y+ b! y ]* [0 e8 t' t# z/ A7 E; `8 n
__________________________________________________________________________
6 `: |0 h* x: x) K7 ]7 D+ S% n# @5 a5 d# l+ ]! {
Method 11) z) u; e0 I: u! W7 {
=========
$ _0 i. U- u7 p. u( m3 u8 u5 n! M! D' T
This method is most known as 'MeltICE' because it has been freely distributed2 A$ B- L3 I5 w/ t8 b j4 V) G' x
via www.winfiles.com. However it was first used by NuMega people to allow
* J0 c0 R4 a3 ^8 }- q4 W$ L7 iSymbol Loader to check if SoftICE was active or not (the code is located
( Z: w) b* k' Qinside nmtrans.dll).
3 ^% m+ g' w/ b# C4 O: N2 P2 x
4 B/ y& W* |& }! MThe way it works is very simple:
! J2 a* C$ y8 ~* f7 u0 `7 oIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. P" {; o4 c) HWinNT) with the CreateFileA API.# e5 u0 {+ l4 }! `
# u3 |- d5 J4 s# mHere is a sample (checking for 'SICE'):- S' m0 i! V% e E. h% ]
$ i5 _& k5 v- m: }! J# j# t2 O$ WBOOL IsSoftIce95Loaded()6 [+ m, ?' K' x, W/ S3 r8 z0 ^
{
2 C7 N7 X3 i, V! k0 Y( d HANDLE hFile; 9 |4 m- H. ]7 a
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
) ^7 H3 A# T R8 w4 C1 b FILE_SHARE_READ | FILE_SHARE_WRITE,
7 [6 O* [) l# m/ A+ J' h NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 m6 Z. r. U* N6 D4 u; a if( hFile != INVALID_HANDLE_VALUE )! X- U: K7 F& p
{
/ a2 x, M F m" I V) G CloseHandle(hFile);
' H0 ~4 s- }' o. C+ p2 \ return TRUE;! S. k1 l C! w; z0 h" R* K
}
/ Z; g- M1 e' d" Y+ M return FALSE;! ]" P: |- \1 I* W, u' g+ m# r: f
}
, Z1 ]5 x& P/ r, R
2 }) P, @& O3 X+ d' |4 I0 uAlthough this trick calls the CreateFileA function, don't even expect to be. \# @' M5 X& W
able to intercept it by installing a IFS hook: it will not work, no way!1 C0 s* U8 l6 \' u& G( H P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
5 d# C2 q% x, G* |* yservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ Q( A( a( ~. P2 _and then browse the DDB list until it find the VxD and its DDB_Control_Proc8 x8 a4 A& ^% `
field.
# ]0 Q. C7 `( B0 YIn fact, its purpose is not to load/unload VxDs but only to send a
& n( `3 W% S! E% ?: {3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 ]5 v7 N g$ l$ |7 }% k2 I* Y) Z1 u0 e
to the VxD Control_Dispatch proc (how the hell a shareware soft could try0 d/ ^; x2 \" O- f+ O1 G9 ?
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
. w( V$ E0 Q( B# p/ p. q, f# t3 n5 eIf the VxD is loaded, it will always clear eax and the Carry flag to allow' E. Q) r6 Q3 U% E5 I6 L5 N$ K
its handle to be opened and then, will be detected.) k4 _3 C" g" i0 y+ c/ u9 b
You can check that simply by hooking Winice.exe control proc entry point
' n) `( E- i& ~# W Hwhile running MeltICE.
, t) {' t) W7 x- q9 b: Z/ c
+ ~* C R" e8 q8 b3 U2 Y; m% ?/ e6 J# I9 f. I% Y+ P& V; o
00401067: push 00402025 ; \\.\SICE
: p7 D/ y _0 J% M/ ?) ~; j 0040106C: call CreateFileA
4 b' e$ C! `! \+ l 00401071: cmp eax,-001
* }6 ~: j9 O* m5 w 00401074: je 00401091% Q; I$ W8 _: q9 i2 ^
2 D% I: F9 [% {% D* R: S9 R
O6 o$ C/ d' J# r' K
There could be hundreds of BPX you could use to detect this trick.
7 ~ u+ b$ F3 E7 ~1 }6 S) K$ r: }-The most classical one is:* S# X% f7 _$ L$ O x
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||6 G( x6 h/ z, o+ F* o. j6 y
*(esp->4+4)=='NTIC'( {4 k) z8 V I. y
3 | c; @4 H7 l8 u
-The most exotic ones (could be very slooooow :-(; P" [, P$ L) @. n) i
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
/ f% U/ L) {( E3 [0 d f ;will break 3 times :-($ p- o$ k& X5 q+ y3 h$ V$ e
; a; ?& e6 h- q
-or (a bit) faster: 4 Q7 O# X8 B2 E; Q2 n/ ?1 c
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
; e. l7 s& H$ v- B( r7 \
% l) X V; t5 {" H BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
) Y8 R) @* c2 }* G7 o ;will break 3 times :-(
2 V" X3 l2 j) G/ a7 V! E9 N9 \- i8 g
-Much faster:# d! I4 j" j3 ~1 v/ d
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'3 W) ]" f$ j5 R: o( M4 s( `
. H% B( l& R# p/ A/ q( bNote also that some programs (like AZPR3.00) use de old 16-bit _lopen1 C) ~8 z0 X) I8 n: F; t7 p, p
function to do the same job:
7 ?4 ~, R! [; p0 A9 }! `; Z9 ^# a8 O7 J
push 00 ; OF_READ: ~# `2 j2 [ ~7 y. w* A! X
mov eax,[00656634] ; '\\.\SICE',0
+ T& ]( l0 K5 z' W: f push eax/ f8 U/ J; S. o
call KERNEL32!_lopen: ^$ @& `$ _+ k& O P
inc eax8 k0 V- ?8 G" ^. H/ \
jnz 00650589 ; detected; z( {1 j' J" D7 b+ r
push 00 ; OF_READ
& `% H. [2 J: _/ W mov eax,[00656638] ; '\\.\SICE'
* b% t: s7 M9 q0 H2 s+ }9 L push eax
& U {; a& j" \6 S& V( o call KERNEL32!_lopen
8 _- K! J" f8 ? inc eax
+ b1 K- q/ f& E% Z/ } jz 006505ae ; not detected* k5 E6 a4 e. P, e
' z0 }% K+ z2 }$ q
0 s; r3 N* S1 d7 d' [- r" C__________________________________________________________________________
# j* f, _$ c8 o1 B6 s, T" x6 i2 H+ O+ o: p9 x- ^$ L
Method 12# N# @$ X# i! |6 N6 O$ K
=========: ^% G3 A. P# A( W
$ H4 L* M' L: I' _
This trick is similar to int41h/4fh Debugger installation check (code 05% b$ B& B. B' A+ N6 x5 J1 M
& 06) but very limited because it's only available for Win95/98 (not NT)$ ^' P0 C4 ^2 K0 ?
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
2 y* d4 A5 @- L j9 n) X8 O4 M) X, @" F7 |) z
push 0000004fh ; function 4fh) n% X1 w% R" X
push 002a002ah ; high word specifies which VxD (VWIN32)
+ b# ^) P) u, V# M% n; U ; low word specifies which service
1 r6 |) \: g; P/ V+ t( W3 m (VWIN32_Int41Dispatch)
! F0 e5 H% _4 X! L$ X M( m call Kernel32!ORD_001 ; VxdCall
' C" A( I- n5 G$ R) m3 ~' o cmp ax, 0f386h ; magic number returned by system debuggers8 L& t! ?8 r3 ^/ w1 G; V
jz SoftICE_detected
$ U! }: R, E' i( F; [1 W N+ [2 ?; }& q
Here again, several ways to detect it:
2 X( q. }7 F1 y
8 @1 u; c f; u# [+ k, J5 X4 F* v BPINT 41 if ax==4f
0 R. _, E4 B3 Q. x
. J- n+ I/ u, z+ ` D2 a* g BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one. ^, ^" H& n0 F" u9 o
. n* v: x( l7 H0 O# |, w BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A( Y3 }" M3 M& M7 I: w
' H+ C/ F3 A: i! H5 _
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!" H2 I8 d: F* {0 \# `; p
' ~% O" y2 F1 l- j& Y9 p__________________________________________________________________________
, R% C9 t ?& {. M! Z0 n( U: k6 L4 Y' x% v( |8 @
Method 132 \' I* D& C0 r
=========6 g% u1 p8 @7 K1 ~
! g4 Q d/ X; L; C4 WNot a real method of detection, but a good way to know if SoftICE is. V% U* h. p% H6 ?) L. P9 E6 t
installed on a computer and to locate its installation directory. ^ a! k$ J, u, [1 d! c
It is used by few softs which access the following registry keys (usually #2) :
* _9 m( t u+ }8 a L7 b& j% H$ t+ v c
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 `0 G+ }! R6 E$ I- L3 z
\Uninstall\SoftICE
5 d2 W; W# b$ Z6 ]# V-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 t$ P0 c, Q% R. u6 I2 k-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& ^6 Y5 x) C8 Q% b, e" I
\App Paths\Loader32.Exe
, N$ ^' h2 \9 }4 R+ ~& A* c
$ j, L- }0 j8 C4 m) @
A7 T9 ~$ H" I$ D: ONote that some nasty apps could then erase all files from SoftICE directory
5 r& f! x1 C4 C% R4 K0 }. w(I faced that once :-(
$ @$ E4 G& w7 B4 ~3 w' p2 h' M
$ V3 D2 }4 w' A5 ~/ U" [# hUseful breakpoint to detect it:% o! D. u" i, V
6 [2 W( i' H" d, C BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
1 g) X; `/ O3 U
) \( _' ^/ K5 L. D__________________________________________________________________________
! M; F% T* e$ Z0 X7 ?4 d# O6 r
: d1 n1 i1 d) {$ F) W! D5 [0 x! X5 \
: t! ~: _$ k, I& wMethod 14 % B2 Y9 i }( _! Y
=========
2 g5 s4 E; L. ~ I/ S8 h0 d E' W6 k9 A, y3 U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
3 k0 v9 f$ I! L: T! t' K# `2 kis to determines whether a debugger is running on your system (ring0 only).
' z/ a+ I, s$ f$ Q+ t/ ^5 V" ~$ T' x" ~
VMMCall Test_Debug_Installed
4 Y+ u! {' y, b, R C8 Y4 ~, q3 y je not_installed
# E+ {- {4 r# ]( R2 V
9 G5 l( }3 t$ N4 l* Q4 ZThis service just checks a flag.# {# D5 X# f: L! I+ I
</PRE></TD></TR></TBODY></TABLE> |
|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港
( 鲁ICP备19052200号-1 )
发表于 2008-9-28 16:34:50
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡