About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
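A decoder for the DR7 value that Method 10 reads, added here as an example and not part of the original post: it shows which dr0-dr3 slots are armed (the BPMs the text mentions) and whether the LE/GE bits that distinguish the 0x700 and 0x400 cases are set. The bit layout follows the Intel SDM; the third sample value is constructed.

```python
# Decoder for the x86 DR7 register as read in Method 10.  Bit layout
# (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
#   bits 8, 9  : LE, GE (legacy exact-match bits; set in the 0x700 case)
#   bit 10     : reserved, always reads as 1 (hence the idle value 0x400)
#   bit 13     : GD (general detect: trap on any MOV to/from a DRx)
#   bits 16-31 : R/W_n (2 bits) and LEN_n (2 bits) for each slot n
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # bytes; 8 is long-mode only


def decode_dr7(dr7: int) -> dict:
    """Describe the breakpoint slots DR7 has armed, plus LE/GE/GD."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n disabled, ignore its fields
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n,
                      "scope": "global" if glob else "local",
                      "kind": RW_NAMES[rw],
                      "length": LEN_NAMES[ln]})
    return {"breakpoints": slots,
            "le": bool((dr7 >> 8) & 1),
            "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1)}


def looks_debugged(dr7: int) -> bool:
    """The Method 10 test: any dr0-dr3 slot armed (a BPM), or LE/GE set
    (0x700 in the text's SoftICE-loader case; 0x400 when nothing is set)."""
    d = decode_dr7(dr7)
    return bool(d["breakpoints"]) or d["le"] or d["ge"]


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in the text; 0xF0401 is a
    # constructed value: slot 0 local, read/write, 4 bytes, i.e. one BPM.
    for v in (0x700, 0x400, 0xF0401):
        print(hex(v), looks_debugged(v), decode_dr7(v))
```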

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
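A static triage scanner for the tricks listed above (Methods 01 to 05, 07, 11, 12 and 13), added here as an example and not part of the original post: it matches the standard x86 encodings of the quoted instructions, the MeltICE device names and the NuMega registry key, allowing the 66h operand-size prefix that appears when the 16-bit snippets are assembled in a 32-bit segment. The signature names and the sample buffer are constructed.

```python
import re

# Signature -> regex over raw bytes.  Byte values are the standard x86
# encodings of the instructions quoted in the text; \x66? allows the
# operand-size prefix seen when 16-bit code is assembled in a 32-bit segment,
# and .{0,8}? tolerates a few unrelated instructions in between.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CCh or CDh 03h)
    "M01 BoundsChecker BCHK / int 3":
        rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?(?:\xcc|\xcd\x03)",
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic)
    "M02 back-door magic SI=4647h DI=4A4Dh":
        rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD entry point":
        rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": rb"\x66?\xb8\x4f\x00.{0,8}?\xcd\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xb4\x43.{0,8}?\xcd\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 11 (MeltICE): device names opened with CreateFileA / _lopen
    "M11 MeltICE driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key #2
    "M13 NuMega registry key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start())
            for name, rx in COMPILED.items()
            for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: a 32-bit-segment copy of the Method 01 check, one
# MeltICE device name and a Method 07 probe, separated by padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"      # mov ebp,4243484Bh         (offset 4)
    + b"\x66\xb8\x04\x00"          # mov ax,4  (66h prefix)
    + b"\xcc"                      # int 3
    + b"\x3c\x04\x75\x10"          # cmp al,4 ; jnz SoftICE_Detected
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"           # "\\.\SICE",0              (offset 26)
    + b"\xb4\x43\xcd\x68"          # mov ah,43h ; int 68h      (offset 35)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```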

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>