About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker hook answers
                                   ; this int 3 and alters AL
    cmp     al,4                   ; AL still 4 -> nobody handled it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]        ; install a dummy int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a varying timer byte into AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran,
    jnz     SoftICE_detected        ; i.e. nothing intercepted int 41h first

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
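As an added example (not part of the original document or of any of the tools it names), the following Python scanner turns the fixed instruction sequences shown in Methods 01 to 05, 07, 11 and 12 into byte signatures that an analyst can run over a DOS or Win9x executable to see which of these tricks it carries. The signature names and the sample buffer are constructed here; the byte patterns are derived from the x86 encodings of the listings above and assume the code was assembled as listed, in 16-bit or 32-bit mode.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above, built
# from the x86 encodings of the instruction sequences shown there.  Names and
# patterns are constructed for this example; an optional 66h operand-size
# prefix is allowed where 32-bit code would insert one.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK')
    "bchk_int3": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (the back door magic values)
    "backdoor_magic_si_di": rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "int2f_1684_sice": rb"\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F",
    "int2f_1684_siwvid": rb"\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/07/12: cmp ax,0F386h (the system debugger magic number)
    "cmp_ax_f386": rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "int68_43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 2A002Ah ahead of the VxDCall
    "vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: MeltICE device names (\\.\SICE, \\.\SIWVID, \\.\NTICE)
    "meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
}
# Method 06 (in al,40h ... int 41h) and the ring0-only methods 09, 10 and 14
# carry no fixed immediate worth matching, so they are not covered here.


def scan_anti_softice(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature_name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, code):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(hits: list[tuple[int, str]]) -> dict[str, int]:
    """Count hits per signature name, for a quick triage report."""
    counts: dict[str, int] = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample buffer: NOP padding around four of the sequences above.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"   # Method 01, 16-bit code
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # Method 03, 16-bit code
    + b"\x90" * 2
    + b"\x66\xBE\x47\x46\x66\xBF\x4D\x4A\xCC"       # Method 02 magic values, 32-bit
    + b"\x90"
    + rb"\\.\SICE" + b"\x00"                        # Method 11 device name
    + b"\x90" * 5
)

if __name__ == "__main__":
    for offset, name in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit on `cmp_ax_f386` alone is weak evidence (three bytes occur by chance in large binaries); treat it as confirmation of a nearby `int41_4f`, `int68_43` or `vxdcall_int41dispatch` hit rather than as a finding on its own.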