<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,47
 jnz SoftICE_Detected

__________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; swap in our own int 41h handler
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; swap in our own int 41h handler
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read the timer so al is hard to predict
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; our handler copies al into cl; if SoftICE answered instead, cl stays 0
 jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                    ; DOS: set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID             ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name           ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx                 ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
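
To make the two DR7 values quoted above concrete, here is an added example (not code from the page) that decodes DR7 field by field following the Intel SDM bit layout: 0x400 is just the reserved bit 10 that always reads as one, and 0x700 adds the LE and GE exact-breakpoint enable bits (8 and 9) on top of it; any set bit in the low byte means one of the DR0-DR3 slots is armed, i.e. a BPM is set. The function names and the rule-of-thumb helper are this example's own.

```python
# Decoder for the x86 DR7 debug-control register, so the values quoted in
# Method 10 (0x700 vs 0x400) can be read field by field. Bit layout follows
# the Intel SDM, Vol. 3; this is an added example, not code from the page.
LE_BIT = 0x100          # bit 8:  local exact breakpoint enable
GE_BIT = 0x200          # bit 9:  global exact breakpoint enable
RESERVED_ONE = 0x400    # bit 10: always reads as 1
GD_BIT = 0x2000         # bit 13: general detect (trap any access to DR0-DR7)

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Split DR7 into its enable flags and the per-slot breakpoint settings."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Li bit
        glob = (dr7 >> (2 * i + 1)) & 1       # Gi bit
        if not (local or glob):
            continue                          # slot i (DRi) is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wi field: what triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENi field: watched size
        slots.append({
            "slot": i,
            "local": bool(local),
            "global": bool(glob),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & LE_BIT),
        "ge": bool(dr7 & GE_BIT),
        "gd": bool(dr7 & GD_BIT),
        "reserved_one": bool(dr7 & RESERVED_ONE),
        "breakpoints": slots,
    }


def has_hardware_breakpoints(dr7):
    """True when any L0-L3/G0-G3 enable bit is set, i.e. a BPM is armed."""
    return bool(dr7 & 0xFF)


def matches_softice_loader_signature(dr7):
    """The page's rule of thumb: 0x700 (LE and GE set on top of the reserved
    bit) when the program was started through the SoftICE loader, 0x400 when
    it was not. Helper name is this example's own."""
    return bool(dr7 & LE_BIT) and bool(dr7 & GE_BIT)


if __name__ == "__main__":
    # 0xF0401: reserved bit, DR0 armed locally, read/write, 4 bytes (constructed)
    for value in (0x400, 0x700, 0xF0401):
        print(hex(value), matches_softice_loader_signature(value), decode_dr7(value))
```

Reading DR7 this way also explains why the text warns to clear breakpoints first: a BPM on DR0-DR3 shows up as a set enable bit in the low byte plus a non-zero R/W and LEN field, which is exactly what the check looks at.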
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                               ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                               ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                       ; OF_READ
 mov eax,[00656634]            ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589                  ; detected
 push 00                       ; OF_READ
 mov eax,[00656638]            ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae                   ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh                ; function 4fh
 push 002a002ah                ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001         ; VxdCall
 cmp ax, 0f386h                ; magic number returned by system debuggers
 jz SoftICE_detected
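
Every one of the checks in Methods 01 through 08 and 12 compiles down to a few fixed opcode bytes, which is why an analyst triaging a packed or protected executable looks for those byte sequences statically instead of waiting to hit them under the debugger. The Python scanner below is an added example for this page, not code from the original text or from any tool it mentions: the patterns were hand-assembled from the listings above (16-bit encodings, with an optional 66h operand-size prefix so the 32-bit forms match too), the pattern names and the sample buffer are constructed for the example, and a 3-byte pattern such as cmp ax,0F386h is only corroboration, never proof on its own.

```python
import re

# Byte patterns for the SoftICE checks shown in Methods 01-08 and 12, assembled
# by hand from the listings (constructed for this example, not from a tool).
# Immediates are little-endian; "\x66?" allows the operand-size prefix so the
# 16-bit and 32-bit encodings both match. ".{0,8}?" tolerates a few
# instructions between the distinctive pieces.
SOFTICE_CHECK_PATTERNS = {
    # Method 01: mov ebp,'BCHK' ... int 3
    "m01_bchk_int3": rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic)
    "m02_int3_backdoor": rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "m03_m04_int2f_vxd_entry": rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h
    "m05_int41_4f": rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41",
    # Method 06: in al,40h ... int 41h (cl/al compared afterwards)
    "m06_int41_timer_probe": rb"\xE4\x40.{0,8}?\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 08: mov ah,25h / mov al,01h|03h ... int 21h (set INT 1/3 vector)
    "m08_int21_set_vector": rb"\xB4\x25\xB0[\x01\x03].{0,8}?\xCD\x21",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) / call
    "m12_vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Methods 05/07/12: cmp ax,0F386h, the system-debugger magic number.
    # Only 3-4 bytes long, so treat it as corroboration, not proof.
    "magic_cmp_ax_f386": rb"\x66?\x3D\x86\xF3",
}

_COMPILED = {name: re.compile(pat, re.DOTALL)
             for name, pat in SOFTICE_CHECK_PATTERNS.items()}


def scan_for_softice_checks(blob):
    """Return a sorted list of (offset, pattern_name) for every match in blob."""
    hits = []
    for name, rx in _COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(blob):
    """Names of the patterns that matched at least once, as a sorted list."""
    return sorted({name for _, name in scan_for_softice_checks(blob)})


# Constructed sample: NOP padding around four of the page's sequences.
SAMPLE_CODE = (
    b"\x90" * 4
    # Method 02, the Haspinst.exe loop: MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 /
    # MOV DI,4A4D / INT 3 / ADD BX,02 / INC CX / CMP CX,06 / JB back
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"
    + b"\x90" * 4
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    + b"\x90" * 4
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"
    + b"\x90" * 4
    # Method 12 (32-bit): push 4Fh / push 002A002Ah / call rel32
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for offset, name in scan_for_softice_checks(SAMPLE_CODE):
        print(f"{offset:#06x}  {name}")
```

The scanner works on raw bytes, so it can be pointed at a DOS .EXE, a PE section or a memory dump alike; each hit gives the file offset where the check sits, which is the place to look at (or to set a BPX on) before the protected program ever reaches it.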
Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
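
The device names of Method 11 and the registry paths of Method 13 are plain strings inside the protected program, so both tricks can be spotted by scanning for them, and a CreateFile hook can classify the name it is handed the same way the breakpoint condition does. The Python below is an added example (not from the page, from MeltICE or from nmtrans.dll): is_softice_device_name does what the 'BPX CreateFileA if *(esp->4+4)==...' condition does, skip the four-character device prefix and compare the name, and scan_for_softice_strings looks for each device name and registry path in both ASCII and UTF-16LE; the function names and the sample buffer are constructed for this example.

```python
import re

# Device names a MeltICE-style check opens through CreateFileA or _lopen
# (Method 11) and the registry paths of Method 13. Added example, not code
# from the page; the sample buffer below is constructed.
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")
SOFTICE_REG_PATHS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)
DEVICE_PREFIX = "\\\\.\\"   # the literal four-character Win32 device prefix


def is_softice_device_name(path):
    """What a CreateFile hook would check, mirroring the page's
    'BPX CreateFileA if *(esp->4+4)==...' condition: skip the four-character
    device prefix and compare the device name, case-insensitively like Win32."""
    if not path.startswith(DEVICE_PREFIX):
        return False
    return path[len(DEVICE_PREFIX):].upper() in SOFTICE_DEVICES


def _needles():
    """(kind, label, ascii bytes) for every string worth flagging."""
    out = [("device", dev, (DEVICE_PREFIX + dev).encode("ascii"))
           for dev in SOFTICE_DEVICES]
    out += [("registry", key, key.encode("ascii")) for key in SOFTICE_REG_PATHS]
    return out


def scan_for_softice_strings(blob):
    """Find each needle as ASCII and as UTF-16LE (what the W-suffix APIs take).
    Returns sorted (offset, encoding, kind, label) tuples."""
    hits = []
    for kind, label, ascii_bytes in _needles():
        ascii_rx = re.compile(re.escape(ascii_bytes), re.IGNORECASE)
        # interleave a NUL after every character to get the UTF-16LE form
        wide_rx = re.compile(
            b"".join(re.escape(bytes([c])) + b"\x00" for c in ascii_bytes),
            re.IGNORECASE)
        for m in ascii_rx.finditer(blob):
            hits.append((m.start(), "ascii", kind, label))
        for m in wide_rx.finditer(blob):
            hits.append((m.start(), "utf-16le", kind, label))
    return sorted(hits)


# Constructed sample: a fake header, an ASCII \\.\SICE, a UTF-16LE \\.\NTICE
# and one of the Method 13 registry paths, separated by zero padding.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x00" * 4
)

if __name__ == "__main__":
    for offset, enc, kind, label in scan_for_softice_strings(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {enc:8s}  {kind:8s}  {label}")
```

Strings found this way only tell you the check exists; where they sit is still useful, because the code that references the string (the push 00402025 in the MeltICE listing above) is the place to put the breakpoint.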

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>