<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below)
    4C19:009A MOV SI,4647      ; 1st magic value
    4C19:009D MOV DI,4A4D      ; 2nd magic value
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE check: try to open the Win9x SoftICE device by name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;               /* open failed: driver not present */
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
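As an added example (not part of the original text), here is a Python static scanner that looks for the byte-level fingerprints of Methods 01 to 05, 07 and 11 in a raw code buffer, so a packed sample can be triaged for these tricks without running it under a debugger. The signature names and the NOP-padded sample buffer are constructed here; the x86 encodings are the standard ones (16-bit code for the DOS tricks, 32-bit for Method 01).

```python
"""Static triage scanner for the anti-SoftICE fingerprints described above.

Added example, not code from the original text: it searches a raw code buffer
for the byte sequences the tricks use and reports which trick appears and where.
"""
import re

# (name, pattern over bytes). Short lazy wildcard runs absorb the few
# instructions that may sit between the fixed parts (e.g. Stone's xchg pairs).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("method01_boundschecker",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc.{0,8}?\x3c\x04", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) followed by int 3
    ("method02_backdoor",
     re.compile(rb"(?:\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46).{0,8}?\xcc",
                re.DOTALL)),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh  (SICE VxD ID)
    ("method03_int2f_sice", re.compile(rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f")),
    # Method 04: same call with the SIWVID VxD ID 7A5Fh
    ("method04_int2f_siwvid", re.compile(rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f")),
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    ("method05_int41",
     re.compile(rb"\xb8\x4f\x00\xcd\x41.{0,12}?\x3d\x86\xf3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("method07_int68",
     re.compile(rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL)),
    # Method 11 (MeltICE): NUL-terminated device name given to CreateFileA/_lopen
    ("method11_meltice_devname",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf: bytes):
    """Return a sorted list of (offset, signature_name) for every hit in buf."""
    hits = []
    for name, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: fragments hand-assembled from the listings above, padded
# with NOPs, so the scanner can be exercised offline on realistic bytes.
SAMPLE = (
    b"\x90" * 4
    # Haspinst.exe: mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc" + b"\x90" * 3
    # Method 03: xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f" + b"\x90" * 3
    # Stone's Method 05: mov ax,4Fh ; int 41h ; xchg dx,es:[104h] ; xchg bx,es:[106h] ; cmp ax,0F386h
    + b"\xb8\x4f\x00\xcd\x41\x26\x87\x16\x04\x01\x26\x87\x1e\x06\x01\x3d\x86\xf3"
    + b"\x90" * 3
    # MeltICE: the device name passed to CreateFileA
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```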