About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP = 'BCHK' and
AX = 4, the INT 3 is answered by SoftICE, which alters AL. If AL is
still 4 afterwards, no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
7 l! z$ X+ U0 G/ E( T8 e& |& M) N# a  G& J2 }
% o1 b. r9 c- {: K9 Z5 c4 H5 A
Method 03( w" W% W1 Y) H
=========
5 g3 |5 b5 x7 _& r' y+ D$ T9 t& N8 F
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ Q7 {. @6 e$ b* E5 t
(API Get entry point)
; z5 e3 V& U+ {2 @/ z2 D        / a3 c) G0 U. Y: |) P# j

6 t9 W  B* P, Q! h+ D) e    xor     di,di$ B8 u, T  ~/ \6 n- e$ g8 D
    mov     es,di
+ t' C- h7 a8 {$ A# `& o' P1 u" [$ i    mov     ax, 1684h      
  r" ]3 \# m7 _" G0 `    mov     bx, 0202h       ; VxD ID of winice
, r% g, L# i) n- u  x/ u, F4 M    int     2Fh' Y1 V3 |% W5 l0 v
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
# ~- ^7 ^  G7 S2 y3 B; d' j, `    add     ax, di
& j( x  I: ^& U/ |    test    ax,ax* `- |7 }! P; n# v0 F; i
    jnz     SoftICE_Detected
. T* g( ]7 {4 c% g% @3 S6 X. s1 Y" u  L
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  This one swaps its own int 41h handler
(a plain IRET) into the vector table around the call, so the 0F386h reply
can only come from a debugger intercepting the interrupt ahead of the
vector table:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
Instead of testing for the 0F386h magic, the dummy handler copies AL (a
timer reading from port 40h) into CL: if the int 41h really went through
the program's own handler, CL equals AL afterwards; otherwise something
else (a debugger) handled it.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

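To make the two DR7 values quoted above readable, here is an added C example (not from the original text) that decodes DR7 into its fields, reports whether any of DR0-DR3 is actually armed, and builds the DR7 value a one-byte write BPM in slot 0 would need. The bit layout follows the Intel manual (bit 10 of DR7 is reserved and always reads 1, which is why the "nothing set" value is 0x400 rather than 0). Reading the live register still needs ring 0, as the text says, so the program works on values passed in. The reading of 0x700 versus 0x400 as "SoftICE loader or not" is the page's claim reproduced as a heuristic; the dr7_arm helper and its slot/length encoding are my addition.

```c
/* Added example, not from the original text: decode/build x86 DR7 values.
 * Bit layout per Intel SDM vol. 3, "Debug Registers". */
#include <stdio.h>

typedef struct {
    int local_enable[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];             /* R/W0..3: 0=exec 1=write 2=I/O 3=read/write */
    int len[4];            /* LEN0..3 in bytes: 1, 2, 8 (x86-64 only), 4 */
    int le, ge;            /* exact local/global breakpoints: bits 8, 9 */
    int gd;                /* general detect (trap any DRx access): bit 13 */
} dr7_fields;

dr7_fields decode_dr7(unsigned long dr7)
{
    static const int len_bytes[4] = {1, 2, 8, 4};
    dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.local_enable[i]  = (dr7 >> (2 * i))      & 1;
        f.global_enable[i] = (dr7 >> (2 * i + 1))  & 1;
        f.rw[i]            = (dr7 >> (16 + 4 * i)) & 3;
        f.len[i]           = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
    }
    f.le = (dr7 >> 8)  & 1;
    f.ge = (dr7 >> 9)  & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* Is any hardware breakpoint armed?  That is what a protection peeking at
 * DR0-DR3 really wants to know; LE/GE by themselves arm nothing. */
int dr7_has_breakpoints(unsigned long dr7)
{
    return (dr7 & 0xFF) != 0;
}

/* The page's heuristic: the SoftICE loader leaves LE and GE set (0x300 on
 * top of the always-set reserved bit 10), a normal start does not. */
int dr7_looks_like_sice_loader(unsigned long dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm slot 0..3 as a local breakpoint with access type rw (0..3) and a
 * length of 1, 2, 4 or 8 bytes (assumption: this is what a BPM needs). */
unsigned long dr7_arm(unsigned long dr7, int slot, int rw, int len)
{
    static const int len_code[9] = {0, 0, 1, 0, 3, 0, 0, 0, 2};
    dr7 &= ~(0xFUL << (16 + 4 * slot));                      /* clear R/W+LEN */
    dr7 |= (unsigned long)((len_code[len] << 2) | rw) << (16 + 4 * slot);
    dr7 |= 1UL << (2 * slot);                                /* L<slot> */
    return dr7;
}

int main(void)
{
    unsigned long samples[] = {0x400, 0x700, dr7_arm(0x700, 0, 1, 1)};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_fields f = decode_dr7(samples[i]);
        printf("DR7=%#07lx LE=%d GE=%d GD=%d armed=%d loader=%d",
               samples[i], f.le, f.ge, f.gd,
               dr7_has_breakpoints(samples[i]),
               dr7_looks_like_sice_loader(samples[i]));
        for (int s = 0; s < 4; s++)
            if (f.local_enable[s] || f.global_enable[s])
                printf(" [DR%d %s rw=%d len=%d]", s,
                       f.local_enable[s] ? "L" : "G", f.rw[s], f.len[s]);
        printf("\n");
    }
    return 0;
}
```

Clearing a BPM, as the text mentions, is the reverse of dr7_arm: mask off the L/G bits of the slot (and the stale R/W and LEN nibble) and write the value back from ring 0.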
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the driver answered the open: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (HFILE_ERROR is -1, hence the inc/jnz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
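Most of the methods above hinge on a handful of fixed constants: the 'BCHK' and 'FG'/'JM' magic values of methods 01 and 02, the VxD IDs 0202h/7A5Fh of methods 03, 04 and 09, the int 41h/4Fh and int 68h/43h calls of methods 05 to 07 and the 0F386h reply they test for, the VxDCall 002A002Ah of method 12, the device names of method 11 and the registry key of method 13. The following C program is an added example, not part of the original text: it turns those constants into byte signatures and scans a buffer for them, the way one would triage a packed executable before loading it under SoftICE. The opcode encodings are the standard 16/32-bit x86 ones; the sample buffer is constructed here from the method 01 and 05 snippets plus one MeltICE device name, and the signature names are my own.

```c
/* Added example, not from the original text: scan a code/data buffer for the
 * fixed constants the anti-SoftICE tricks above rely on.  Opcode bytes are
 * standard x86 encodings; the sample buffer and signature names are mine. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    const char          *trick;  /* which trick the bytes belong to */
    const unsigned char *pat;    /* raw bytes to look for */
    size_t               len;
} signature_t;

typedef struct {
    const char *trick;
    size_t      offset;          /* position of the match in the buffer */
} hit_t;

/* 16-bit encodings; in 32-bit code a 66h operand-size prefix precedes the
 * mov/cmp, which leaves these byte runs intact. */
static const unsigned char SIG_BCHK[]    = {0xBD,0x4B,0x48,0x43,0x42};           /* mov ebp,4243484Bh 'BCHK'     (01) */
static const unsigned char SIG_FGJM[]    = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};      /* mov si,4647h / mov di,4A4Dh  (02) */
static const unsigned char SIG_SICE2F[]  = {0xBB,0x02,0x02,0xCD,0x2F};           /* mov bx,0202h / int 2Fh       (03) */
static const unsigned char SIG_SIWV2F[]  = {0xBB,0x5F,0x7A,0xCD,0x2F};           /* mov bx,7A5Fh / int 2Fh       (04) */
static const unsigned char SIG_INT41[]   = {0xB8,0x4F,0x00,0xCD,0x41};           /* mov ax,4Fh / int 41h         (05) */
static const unsigned char SIG_F386[]    = {0x3D,0x86,0xF3};                     /* cmp ax,0F386h          (05/07/12) */
static const unsigned char SIG_INT68[]   = {0xB4,0x43,0xCD,0x68};                /* mov ah,43h / int 68h         (07) */
static const unsigned char SIG_VXDCALL[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh / push 2A002Ah      (12) */

static const signature_t SIGS[] = {
    {"01 BCHK int3",          SIG_BCHK,    sizeof SIG_BCHK},
    {"02 FG/JM backdoor",     SIG_FGJM,    sizeof SIG_FGJM},
    {"03 int2F SICE",         SIG_SICE2F,  sizeof SIG_SICE2F},
    {"04 int2F SIWVID",       SIG_SIWV2F,  sizeof SIG_SIWV2F},
    {"05 int41/4F",           SIG_INT41,   sizeof SIG_INT41},
    {"05/07/12 cmp F386",     SIG_F386,    sizeof SIG_F386},
    {"07 int68/43",           SIG_INT68,   sizeof SIG_INT68},
    {"12 VxDCall 2A002A",     SIG_VXDCALL, sizeof SIG_VXDCALL},
    {"11 device \\\\.\\SICE",   (const unsigned char *)"\\\\.\\SICE",   8},
    {"11 device \\\\.\\SIWVID", (const unsigned char *)"\\\\.\\SIWVID", 10},
    {"11 device \\\\.\\NTICE",  (const unsigned char *)"\\\\.\\NTICE",  9},
    {"13 registry key",       (const unsigned char *)"NuMega\\SoftICE", 14},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Report every signature occurrence, in signature order.  Returns the total
 * count even when it exceeds max_hits, so the caller can see the table was
 * too small. */
size_t scan_anti_sice(const unsigned char *buf, size_t len,
                      hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const signature_t *sig = &SIGS[s];
        for (size_t off = 0; off + sig->len <= len; off++) {
            if (memcmp(buf + off, sig->pat, sig->len) != 0)
                continue;
            if (n < max_hits) {
                hits[n].trick  = sig->trick;
                hits[n].offset = off;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample: the method 01 check in 32-bit code, a method 05 check
 * and one MeltICE device name, with a little padding. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,        /* mov ebp,4243484Bh      */
    0x66, 0xB8, 0x04, 0x00,              /* mov ax,4               */
    0xCC,                                /* int 3                  */
    0x3C, 0x04,                          /* cmp al,4               */
    0x75, 0x10,                          /* jnz SoftICE_Detected   */
    0x66, 0xB8, 0x4F, 0x00, 0xCD, 0x41,  /* mov ax,4Fh / int 41h   */
    0x66, 0x3D, 0x86, 0xF3,              /* cmp ax,0F386h          */
    0x74, 0x08,                          /* jz  SoftICE_Detected   */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    0x90
};

int main(void)
{
    hit_t hits[32];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("%-24s at offset %zu\n", hits[i].trick, hits[i].offset);
    printf("%zu hit(s)\n", n);
    return 0;
}
```

A hit on the 3-byte `cmp ax,0F386h` signature alone is weak and should be confirmed by a nearby int 41h, int 68h or VxDCall hit; the device-name and registry strings, on the other hand, are exactly what the BPX conditions given under methods 11 and 13 look for at run time.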
: D$ W7 Z( y8 Y  `, w  s( p5 k</PRE></TD></TR></TBODY></TABLE>