About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; (added) ES = 0 to address the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]    ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; a plain handler leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________

. \$ i+ F9 f& s- t8 O0 g5 u
9 r: g9 T6 R7 \4 CMethod 06
" ]) ]' v( |+ |0 ^5 {4 C=========9 x7 f, j1 w, g$ L1 l
% g" ~$ b8 u2 \$ g; {

& [" e& j# E5 l- ]& k! T+ c2nd method similar to the preceding one but more difficult to detect:
2 O- V3 |9 [; C( P% V4 E9 h
2 E& A& z. z# n+ @! b2 g( Y# O
, x' @+ K8 i0 T+ ^int41handler PROC
" {4 i+ ~! N, O# I& w' a, ?, f    mov     cl,al
1 }1 J" W' l' q  V9 P    iret& _) I0 t$ d: \
int41handler ENDP
  K" p$ X5 A3 Q2 ^* Z6 D5 ?1 s8 l# c* h
6 M% @9 c: o  C9 k, v( @
    xor     ax,ax# S. S8 L: M" n/ R2 S; o; @
    mov     es,ax3 h8 w0 h" F: y  A& N
    mov     bx, cs! d% w, J' o; W3 p* B+ _
    lea     dx, int41handler# m/ t0 H; A, O" o1 j/ }
    xchg    dx, es:[41h*4]
# C! H8 p2 c! `+ b. M& V% _/ @    xchg    bx, es:[41h*4+2]
( v; S, T! Z: ]7 Z* O    in      al, 40h
; J2 Z1 k) j- t, U; U    xor     cx,cx
- a! D/ y3 H9 p: J    int     41h- K* a; v, T% k
    xchg    dx, es:[41h*4]
5 ?2 E( w, F& W+ K0 L4 {    xchg    bx, es:[41h*4+2]
/ U9 o. P1 C9 e7 _    cmp     cl,al
$ w5 B$ g/ O" Z7 A( C    jnz     SoftICE_detected
, {6 q4 ~7 X* G0 `5 F* q1 u* D* C: _( V
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the SoftICE VxD by its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
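As an added example (not from the original post, and not SoftICE's or NuMega's code), the following Python scanner looks for the byte encodings of the instruction sequences from Methods 01 to 07, 11 and 12 in a raw code buffer, so an analyst can see which of these anti-debugger checks a packed sample carries before stepping through it. The sample buffer, the allowed gaps between instructions and the 16/32-bit encodings are my assumptions.

```python
"""Static scanner for the anti-SoftICE instruction sequences listed above.

Each signature is the x86 byte encoding of the key instructions of one
method (Methods 01 to 07, 11 and 12).  The ".{0,N}?" gaps allow a few
unrelated bytes between them, since packers often interleave junk.
The sample buffer at the bottom is constructed for this example.
"""
import re

# (method, description, regex over raw bytes)
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,4243484Bh / mov ax,4 / int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?(?:\x66)?\xb8\x04\x00.{0,8}?(?:\xcc|\xcd\x03)"),
    ("02", "back door: mov si,4647h / mov di,4A4Dh (either order) / int 3",
     rb"(?:\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46)"
     rb".{0,8}?(?:\xcc|\xcd\x03)"),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h: mov bx,0202h / int 2Fh",
     rb"\xbb\x02\x02.{0,8}?\xcd\x2f"),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh: mov bx,7A5Fh / int 2Fh",
     rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f"),
    ("05/06", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     rb"\xb8\x4f\x00.{0,16}?\xcd\x41"),
    ("07", "int 68h function 43h: mov ah,43h / int 68h",
     rb"\xb4\x43.{0,8}?\xcd\x68"),
    ("05-07/12", "cmp ax,0F386h (system-debugger magic number)",
     rb"(?:\x66)?\x3d\x86\xf3"),
    ("11", "MeltICE: driver name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]


def scan(code: bytes) -> list:
    """Return (offset, method, description) hits sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        # DOTALL: a raw 0x0A byte must not stop the wildcard gaps
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: nop filler around the Haspinst.exe sequence from
# Method 02 (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh /
# int 3), a Method 05 probe with its 0F386h compare, and a SICE name.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"  # Method 02
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"              # Method 05
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                                      # Method 11
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04x}  Method {method}: {desc}")
```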