<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: when SoftICE
is loaded, its INT 3 handler recognises the BoundsChecker calling
convention (EBP='BCHK', AX=4) and modifies AL, so AL is no longer 4 on
return.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; AL untouched -> no SoftICE
        jnz     SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT, which reboots the machine...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler if the debugger
  is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first because the interface
only fills it in when the VxD is present, so a non-zero ES+DI afterwards
means the VxD answered.

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls INT 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector in the interrupt
vector table is temporarily replaced by a dummy handler (ES must be 0 here,
as in Method 06). The dummy handler leaves AX untouched, so AX can only
become 0F386h if something intercepted INT 41h before it reached the
vector table, i.e. SoftICE:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler (ES=0 -> IVT)
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret                            ; does nothing, AX stays 4Fh
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot because it
does not use function 4Fh at all: AL is loaded with a byte read from the
timer port and the dummy handler copies it into CL. If the handler in the
vector table ran, CL equals AL; if SoftICE intercepted the interrupt
instead, CL stays 0. (Should the byte read from port 40h happen to be 0,
the check misses; that is a 1-in-256 false negative.)

int41handler PROC
        mov     cl, al                  ; proves the IVT handler was reached
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES=0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; swap in our handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from timer 0
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode). Function 43h is
the debugger installation check; a debugger answers with AX=0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in
ECX) if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        BPX Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0
only), you can detect whether SoftICE is loaded (DR7=0x700 if you loaded
the program with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
themselves, to let Symbol Loader check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; the other names are checked the
same way):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);             /* the driver answered: loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA the request goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall),
and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


00401067:  push  00402025             ; \\.\SICE
0040106C:  call  CreateFileA
00401071:  cmp   eax,-1               ; INVALID_HANDLE_VALUE
00401074:  je    00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (VWIN32),
                                        ; low word selects the service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The zero flag is set when no debugger is installed.

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
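
The checks in methods 01 to 13 all leave a recognisable byte pattern in the
protected program (the instruction encodings and strings shown above),
which is the quickest way to triage a packed target before tracing it. The
scanner below is an added example written for this page; it is not code
from the article, from Stone's archive or from NuMega. It looks for those
literal encodings in a raw binary image. The opcode bytes are the standard
x86 encodings of the instructions listed in each method; the signature
labels and the SAMPLE image are constructed for the example.

```python
"""Static triage scanner for the SoftICE checks described in methods 01-13.

Added example (not part of the original article, not SoftICE/NuMega code).
It does not execute any trick; it looks for the literal byte encodings of
the instructions and strings shown above inside a raw binary image.
The opcode bytes are standard 16/32-bit x86 encodings; SAMPLE is constructed.
"""
import re

# (label, regex over raw bytes).  A 66h operand-size prefix appears when a
# 16-bit register form is used from 32-bit code, so it is made optional.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    ("01 BCHK int3 check",       rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    ("02 back-door magic",       rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int2F VxD entry",    rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int41 fn 4F",           rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h / int 68h
    ("07 int68 fn 43",           rb"\xb4\x43\xcd\x68"),
    # Methods 05/07/12: cmp ax,0F386h (weak alone, strong next to a hit above)
    ("F386 magic compare",       rb"(?:\x66)?\x3d\x86\xf3"),
    # Method 12: push 4Fh / push 002A002Ah before Kernel32!ORD_0001
    ("12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 11: device names passed to CreateFileA / _lopen
    ("11 MeltICE device name",   rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry key used to find the installation directory
    ("13 NuMega registry key",   rb"(?i)Software\\NuMega\\SoftICE"),
]


def scan(data):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, data):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(data):
    """Return the set of labels present, for a one-line verdict."""
    return {label for _, label in scan(data)}


# Constructed image (not a real file): a 16-byte stub, the Method 02 loop
# from the Haspinst.exe listing, a Method 05 check and two MeltICE strings.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"           # mov ax,0911h
    + b"\x8b\x17"               # mov dx,[bx]
    + b"\xbe\x47\x46"           # mov si,4647h          <- hit at offset 21
    + b"\xbf\x4d\x4a"           # mov di,4A4Dh
    + b"\xcc"                   # int 3
    + b"\x83\xc3\x02"           # add bx,2
    + b"\x41"                   # inc cx
    + b"\x83\xf9\x06"           # cmp cx,6
    + b"\x72\xeb"               # jb back
    + b"\xb8\x4f\x00\xcd\x41"   # mov ax,4Fh / int 41h  <- hit at 37
    + b"\x3d\x86\xf3"           # cmp ax,0F386h         <- hit at 42
    + b"\x74\x00"               # jz ...
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"            <- hit at 47
    + b"\\\\.\\NTICE\x00"       # "\\.\NTICE"           <- hit at 56
    + b"Software\\NuMega\\SoftICE\x00"  #               <- hit at 66
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```

Run it as a script to list the hits in SAMPLE, or call scan() on the bytes
of a real file. A byte-pattern scan only catches the forms shown on this
page: a protector that builds SI/DI or the 0F386h constant at run time,
uses other registers, encodes INT 3 as CD 03, or keeps the device names
obfuscated is not caught, and a lone 'F386 magic compare' hit is weak
evidence on its own. Methods 06, 08, 09, 10 and 14 have no fixed byte
sequence worth matching here (a dummy handler, an interrupt vector change,
ring-0 register reads and VMM services), so confirm with the BPX/BPINT
breakpoints given above rather than trusting a clean scan.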
</PRE></TD></TR></TBODY></TABLE>