<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes the BoundsChecker interface that SoftICE exposes on int 3:
when SoftICE is loaded it recognizes the 'BCHK' signature in EBP and
modifies AL; when it is not, the registers come back untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected        ; AL changed: int 3 was serviced by SoftICE

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will also see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the request.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; DS:DX points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler installed by the
  program: when the debugger is not loaded the INT 3 reaches that handler,
  which resumes at 00ADh; when SoftICE is loaded it services the call and
  execution falls through to 00A1h.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD through int 2Fh/1684h
(Get VxD API Entry Point): if the VxD with the requested ID is loaded,
ES:DI comes back pointing at its API entry point, otherwise ES:DI is
left at 0:0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next variant, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is swapped
for a dummy IRET before the call, so the result cannot come from whatever
handler sits in the real-mode vector table: only a debugger that catches
the interrupt below the vector table (as SoftICE does under Windows) can
put 0F386h in AX.

        xor     ax, ax
        mov     es, ax                  ; ES -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our dummy handler...
        xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in BX:DX
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot: the
dummy handler copies AL into CL, so the check no longer looks for the
0F386h magic number. AL is loaded with a byte of the timer 0 counter
(port 40h) and CX is cleared; if int 41h reaches our handler, CL ends up
equal to AL; if a debugger swallows the interrupt, the handler never runs
and CL stays 0. (If the timer byte happens to be 0 the check misfires,
which is the price of this variant.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; AL = low byte of timer 0 counter
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h is
the installation check of the DOS debugger interface, and a loaded
debugger answers with AX=0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
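The probes of methods 01 to 05 and 07 all compile to short, fixed byte
sequences, so a packer that embeds them can be spotted statically before
you ever run it under the debugger. The scanner below is an added example
written for this page (not code from the original text or from any of the
tools it mentions): the signature names, the gap allowances and the sample
blob are my own choices, and the sample is constructed by hand-assembling
the instructions quoted above (16-bit encodings, NOP padding), not taken
from a real binary.

```python
import re

# Byte signatures for the probes described in methods 01 to 05 and 07, in the
# 16-bit operand encoding of DOS-era code. An optional 66h operand-size prefix
# lets the same pattern match the instruction inside 32-bit code as well, and
# '.{0,N}?' tolerates a few unrelated bytes between the instructions of one probe.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3
    "bchk_int3":     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC",
    # Method 02: mov si,4647h ('FG') ... mov di,4A4Dh ('JM') ... int 3
    "backdoor_int3": rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ... mov bx,0202h (SICE) or 7A5Fh (SIWVID) ... int 2Fh
    "vxd_entry_2f":  rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    "int41_4f":      rb"(?:\x66)?\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?(?:\x66)?\x3D\x86\xF3",
    # Method 07: mov ah,43h ... int 68h
    "int68_43":      rb"\xB4\x43.{0,8}?\xCD\x68",
}

def scan(blob):
    """Return (offset, signature name) for every probe found, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

def probes_found(blob):
    """Just the set of probe names present, for a quick verdict on a sample."""
    return {name for _, name in scan(blob)}

# Constructed sample: the instruction sequences quoted in the text, hand-assembled
# (16-bit encoding) and separated by NOP padding. Not taken from any real binary.
SAMPLE = b"".join([
    b"\x90" * 4,
    bytes.fromhex("66 BD 4B 48 43 42 "   # mov ebp,4243484Bh
                  "B8 04 00 "            # mov ax,4
                  "CC "                  # int 3
                  "3C 04 "               # cmp al,4
                  "75 10 "),             # jnz SoftICE_Detected
    b"\x90" * 3,
    bytes.fromhex("B8 11 09 "            # mov ax,0911h
                  "8B 17 "               # mov dx,[bx]
                  "BE 47 46 "            # mov si,4647h
                  "BF 4D 4A "            # mov di,4A4Dh
                  "CC "),                # int 3
    b"\x90" * 3,
    bytes.fromhex("33 FF 8E C7 "         # xor di,di / mov es,di
                  "B8 84 16 "            # mov ax,1684h
                  "BB 02 02 "            # mov bx,0202h
                  "CD 2F "),             # int 2Fh
    b"\x90" * 3,
    bytes.fromhex("B8 4F 00 "            # mov ax,4Fh
                  "CD 41 "               # int 41h
                  "3D 86 F3 "            # cmp ax,0F386h
                  "74 05 "),             # jz SoftICE_Detected
    b"\x90" * 3,
    bytes.fromhex("B4 43 "               # mov ah,43h
                  "CD 68 "               # int 68h
                  "3D 86 F3 "),          # cmp ax,0F386h
])

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The gap allowances are deliberately small: the register loads and the INT
are normally adjacent, and widening them mostly buys false positives from
data that happens to contain a B8h or CCh byte. Run it over the code
section of a suspect executable rather than the whole file for the same
reason.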
6 d/ K- x0 _9 Q+ v6 G__________________________________________________________________________. X. N) n- a: \$ w* ?
t8 @) N) z! a# A: d$ u8 n/ Q& H R; a6 @3 B9 T" ^9 Y
Method 08
) O. t6 Q4 X" x4 ~9 |4 f+ f6 M" `# s=========
6 z3 P) d9 m, n: w- Y) w8 s" M- X( O. {& ~, X' k
It is not a method of detection of SoftICE but a possibility to crash the5 {9 R+ U/ ]' e+ z" T# X
system by intercepting int 01h and int 03h and redirecting them to another( R' S$ }4 g& F/ B" ?
routine./ u# ]9 a# e$ K, R% M% Q
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% z0 b( |6 Q6 _& ato the new routine to execute (hangs computer...)+ U( i, @+ e. A# |% |* J
) s9 m4 r" X2 |
mov ah, 25h3 [7 n8 |, w J9 c- K( G
mov al, Int_Number (01h or 03h)
9 {2 J, r. D+ w/ W. [$ o: m$ x mov dx, offset New_Int_Routine- S: `- I( \0 c( x O6 A
int 21h
Y. C7 I4 X" ?
; U3 |; S" s; ~: I__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description
Block (in ECX) if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (possible in ring 0 only; a ring 3 read
faults) a program can tell whether SoftICE is loaded (DR7 = 0x700 if the
program was started with the SoftICE loader, 0x400 otherwise) and whether
memory breakpoints (BPM) are set, since their addresses sit in DR0 to DR3
and their enable bits in DR7. The values can be manipulated or changed as
well (clearing the BPMs, for instance).
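To make sense of the two DR7 values quoted above and of what "clearing the
BPMs" does at the register level, here is an added example (written for
this page, not code from the original text): a decoder for the DR7 bit
layout as documented in the Intel manuals, plus helpers that program and
clear a breakpoint the way a BPM would. It works on integer values only;
the actual MOV from DR7 has to be done in ring 0, as the text says, so
feed it values captured from there. Function names are my own.

```python
# Bit layout of DR7 (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bits 8, 9  : LE, GE           local/global exact breakpoint enable
#   bit 10     : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     : GD               general detect (fault on any DRx access)
#   bits 16-31 : R/W0,LEN0 .. R/W3,LEN3   condition and size of each breakpoint

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) exists on x86-64 only

def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the four breakpoint slots."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "index": n,
            "enabled": bool(local or glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": bps,
    }

def softice_loader_used(dr7):
    """The text's rule of thumb: 0x700 = LE and GE set on top of the reserved
    bit 10 when the program was started with the SoftICE loader, 0x400 otherwise."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]

def active_bpms(dr7, dr0_3):
    """(index, address, kind, length) for every enabled hardware breakpoint,
    i.e. the BPMs a ring-0 check would see by pairing DR7 with DR0..DR3."""
    return [(b["index"], dr0_3[b["index"]], b["kind"], b["length"])
            for b in decode_dr7(dr7)["breakpoints"] if b["enabled"]]

def clear_bpms(dr7):
    """'Clearing the BPMs' at register level: drop the enable bits (0-7) and the
    condition/length fields (16-31) and keep everything else, bit 10 included."""
    return dr7 & ~0xFFFF00FF & 0xFFFFFFFF

def set_bpm(dr7, n, kind, length, local=True):
    """Program breakpoint slot n into DR7 (the address itself goes into DRn)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~((3 << (2 * n)) | (0xF << (16 + 4 * n)))   # wipe the slot's old fields
    dr7 |= 1 << (2 * n if local else 2 * n + 1)         # L or G enable bit
    dr7 |= (rw << (16 + 4 * n)) | (ln << (18 + 4 * n))  # condition and size
    return dr7

if __name__ == "__main__":
    dr7 = set_bpm(0x400, 0, "write", 4)       # what a 4-byte BPM W on DR0 looks like
    print(hex(dr7), active_bpms(dr7, [0x401000, 0, 0, 0]))
    print(hex(clear_bpms(dr7)))               # back to the bare 0x400 baseline
```

Exec breakpoints must use length 1 (LEN field 0); the helper does not
enforce that, so pass "exec" with length 1 as the hardware expects.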
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by the NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle on the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API; the open only succeeds
when the driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the Win32 device name of the SoftICE VxD */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN then DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001          ; INVALID_HANDLE_VALUE
00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
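Methods 11 and 13 are the two host-artifact checks on this page: open the
driver's device object, or look for its registry keys. The added example
below (written for this page; it is not MeltICE's code nor anything from
NuMega) puts both behind small callables so the decision logic can be
exercised on any platform, and shows the Win32 calls behind them for use
on Windows; it also mirrors the `BPX CreateFileA if *(esp->4+4)=='SICE'`
condition to make the +4 offset explicit. All function names are my own,
and the loaded-driver set used in the usage note is made up.

```python
import sys

DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")        # Win9x VxDs and the NT driver (method 11)
REGISTRY_KEYS = (                                  # method 13; key #2 is the usual one
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)

def device_path(name):
    """The \\.\ device prefix MeltICE pushes before calling CreateFileA."""
    return "\\\\.\\" + name

def probe_devices(can_open, names=DEVICE_NAMES):
    """MeltICE logic: a driver counts as loaded if its device object can be opened.
    can_open(path) -> bool is injected so the logic runs without Windows."""
    return [n for n in names if can_open(device_path(n))]

def probe_registry(key_exists, keys=REGISTRY_KEYS):
    """Method 13 logic: which of the known SoftICE keys exist under HKLM."""
    return [k for k in keys if key_exists(k)]

def bpx_createfile_condition(path):
    """Mirror of  BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is the
    lpFileName argument, +4 skips the four-character "\\.\" prefix, and the 4-byte
    compare reads the start of the driver name ('SIWV' for SIWVID, 'NTIC' for NTICE)."""
    return path[4:8] in ("SICE", "SIWV", "NTIC")

def win32_can_open(path):
    """Real probe on Windows: CreateFileW with the same flags MeltICE uses."""
    import ctypes
    from ctypes import wintypes
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 3, 0x80
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    h = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)
    return True

def win32_key_exists(subkey):
    """Real probe on Windows: can the key be opened under HKEY_LOCAL_MACHINE?"""
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
        return True
    except OSError:
        return False

if __name__ == "__main__":
    if sys.platform == "win32":
        print("drivers :", probe_devices(win32_can_open))
        print("registry:", probe_registry(win32_key_exists))
    else:
        # Made-up state for a dry run: only SIWVID is 'loaded', only key #2 exists.
        loaded = {device_path("SIWVID")}
        print("drivers :", probe_devices(lambda p: p in loaded))
        print("registry:", probe_registry(lambda k: k == r"Software\NuMega\SoftICE"))
```

Note what the breakpoint condition does not catch: a program that builds
the device name at run time, or that uses the 16-bit _lopen path shown
above, never hits `BPX CreateFileA` with the literal string in place, which
is why the DDB-list breakpoint is the more reliable one.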
__________________________________________________________________________# P# B- s4 y+ V
; |; p7 z8 a- Y% z2 E6 d
" w9 B: Z' R( J" y+ Q+ E2 L
Method 14
* l) B" X9 I" m- |& U=========- P9 f0 x q' y4 |) S8 ~7 ?
+ |1 V# z! r) x1 s2 r5 p
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose( u. N0 R( {( F5 O$ Z% l
is to determines whether a debugger is running on your system (ring0 only).
$ B) [. k, M W; N: s8 P) }+ t
; r" p; z, E$ W VMMCall Test_Debug_Installed( N. T1 f* V+ b, C
je not_installed
( K* y' @; y+ N% h( h) [* X
8 A/ w' v6 e- A1 GThis service just checks a flag.
4 \. U3 } ]7 `# P% b</PRE></TD></TR></TBODY></TABLE> |