<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI is 0:0 if no such VxD is installed
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h vector (es = 0, the IVT)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; a non-constant value (timer) instead of 4fh
 xor cx,cx
 int 41h ; our handler copies al into cl; a hooked int 41h does not
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


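The instruction sequences and strings quoted in methods 01 to 07, 11, 12 and 13 are fixed enough to be found statically. The scanner below is an added example (not part of the original text, nor of any tool it mentions): it encodes those sequences as byte signatures and reports where they occur in a dump, so the analyst knows where to expect each check before tracing into it. It assumes the standard x86 encodings of the quoted instructions, and the sample image it scans is constructed, not a real binary.

```python
import re

# Added example (not from the original text): byte signatures for the
# SoftICE checks catalogued above. Opcode bytes are the standard x86
# encodings of the instruction sequences quoted in each method.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker BCHK int 3": re.compile(
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: int 3 back door magic values mov si,4647h / mov di,4A4Dh
    "M02 int 3 back door (SI=4647h DI=4A4Dh)": re.compile(
        rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2Fh 1684h VxD entry (SICE/SIWVID)": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh / int 41h
    "M05/06 int 41h fn 4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h fn 43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device name (MeltICE)
    "M11 MeltICE device name": re.compile(
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh": re.compile(
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: SoftICE registry key strings
    "M13 SoftICE registry key": re.compile(
        re.escape(b"Software\\NuMega\\SoftICE") + b"|"
        + re.escape(b"Uninstall\\SoftICE")),
}


def scan(data):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample image (not a real binary): several of the sequences
# above separated by NOPs, so the scanner has something to find offline.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # M01, 32-bit code
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # M02, as in Haspinst
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                   # M04, SIWVID id
    + b"\xB8\x4F\x00\xCD\x41"                               # M05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # M12
    + b"\\\\.\\SICE\x00"                                    # M11
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says where a known sequence sits; the same check can be rewritten with other registers or split by junk instructions, so treat a clean scan as "nothing obvious", not as "nothing there".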
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>