<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP='BCHK' and
AX=4, the INT 3 is answered by SoftICE's BoundsChecker interface, which
changes AL; without SoftICE the interrupt returns with AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the exception handler the program
  installs for INT 3 when the debugger is not loaded.
__________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"). ES:DI comes back as 0000:0000 when no VxD
with that ID is loaded, so a non-zero ES+DI means SoftICE answered.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh ("debugger installation check").
There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both swap their own handler into the
real-mode vector for int 41h (at 0000:0104h) before the call, so that on a
system without a debugger the interrupt returns straight to the program
with AX unchanged; a system debugger that intercepts int 41h still answers
the call with 0F386h.

        xor ax,ax
        mov es,ax               ; ES=0 -> interrupt vector table (added here;
                                ; the listing assumes ES already points there)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
(there is no 0F386h constant to search for): the replacement handler copies
AL into CL, so after the interrupt CL equals the byte read from port 40h
only if the program's own handler ran. If a debugger took the int 41h
instead, CL stays 0 and the comparison fails.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES=0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: a value that is hard to predict
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (DR0 to DR3), simply by reading
their value (ring 0 only: MOV from a debug register faults in ring 3).
Values can be manipulated and/or changed as well (clearing BPMs, for
instance).

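As an added example (not code from the original page), here is the DR7 bit decoding that Method 10 relies on, written in Python. The bit layout (L0..G3 in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, R/Wn and LENn in bits 16-31) is the Intel one, and the register values fed to it are constructed for illustration. It also shows what "clearing BPMs" amounts to at the bit level and, going a little beyond the page, rebuilds a DR7 for a memory breakpoint so the decoder can be checked round-trip:

```python
"""Decode and rebuild the x86 DR7 debug-control register (Method 10).

Added example, not code from the page. Layout per the Intel SDM:
  bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
  bits 8-9   LE/GE   (the page's 0x700 vs 0x400 difference is these two bits)
  bit  10    reserved, always reads as 1
  bit  13    GD      general detect: fault on any MOV to/from a DRn
  bits 16-31 R/Wn (2 bits) and LENn (2 bits) for slot n
"""
from dataclasses import dataclass
from typing import List, Sequence

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}  # io needs CR4.DE
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


@dataclass
class HwBreakpoint:
    slot: int          # 0..3 -> DR0..DR3
    address: int       # linear address held in DRn
    kind: str          # execute / write / io / read/write
    length: int        # bytes covered
    scope: str         # "local", "global" or "local+global"


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> dict:
    """Return the LE/GE/GD flags and the list of armed hardware breakpoints."""
    armed: List[HwBreakpoint] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        scope = "+".join(name for name, on in (("local", local), ("global", glob)) if on)
        armed.append(HwBreakpoint(n, dr0_3[n], RW_KIND[rw], LEN_BYTES[ln], scope))
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": armed,
    }


def started_under_softice_loader(dr7: int) -> bool:
    """Method 10's heuristic: the SoftICE loader leaves LE and GE set (0x700);
    a normal start shows only the reserved bit (0x400)."""
    flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def encode_bpm(dr7: int, slot: int, kind: str, length: int, scope: str = "global") -> int:
    """Arm `slot` the way a BPM would: set the enable bit(s) and the R/W and
    LEN fields for that slot, leaving the rest of DR7 untouched."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0b1111 << (16 + 4 * slot)) & 0xFFFFFFFF     # clear the old R/W and LEN
    dr7 |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    if "local" in scope:
        dr7 |= 1 << (2 * slot)
    if "global" in scope:
        dr7 |= 1 << (2 * slot + 1)
    return dr7


def clear_bpm(dr7: int) -> int:
    """What a protection does when it 'clears BPMs': drop every enable bit and
    every R/W-LEN field, keep LE/GE/GD and the reserved bit."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # Constructed values: a 4-byte write watch on 0x00401000 in DR0, under the loader.
    dr7 = encode_bpm(0x700, slot=0, kind="write", length=4)
    print(hex(dr7), decode_dr7(dr7, (0x00401000, 0, 0, 0)))
    print(hex(clear_bpm(dr7)), started_under_softice_loader(0x400))
```

Reading DR7 this way only works at ring 0, as the text says; a ring 3 program that wants the same information has to ask the kernel for its thread context instead, and a protection that "clears BPMs" is simply writing back the value `clear_bpm` returns.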
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API. The open only succeeds when the driver is
loaded, so a valid handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where 'tICE'
sits inside the subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

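Nearly all of the tricks above leave a byte-level fingerprint: an INT instruction preceded by the register set-up that selects the back door (Methods 01-08 and 12), or a driver or registry name sitting in the data section (Methods 11 and 13). As an added example, not code from the page or from any of the programs it mentions, here is a small Python scanner that anchors on the interrupt (or on the VxDCall push sequence) and looks a few bytes back for that set-up, then reports the method and, where the page gives a table for it, the back-door function or the VxD ID. The encodings are hand-assembled from the listings above (16-bit for the DOS tricks, 32-bit for Method 12); Methods 09 and 14 call VMM services whose byte encoding the page does not give and are left out. The sample blob it scans is constructed here for the test and is not taken from any real file. Going beyond the page, the string search also matches the UTF-16LE form a CreateFileW caller would carry:

```python
"""Byte-signature scanner for the SoftICE probes catalogued above.

Added example, not code from the page. Each Probe anchors on the opcode that
performs the check (CC = INT 3, CD xx = INT xx, or the PUSH of the VWIN32
service id) and requires the register set-up to appear in the `back` bytes
before it. Encodings are hand-assembled 16-bit code except Method 12 (32-bit).
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

DOTALL = re.DOTALL            # '.' must match any byte, 0x0A included


@dataclass
class Probe:
    method: str
    what: str
    anchor: bytes             # regex for the INT/PUSH that fires the probe
    back: int                 # window (bytes) to inspect before the anchor
    needs: List[bytes]        # regexes that must all appear in that window
    detail: Optional[Callable[[bytes], str]] = None


@dataclass
class Hit:
    method: str
    offset: int
    what: str
    detail: str = ""


BACKDOOR = {0x0910: "display string", 0x0911: "execute SoftICE command",
            0x0912: "get breakpoint info", 0x0913: "set breakpoints",
            0x0914: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE/WINICE", 0x7A5F: "SIWVID"}


def backdoor_function(window: bytes) -> str:
    m = re.search(rb"\xB8([\x10-\x14])\x09", window, DOTALL)    # mov ax,09xxh
    if not m:
        return "AX not set in window"
    fn = 0x0900 | m[1][0]
    return "AX=%04Xh (%s)" % (fn, BACKDOOR[fn])


def vxd_id(window: bytes) -> str:
    m = re.search(rb"\xBB(..)", window, DOTALL)                  # mov bx,imm16
    if not m:
        return "BX not set in window"
    vid = int.from_bytes(m[1], "little")
    return "BX=%04Xh (%s)" % (vid, VXD_IDS.get(vid, "unknown VxD"))


PROBES = [
    Probe("01", "INT 3 with EBP='BCHK', AX=4 (BoundsChecker interface)", rb"\xCC", 24,
          [rb"\xBD\x4B\x48\x43\x42", rb"\xB8\x04\x00"]),
    Probe("02", "INT 3 back door (SI=4647h, DI=4A4Dh)", rb"\xCC", 32,
          [rb"\xBE\x47\x46", rb"\xBF\x4D\x4A"], backdoor_function),
    Probe("03/04", "INT 2Fh/1684h VxD entry-point lookup", rb"\xCD\x2F", 16,
          [rb"\xB8\x84\x16"], vxd_id),
    Probe("05", "INT 41h function 4Fh", rb"\xCD\x41", 16, [rb"\xB8\x4F\x00"]),
    Probe("06", "INT 41h after IN AL,40h (handler comparison)", rb"\xCD\x41", 16,
          [rb"\xE4\x40"]),
    Probe("07", "INT 68h function 43h (WinICE V86 handler)", rb"\xCD\x68", 16,
          [rb"\xB4\x43"]),
    Probe("08", "INT 21h/25h re-vectoring INT 01h or INT 03h", rb"\xCD\x21", 16,
          [rb"\xB4\x25.{0,12}?\xB0[\x01\x03]|\xB0[\x01\x03].{0,12}?\xB4\x25|\xB8[\x01\x03]\x25"]),
    Probe("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh", rb"\x68\x2A\x00\x2A\x00", 8,
          [rb"\x6A\x4F|\x68\x4F\x00\x00\x00"]),
]

STRINGS = {   # Method 11 driver names, Method 13 registry keys
    "11": [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"],
    "13": [r"Software\NuMega\SoftICE", r"CurrentVersion\Uninstall\SoftICE",
           r"App Paths\Loader32.Exe"],
}


def scan(code: bytes) -> List[Hit]:
    hits = []
    for p in PROBES:
        for m in re.finditer(p.anchor, code, DOTALL):
            window = code[max(0, m.start() - p.back):m.start()]
            if all(re.search(n, window, DOTALL) for n in p.needs):
                hits.append(Hit(p.method, m.start(), p.what,
                                p.detail(window) if p.detail else ""))
    for method, names in STRINGS.items():
        for name in names:
            for enc in (name.encode("ascii"), name.encode("utf-16-le")):  # A and W forms
                for m in re.finditer(re.escape(enc), code, re.IGNORECASE):
                    hits.append(Hit(method, m.start(), "driver/registry name", name))
    return sorted(hits, key=lambda h: h.offset)


PAD = b"\x90" * 16     # NOP padding keeps the look-back windows of the samples apart
SAMPLE = PAD.join([    # constructed test input, hand-assembled from the listings above
    bytes.fromhex("66BD4B484342 B80400 CC 3C04 7500"),          # 01: mov ebp,'BCHK'; mov ax,4; int 3
    bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB"),  # 02: the HASP loop
    bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F 8CC0 01F8 85C0 7500"),   # 03: int 2Fh/1684h, bx=0202h
    bytes.fromhex("B84F00 CD41 3D86F3 7400"),                   # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    bytes.fromhex("B443 CD68 3D86F3 7400"),                     # 07: mov ah,43h; int 68h
    bytes.fromhex("B425 B003 BA3412 CD21"),                     # 08: set the int 03h vector
    bytes.fromhex("684F000000 682A002A00 E800000000 663D86F3 7400"),  # 12: VxDCall (32-bit)
    b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00Software\\NuMega\\SoftICE\x00",   # 11/13 data strings
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%04X  method %-5s %s  %s" % (h.offset, h.method, h.what, h.detail))
```

The look-back window is deliberately short: the set-up for these probes sits right next to the INT in every listing on the page, and a wider window mostly adds false positives from unrelated MOVs. A packer that builds the magic values arithmetically rather than with immediates will slip past this, which is exactly why the BPINT/BPX conditions given under each method remain the more reliable check when SoftICE itself is available.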
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>