About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the BoundsChecker query
    cmp     al,4                   ; al is still 4 when nothing handled the query
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE by forcing it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point').

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 0202h       ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 when the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES must address the IVT at segment 0 (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl==al only if our own handler served the interrupt
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
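As an added example (not part of the original text), the following Python scanner recognises the opcode fragments that the snippets of Methods 01 to 07 assemble to, so that someone triaging a packer or a protected binary can spot these interrupt-based checks statically instead of single-stepping into them. The byte patterns are the standard x86 encodings of the instructions quoted above; the 24-byte window, the rule names and the hand-assembled sample buffer are assumptions made for this example.

```python
"""Static triage for the interrupt-based SoftICE checks (Methods 01-07).

Each rule lists the opcode fragments the quoted snippets assemble to.  All
fragments of one rule must fall inside a short window for a hit, so a lone
'int 3' or 'mov bx,0202h' does not trigger on its own.
"""
from typing import List, Tuple

WINDOW = 24  # bytes; the instructions of one check sit next to each other

# (method, description, fragments); fragments[0] is the anchor we search for
RULES: List[Tuple[str, str, List[bytes]]] = [
    ("Method 01", "int 3 with ebp='BCHK' (BoundsChecker interface)",
     [b"\xBD\x4B\x48\x43\x42",   # mov ebp, 4243484Bh
      b"\xCC",                   # int 3
      b"\x3C\x04"]),             # cmp al, 4
    ("Method 02", "int 3 back door, si=4647h di=4A4Dh",
     [b"\xBE\x47\x46",           # mov si, 4647h
      b"\xBF\x4D\x4A",           # mov di, 4A4Dh
      b"\xCC"]),                 # int 3
    ("Method 03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     [b"\xB8\x84\x16",           # mov ax, 1684h
      b"\xBB\x02\x02",           # mov bx, 0202h
      b"\xCD\x2F"]),             # int 2Fh
    ("Method 04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     [b"\xB8\x84\x16",           # mov ax, 1684h
      b"\xBB\x5F\x7A",           # mov bx, 7A5Fh
      b"\xCD\x2F"]),             # int 2Fh
    ("Method 05", "int 41h function 4Fh, expects 0F386h",
     [b"\xB8\x4F\x00",           # mov ax, 4Fh
      b"\xCD\x41",               # int 41h
      b"\x3D\x86\xF3"]),         # cmp ax, 0F386h
    ("Method 07", "int 68h function 43h, expects 0F386h",
     [b"\xB4\x43",               # mov ah, 43h
      b"\xCD\x68",               # int 68h
      b"\x3D\x86\xF3"]),         # cmp ax, 0F386h
]


def scan(buf: bytes) -> List[Tuple[str, int]]:
    """Return (method, offset) for each anchor whose rule is complete within WINDOW."""
    hits: List[Tuple[str, int]] = []
    for method, _desc, frags in RULES:
        anchor, rest = frags[0], frags[1:]
        start = 0
        while (off := buf.find(anchor, start)) >= 0:
            window = buf[off:off + WINDOW]
            if all(f in window for f in rest):
                hits.append((method, off))
            start = off + 1
    return hits


# Constructed sample: Haspinst's Method 02 loop and the simplest Method 05
# check, assembled by hand as 16-bit code and padded with NOPs.
SAMPLE = bytes.fromhex("".join([
    "90" * 8,
    "B81109",   # mov ax, 0911h
    "8B17",     # mov dx, [bx]
    "BE4746",   # mov si, 4647h
    "BF4D4A",   # mov di, 4A4Dh
    "CC",       # int 3
    "83C302",   # add bx, 2
    "41",       # inc cx
    "83F906",   # cmp cx, 6
    "72ED",     # jb back to the loop
    "90" * 8,
    "B84F00",   # mov ax, 4Fh
    "CD41",     # int 41h
    "3D86F3",   # cmp ax, 0F386h
    "7402",     # jz SoftICE_detected
    "90" * 8,
]))

if __name__ == "__main__":
    for method, off in scan(SAMPLE):
        desc = next(d for m, d, _ in RULES if m == method)
        print(f"{method} at offset 0x{off:x}: {desc}")
```

On the sample this reports Method 02 at offset 0xd and Method 05 at 0x25. Methods 03 and 04 share the `mov ax,1684h` anchor and are told apart by the VxD ID that follows, which is why each rule requires every fragment rather than just the interrupt opcode.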
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
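To make the 0x700 / 0x400 figures above concrete, here is an added Python decoder for DR7 (not part of the original text). It follows the DR7 bit layout documented by Intel: bits 0-7 are the local/global enable pairs for DR0-DR3, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads 1, bit 13 is GD, and bits 16-31 carry the R/W and LEN fields. The classification labels and the constructed DR7 values are assumptions of this example.

```python
"""Decode DR7 to show what Method 10 reads (added example).

An idle DR7 is 0x400 because bit 10 always reads 1; the text's 0x700 is that
reserved bit plus LE (bit 8) and GE (bit 9), which debuggers set.  A SoftICE
BPM shows up as an enable bit in bits 0-7 plus R/W and LEN in bits 16-31.
"""
from typing import Dict, List

DR7_LE, DR7_GE, DR7_RESERVED, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN '10' means 8 bytes on x86-64 only


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its control bits and the armed DR0-DR3 slots."""
    armed: List[Dict] = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            armed.append({"reg": f"dr{i}", "local": local, "global": glob,
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "reserved_bit10": bool(dr7 & DR7_RESERVED),
        "gd": bool(dr7 & DR7_GD),
        "armed": armed,
    }


def classify(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """Reproduce the reasoning of Method 10 on a DR snapshot (labels are ours)."""
    info = decode_dr7(dr7)
    if info["armed"] or any(dr0_3):
        regs = ", ".join(f"{s['reg']}={s['kind']}/{s['len']}B" for s in info["armed"])
        return f"hardware breakpoints armed ({regs or 'address set, no enable bit'})"
    if info["le"] and info["ge"]:
        return "LE and GE set: the 0x700 pattern the text attributes to the SoftICE loader"
    if (dr7 & ~DR7_RESERVED) == 0:
        return "only the always-set reserved bit: the idle 0x400 value"
    return "other control bits set"


def arm_dr7(slot: int, kind: str, length: int, local: bool = True) -> int:
    """Build the DR7 a debugger writes to arm one slot (what a BPM looks like)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return DR7_RESERVED | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_dr7(0, "write", 4)):   # constructed values
        print(f"dr7={value:#x}: {classify(value)}")
```

The decoder also explains the warning at the top of this method: a BPM set in SoftICE changes exactly the bits the protected program inspects, so tracing with breakpoints armed turns the check positive.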

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
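The two conditional breakpoints quoted for Method 11 (`BPX CreateFileA if *(esp->4+4)=='SICE' ...`) and Method 13 (`BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'`) both compare four raw bytes at a fixed offset into a string argument. The added Python below (not part of the original text) evaluates those conditions over constructed argument strings and derives the 0x13 and 0x37 constants from the registry subkeys listed above; the function names and the sample inputs are assumptions of this example.

```python
"""Evaluate the two SoftICE breakpoint conditions from Methods 11 and 13.

Method 11: esp->4 is CreateFileA's lpFileName; +4 skips the "\\.\" prefix,
so the 4-byte compare reads the device name.
Method 13: esp->8 is RegOpenKey's lpSubKey; 0x13 and 0x37 are the offsets
at which "tICE" (the tail of "SoftICE") sits inside keys #2 and #1.
All inputs below are constructed for this example.
"""
from typing import Dict, Optional

DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")   # from the CreateFileA breakpoint
SUBKEY_OFFSETS = (0x13, 0x37)              # from the _regopenkey breakpoint

# Subkeys (without the HKEY_LOCAL_MACHINE root) of the three keys listed above
SOFTICE_SUBKEYS = {
    "#1": rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    "#2": rb"Software\NuMega\SoftICE",
    "#3": rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def dword_at(buf: bytes, off: int) -> bytes:
    """*(ptr+off) as SoftICE compares it: four raw bytes, or b'' past the end."""
    return buf[off:off + 4] if len(buf) >= off + 4 else b""


def createfile_bpx(lp_filename: bytes) -> bool:
    """Condition of the CreateFileA breakpoint of Method 11."""
    return dword_at(lp_filename, 4) in DEVICE_TAGS


def regopenkey_bpx(lp_subkey: bytes) -> bool:
    """Condition of the _regopenkey breakpoint of Method 13."""
    return any(dword_at(lp_subkey, off) == b"tICE" for off in SUBKEY_OFFSETS)


def tice_offset(subkey: bytes) -> Optional[int]:
    """Offset of 'tICE' inside a subkey, i.e. the constant such a BPX needs."""
    pos = subkey.find(b"tICE")
    return pos if pos >= 0 else None


def coverage() -> Dict[str, Dict]:
    """For each listed key: the 'tICE' offset and whether the quoted BPX fires."""
    return {name: {"offset": tice_offset(sk), "caught": regopenkey_bpx(sk)}
            for name, sk in SOFTICE_SUBKEYS.items()}


if __name__ == "__main__":
    for name in (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE", rb"\\.\PhysicalDrive0"):
        print(name.decode(), "->", createfile_bpx(name))
    for key, res in coverage().items():
        print(key, res)
```

Running it shows that 0x13 and 0x37 are exactly where "tICE" falls in keys #2 and #1, and that key #3 (`App Paths\Loader32.Exe`) contains no "tICE" at all, so a program probing only that key slips past the quoted breakpoint and needs a separate condition.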

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>