About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

" m5 Q* i: ?4 i4 _' L0 G9 ]Method 04
$ K7 V/ Q  @5 i3 o' n2 }=========
0 U0 @( \- l& A0 d- V* [" N9 a7 O2 m' X4 b, h0 [: f9 N5 K* F
Method identical to the preceding one except that it seeks the ID of SoftICE+ f9 N# U0 Q3 ]% H# Y
GFX VxD.3 f* U8 J' h- Y5 a9 Y/ F: b

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table (setup
                                    ; assumed here; not shown in the excerpt)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; the dummy handler leaves ax untouched,
    jz      SoftICE_detected        ; SoftICE still answers with its magic

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran -> cl == al
    jnz     SoftICE_detected        ; else SoftICE swallowed the int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the SICE device only succeeds when the SoftICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

" [# v) x7 B! KMethod 13
8 f/ k4 R" h# _) E* }=========! l8 m/ O; m6 Z$ M( D. v

' ~' P1 R" i7 H! D: dNot a real method of detection, but a good way to know if SoftICE is
9 V( i4 ^- |; S7 U' Linstalled on a computer and to locate its installation directory.  c: T) a: p6 C+ v
It is used by few softs which access the following registry keys (usually #2) :- m' ?' B  T5 i" [- b

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


" t% b9 K7 P/ ?2 CNote that some nasty apps could then erase all files from SoftICE directory
; d. |: u# u8 f7 G* t(I faced that once :-(
8 q. |, L5 ?7 r
; x5 @8 @( Q* ~, GUseful breakpoint to detect it:
( \6 }9 G- j- f0 K. e, M+ x
8 d/ Y2 N. u' h5 ~     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
1 l; t# G0 Q* }& I2 v( e* x7 p9 d0 a1 a/ _7 g/ V9 T" K% Z
__________________________________________________________________________
$ U$ R! b  P  a6 Z; z. X9 d8 K) S' V+ x3 {; K2 x* f. X
6 g& e$ W: V( i3 \
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
  M5 U* I1 q7 B. T& X& v3 \+ ^</PRE></TD></TR></TBODY></TABLE>