<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al             ; only reached if SoftICE did NOT intercept int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; random value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; cl == al only if our handler was called
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number     ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check if SoftICE was active or not (the code is
located inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name "\\.\SICE" only exists while the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it's only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004Fh         ; function 4Fh
    push 002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
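The following static scanner, added here as an example and not part of the original text, turns the tricks above into byte signatures a triage tool can look for in a binary: the immediates and interrupts of methods 01 to 08, 10, 12, 13 and the MeltICE device names of method 11. The sample bytes are constructed from the Haspinst.exe loop, the simplest method 05 check and a "\\.\SICE" string; the short signature names and the assumption of plain 16-bit/32-bit encodings (mov eax,DRn only, no prefixes in between) are mine.

```python
"""Scan a binary for the anti-SoftICE byte patterns described above."""
import re
from typing import Dict, List, Tuple

# name -> (regex over raw bytes, description). Encodings are the plain
# 16-bit / 32-bit forms of the snippets in the text (assumption).
SIGNATURES: Dict[str, Tuple[bytes, str]] = {
    "M01_bchk":          (rb"\xBD\x4B\x48\x43\x42", "mov ebp,4243484Bh 'BCHK'"),
    "M02_backdoor_magic": (rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A",
                          "mov si,4647h ... mov di,4A4Dh (int 3 back door)"),
    "M03_M04_vxd_id":    (rb"\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                          "mov bx,0202h/7A5Fh ; int 2Fh (VxD entry point)"),
    "M05_int41":         (rb"\xCD\x41", "int 41h (methods 05 and 06)"),
    "M05_magic_f386":    (rb"\x3D\x86\xF3", "cmp ax,0F386h (methods 05, 07, 12)"),
    "M07_int68":         (rb"\xB4\x43\xCD\x68", "mov ah,43h ; int 68h"),
    "M08_hook_int1_3":   (rb"\xB4\x25\xB0[\x01\x03].{0,8}?\xCD\x21",
                          "mov ah,25h ; mov al,01h/03h ; int 21h"),
    "M10_debug_regs":    (rb"\x0F\x21[\xC0\xC8\xD0\xD8\xF8]",
                          "mov eax,dr0/dr1/dr2/dr3/dr7"),
    "M11_meltice_name":  (rb"\\\\\.\\(SICE|SIWVID|NTICE)", "\\\\.\\SICE-style device name"),
    "M12_vxdcall_int41": (rb"\x68\x2A\x00\x2A\x00", "push 002A002Ah (VWIN32_Int41Dispatch)"),
    "M13_registry_key":  (rb"Software\\NuMega\\SoftICE", "NuMega registry key"),
}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [file offsets]} for every pattern present."""
    hits: Dict[str, List[int]] = {}
    for name, (pattern, _desc) in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, data, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: 16-bit Haspinst.exe prologue (method 02), then the
# simplest method 05 check, then a MeltICE device name in the data section.
SAMPLE = bytes.fromhex(
    "B8 11 09"   # mov ax,0911h           offset 0
    "8B 17"      # mov dx,[bx]            offset 3
    "BE 47 46"   # mov si,4647h           offset 5
    "BF 4D 4A"   # mov di,4A4Dh           offset 8
    "CC"         # int 3                  offset 11
    "B8 4F 00"   # mov ax,4Fh             offset 12
    "CD 41"      # int 41h                offset 15
    "3D 86 F3"   # cmp ax,0F386h          offset 17
) + b"\\\\.\\SICE\x00"  # "\\.\SICE",0  offset 20


if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:20s} {SIGNATURES[name][1]:45s} at {offsets}")
```

Run it against an unpacked executable image rather than a packed one, since the packers the text mentions hide these bytes until runtime.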
</PRE></TD></TR></TBODY></TABLE>