<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; al stays 4 unless a debugger handled the int 3
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911    ; execute command.
        4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647    ; 1st magic value.
        4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
        4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
        4C19:00A8  JB   0095       ; 6 different commands.
        4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD by its ID via
int 2Fh/1684h (Get Device API Entry Point): a null ES:DI means the
VxD is absent.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected


The next method, as well as the following one (Method 06), are two
examples from Stone's "stn-wid.zip" (www.cracking.net):

        xor     ax,ax                   ; ES must address the interrupt vector
        mov     es,ax                   ; table (segment 0), as in Method 06
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler ...
        xchg    bx, es:[41h*4+2]
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; ... and restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl,al                   ; only reached if no debugger took int 41h
        iret
int41handler ENDP

        xor     ax,ax
        mov     es,ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer counter: an unpredictable byte
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl,al                   ; cl == al only if our handler ran
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode):

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using the VxdCall
backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
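To make the two dr7 values quoted above concrete, here is an added Python
decoder (not part of the original text, nor of any tool it mentions) that
splits a DR7 value into its architectural fields following the IA-32
debug-register layout: bits 0-7 are the per-breakpoint local/global enables,
bits 8 and 9 are LE/GE, bit 10 is the reserved always-set bit, bit 13 is GD,
and bits 16-31 hold the R/W and LEN fields of each breakpoint. Applied to the
values above it shows that 0x700 and 0x400 differ only in LE and GE, and that
a memory breakpoint (BPM) shows up as an enable bit plus an R/W and LEN field;
the 0xD0402 value and the 0x00401000 address are constructed for illustration.

```python
"""Decode DR7 (IA-32 debug control register) into its named fields."""

# Field layout per the IA-32 architecture (debug registers chapter):
#   bits 0..7  : L0 G0 L1 G1 L2 G2 L3 G3 -> local/global enable for DR0..DR3
#   bit 8 / 9  : LE / GE (local/global exact breakpoint enable)
#   bit 10     : reserved, always reads as 1
#   bit 13     : GD (general detect: trap any access to the debug registers)
#   bits 16..  : per breakpoint n, R/Wn at 16+4n (2 bits), LENn at 18+4n (2 bits)
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
FLAG_BITS = {0: "L0", 1: "G0", 2: "L1", 3: "G1", 4: "L2", 5: "G2", 6: "L3", 7: "G3",
             8: "LE", 9: "GE", 10: "RESERVED1", 13: "GD"}


def named_bits(value: int) -> list:
    """Names of the control bits (0..13) set in `value`, sorted by position."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if (value >> bit) & 1]


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of enabled hardware breakpoints."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue  # slot n is disabled; its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append({"index": n, "local": local, "global": glob,
                            "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "breakpoints": breakpoints}


def active_bpms(dr7: int, dr0_3) -> list:
    """Pair each enabled DR7 slot with its linear address from DR0..DR3."""
    return [dict(bp, address=dr0_3[bp["index"]])
            for bp in decode_dr7(dr7)["breakpoints"]]


def loader_difference(dr7: int, baseline: int = 0x400) -> list:
    """Control bits by which `dr7` differs from the 'no SoftICE loader' value."""
    return named_bits(dr7 ^ baseline)


if __name__ == "__main__":
    # The two values quoted in Method 10 differ only by LE and GE.
    print("0x700 vs 0x400:", loader_difference(0x700))
    # Constructed sample: one global 4-byte write breakpoint in slot 0.
    sample_dr7 = 0x400 | 0x2 | (0b01 << 16) | (0b11 << 18)   # == 0xD0402
    for bp in active_bpms(sample_dr7, [0x00401000, 0, 0, 0]):
        print(bp)
```

Reading the registers themselves requires ring 0, as the text says; the decoder
only interprets values that have already been read.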

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check whether SoftICE was active (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work.
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how could a shareware soft try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025         ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                     ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                     ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
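Every method above leaves a recognisable footprint in the protected file: an
immediate constant (4243484Bh, 4647h/4A4Dh, 0202h/7A5Fh, 0F386h), an interrupt
number, the VxDCall service word 002A002Ah, a device name such as \\.\SICE,
or one of the registry paths of Method 13. The following Python scanner is an
added example (not from the original text, nor from any tool it mentions) that
encodes those footprints as byte patterns, so that an analyst can list which
SoftICE checks a file contains before loading it under a debugger. The optional
66h operand-size prefix lets the 16-bit forms match inside 32-bit code, the
UTF-16LE variants of the device names go beyond the page (they cover the
wide-character CreateFileW form), and the sample buffer is constructed inline.

```python
"""Static scanner for the SoftICE detection footprints described in Methods 01-13."""
import re

# Code signatures: (tag, description, bytes regex).  `\x66?` allows the operand-size
# prefix that 16-bit instructions carry in 32-bit code; `.{0,N}?` allows a few
# unrelated bytes between the two halves of a check.
CODE_SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' int 3 probe (mov ebp,4243484Bh)",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("M02", "SoftICE int 3 back door magic (mov si,4647h ... mov di,4A4Dh)",
     rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A"),
    ("M03", "int 2Fh/1684h with SICE VxD ID (mov bx,0202h ... int 2Fh)",
     rb"\x66?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04", "int 2Fh/1684h with SIWVID VxD ID (mov bx,7A5Fh ... int 2Fh)",
     rb"\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh (mov ax,4Fh ... int 41h)",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M07", "int 68h function 43h (mov ah,43h ... int 68h)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("F386", "system-debugger magic number check (cmp ax,0F386h)",
     rb"\x66?\x3D\x86\xF3"),
]

# String signatures (Method 11 device names, Method 13 registry paths).
STRING_SIGNATURES = [
    ("M11-SICE", "MeltICE device name", b"\\\\.\\SICE"),
    ("M11-SIWVID", "MeltICE device name", b"\\\\.\\SIWVID"),
    ("M11-NTICE", "MeltICE device name (NT)", b"\\\\.\\NTICE"),
    ("M13-NuMega", "registry key", b"Software\\NuMega\\SoftICE"),
    ("M13-Uninstall", "registry key", b"Uninstall\\SoftICE"),
    ("M13-AppPaths", "registry key", b"App Paths\\Loader32.Exe"),
]

DESCRIPTIONS = {tag: desc for tag, desc, _ in CODE_SIGNATURES + STRING_SIGNATURES}
_COMPILED = [(tag, re.compile(pat, re.DOTALL)) for tag, _, pat in CODE_SIGNATURES]


def _find_all(blob: bytes, needle: bytes):
    """Yield every offset at which `needle` occurs in `blob`."""
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def scan(blob: bytes) -> list:
    """Return (tag, offset) pairs for every footprint found, sorted by offset."""
    hits = []
    for tag, rx in _COMPILED:
        hits.extend((tag, m.start()) for m in rx.finditer(blob))
    for tag, _, needle in STRING_SIGNATURES:
        # Check the ASCII form and the UTF-16LE form used by wide-character APIs.
        for variant in (needle, needle.decode("ascii").encode("utf-16-le")):
            hits.extend((tag, off) for off in _find_all(blob, variant))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: a fake header followed by Method 01, 05 and 03 checks and
# the MeltICE device name.  Not taken from any real program.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\x66\xBD\x4B\x48\x43\x42"                  # mov ebp, 4243484Bh           (M01)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"      # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\\\\.\\SICE\x00"                            # "\\.\SICE" device name       (M11)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for tag, off in scan(SAMPLE):
        print(f"{off:#06x}  {tag:<12} {DESCRIPTIONS[tag]}")
```

Run the file as-is to scan the built-in sample, or call scan() on the bytes of
a real executable; a hit is a lead for the SoftICE breakpoints listed under each
method, not proof on its own, since the same constants can occur by chance.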
</PRE></TD></TR></TBODY></TABLE>