About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to be 0 here (real-mode IVT), as Method 06 sets explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; point int 41h at our own IRET handler
    xchg    bx, es:[41h*4+2]        ; (old vector is kept in dx:bx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; only a debugger sitting below the IVT answers
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; echo al back through cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter: a hard-to-predict value
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
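To make the two DR7 values quoted above concrete, here is a small decoder of the x86 DR7 register layout. It is an added example, not part of the original text: it follows the Intel field layout (Ln/Gn enable bits, LE/GE, GD, and the R/Wn and LENn pairs), which is why a "clean" DR7 reads 0x400 (reserved bit 10 is architecturally always set) and why 0x700 differs from it only by the LE and GE exact-match bits. It is pure computation on an integer and never touches real debug registers.

```python
# Added example: decode an x86 DR7 value into its fields (Intel SDM layout).
# It shows why a "clean" DR7 reads 0x400 (reserved bit 10 is always set),
# what 0x700 adds (LE and GE), and which dr0-dr3 slots carry an armed
# memory breakpoint. Pure computation; it does not read real debug registers.

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding -> bytes (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7):
    """Return a dict describing every field of a 32-bit DR7 value."""
    slots = []
    for n in range(4):
        local_en = bool((dr7 >> (2 * n)) & 1)        # Ln: bits 0, 2, 4, 6
        global_en = bool((dr7 >> (2 * n + 1)) & 1)   # Gn: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * n)) & 3               # R/Wn: bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * n)) & 3               # LENn: bits 18-19, 22-23, ...
        slots.append({
            "slot": n,
            "enabled": local_en or global_en,
            "local": local_en,
            "global": global_en,
            "type": RW_TYPES[rw],
            "length": LENGTHS[ln],
        })
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),              # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),              # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1), # architecturally always 1 (the 0x400)
        "GD": bool((dr7 >> 13) & 1),             # general detect: traps MOV to/from DRn
        "active_breakpoints": [s["slot"] for s in slots if s["enabled"]],
    }


def debugger_hints(dr7):
    """Summarise what a DR7-reading check of the kind described above would
    conclude: whether any hardware breakpoint slot is armed and whether the
    exact-match bits (the 0x300 difference between 0x700 and 0x400) are set."""
    d = decode_dr7(dr7)
    return {
        "hw_breakpoints_armed": bool(d["active_breakpoints"]),
        "exact_match_bits_set": d["LE"] or d["GE"],
        "general_detect_set": d["GD"],
    }


if __name__ == "__main__":
    # 0x400: nothing armed; 0x700: LE+GE set; third value: dr0 armed as a
    # 4-byte read/write breakpoint (constructed values for illustration).
    for value in (0x400, 0x700, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(hex(value), debugger_hints(value))
```

Reading the decoded slots also explains the warning at the top of this method: a BPM set in SoftICE shows up as an enabled Ln/Gn bit with a non-zero LENn/R/Wn pair, which is exactly what such a check looks for and may clear.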

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
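For an analyst triaging a sample rather than tracing it live, the checks from Methods 01 to 07 and the device names and registry key of Methods 11 and 13 can be searched for statically. The scanner below is an added example, not code from the original text or from any of the tools it names: the byte strings are the encodings of the exact instructions shown above (16-bit encodings for the int 2Fh/41h/68h snippets, 32-bit for the 'BCHK' check), the window sizes and the SAMPLE buffer are constructed for this example, and a real packer may use other registers or operand-size prefixes, so a miss here proves nothing.

```python
# Added example: static scanner for the anti-SoftICE patterns described above.
# The byte strings are the encodings of the instructions shown in the text
# (16-bit for the int 2Fh/41h/68h tricks, 32-bit for the 'BCHK' check); the
# window sizes and the SAMPLE buffer are constructed for this example.

# (description, instruction encodings that must appear in this order,
#  max distance in bytes from the first encoding to the end of the last)
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     [b"\xBD\x4B\x48\x43\x42",   # mov ebp, 4243484Bh
      b"\xCC",                   # int 3
      b"\x3C\x04"], 24),         # cmp al, 4
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     [b"\xBE\x47\x46",           # mov si, 4647h
      b"\xBF\x4D\x4A",           # mov di, 4A4Dh
      b"\xCC"], 16),             # int 3
    ("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
     [b"\xB8\x84\x16",           # mov ax, 1684h
      b"\xBB\x02\x02",           # mov bx, 0202h
      b"\xCD\x2F"], 16),         # int 2Fh
    ("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"], 16),
    ("Method 05: int 41h/4Fh answered with 0F386h",
     [b"\xB8\x4F\x00",           # mov ax, 4Fh
      b"\xCD\x41",               # int 41h
      b"\x3D\x86\xF3"], 32),     # cmp ax, 0F386h
    ("Method 07: int 68h/43h answered with 0F386h",
     [b"\xB4\x43",               # mov ah, 43h
      b"\xCD\x68",               # int 68h
      b"\x3D\x86\xF3"], 16),     # cmp ax, 0F386h
]

# Method 11/13: device names opened by MeltICE-style code and the registry
# key (#2 above) used to locate the installation directory.
STRINGS = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
           b"Software\\NuMega\\SoftICE"]


def _match_chain(data, parts, window, start=0):
    """Offset of parts[0] (searching from `start`) such that every later part
    follows it, in order, within `window` bytes; None if there is no such hit."""
    pos = data.find(parts[0], start)
    while pos != -1:
        limit = pos + window
        cur = pos + len(parts[0])
        for part in parts[1:]:
            cur = data.find(part, cur, limit)
            if cur == -1:
                break                # this part is missing or too far away
            cur += len(part)
        else:
            return pos               # every part found in order
        pos = data.find(parts[0], pos + 1)
    return None


def scan(data):
    """Return [(offset, description), ...] for every hit, sorted by offset."""
    hits = []
    for name, parts, window in SIGNATURES:
        off = _match_chain(data, parts, window)
        while off is not None:
            hits.append((off, name))
            off = _match_chain(data, parts, window, off + 1)
    for s in STRINGS:
        pos = data.find(s)
        while pos != -1:
            hits.append((pos, "string " + s.decode("ascii")))
            pos = data.find(s, pos + 1)
    return sorted(hits)


# Constructed sample buffer (not from any real binary): NOP sled, the
# Method 05 check, then the Method 02 back-door call, then a device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                        # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print("0x%04X  %s" % (off, what))
```

The ordered-window match is what keeps the noise down: a lone 0CCh byte or a stray 0F386h constant is common in any binary, but the immediate load followed by the specific interrupt and the specific compare within a few bytes is the shape the text documents for each trick.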

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>