<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE answers this INT 3 and modifies AL
        cmp al,4                ; AL is still 4 only if nobody handled it
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES:DI stays 0000:0000 if the VxD is absent
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; saving the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone: 0F386h means SoftICE answered
        jz SoftICE_detected
int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value read from the timer port
        xor cx,cx
        int 41h                 ; only our handler sets CL = AL
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL: our handler never ran, int 41h was intercepted
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)
        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD through its device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the device exists: SoftICE is loaded */
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected
Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
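An added example that is not part of the original document: a small Python scanner that flags the byte-level fingerprints of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a code blob, the way an analyst triages a packed executable statically before tracing it. The opcode encodings are assumed from the Intel opcode map (16-bit DOS and 32-bit Windows code) and the three sample buffers, including a hand-assembled copy of the Haspinst.exe loop above, are constructed here.

```python
# Static scan for the SoftICE-detection signatures catalogued on this page.
# Added example, not from the original document. Opcode encodings follow the
# Intel opcode map (16-bit DOS and 32-bit Windows code); samples are constructed.
import re

# One compiled byte pattern per trick; immediates are little-endian.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK/int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "02 back door SI=4647h DI=4A4Dh":
        re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                   rb".{0,8}?(?:\xCC|\xCD\x03)", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41", re.S),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68", re.S),
    # Method 11: device names handed to CreateFileA or _lopen
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 2A002Ah / call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S),
    # Method 13: registry key probe
    "13 NuMega registry key": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}

def scan(blob):
    """Return sorted (offset, signature name) pairs found in blob."""
    hits = []
    for name, rx in SIGNATURES.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)

# Constructed sample 1: the Haspinst.exe loop from Method 02, hand-assembled.
HASP_LOOP = bytes.fromhex(
    "B81109 8B17"        # mov ax,0911h / mov dx,[bx]
    "BE4746 BF4D4A CC"   # mov si,4647h / mov di,4A4Dh / int 3
    "83C302 41"          # add bx,2 / inc cx
    "83F906 72EB"        # cmp cx,6 / jb back to the mov ax
)
# Constructed sample 2: a MeltICE-style open of two device names, then a
# Method 05 int 41h probe; the call target is a placeholder rel32.
MELTICE_LIKE = (
    b"\x90" * 4
    + b"\x68\x25\x20\x40\x00"              # push 00402025h (string address)
    + b"\xE8\x00\x00\x00\x00"              # call CreateFileA
    + b"\x83\xF8\xFF\x74\x1B"              # cmp eax,-1 / je not_loaded
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
)
# Constructed sample 3: an ordinary prologue and strings, no anti-debug code.
CLEAN = b"\x55\x8B\xEC" + b"Hello, world\x00" * 3 + b"\xC9\xC3"

if __name__ == "__main__":
    for label, blob in (("hasp", HASP_LOOP), ("melt", MELTICE_LIKE), ("clean", CLEAN)):
        print(label, scan(blob))
```

Run as a script it prints the hits for each sample; in practice the blob would be the code section of the executable under analysis, and a hit marks where to place the corresponding SoftICE breakpoint from the text.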