<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: with EBP = 'BCHK'
and AX = 4, INT 3 is serviced by SoftICE, which returns with AL changed.
Without SoftICE, INT 3 reaches the normal handler and AL still holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL untouched -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler, which only runs if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
as 0000:0000.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES+DI != 0 only if an entry point was returned
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE video VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector in the IVT at a dummy handler, so that only a debugger which
intercepts int 41h itself can still return the magic value:

        xor ax,ax
        mov es,ax               ; ES = 0: the real-mode IVT segment (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; AX untouched -> no magic value without a debugger
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it never compares anything with 0F386h. The dummy handler copies AL into CL.
If no debugger has taken over int 41h, the handler runs and CL equals AL;
if SoftICE services int 41h itself, the handler is never reached, CL stays 0
and differs from AL (AL is read from the timer port 40h so that it is rarely
0; when it is, the check silently misses).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0: the real-mode IVT segment
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random AL from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints (BPM) are set (dr0 to dr3 hold their addresses),
simply by reading their values (in ring0 only, since mov eax,drN is a
privileged instruction). Bit 10 of DR7 is reserved and always reads 1, which
is where the 0x400 comes from; 0x700 adds the LE and GE bits (8 and 9).
Values can be manipulated or changed as well (clearing BPMs for instance).

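As an added example (not part of the original text, and not code from SoftICE or its author), here is a C decoder for a DR7 value and the four address registers, using the Intel-documented bit layout: it explains the 0x400 / 0x700 values above, lists which slots hold an armed BPM and what SoftICE command would have set it, and shows the "clearing BPMs" rewrite that keeps only the reserved bit. It takes register values as input because reading DR0..DR7 is a ring0-only operation; the sample register contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (Intel SDM, vol. 3, "Debug Registers"):
 *   bits 0..7   L0 G0 L1 G1 L2 G2 L3 G3   per-slot local/global enables
 *   bit 8 / 9   LE / GE                    "exact" breakpoint enables
 *   bit 10      reserved, always reads 1   -> the 0x400 seen with no debugger
 *   bit 13      GD                         general detect (trap on DRn access)
 *   bits 16..31 RWn (2 bits) / LENn (2 bits) for each slot n           */
#define DR7_RESERVED  0x00000400u
#define DR7_LE        0x00000100u
#define DR7_GE        0x00000200u
#define DR7_GD        0x00002000u

/* Slot n (0..3) has a hardware breakpoint armed if Ln or Gn is set. */
static bool dr7_slot_enabled(uint32_t dr7, unsigned n)
{
    return (dr7 & (3u << (2 * n))) != 0;
}

/* RWn: 0 = execute, 1 = write, 2 = I/O, 3 = read/write. */
static unsigned dr7_slot_rw(uint32_t dr7, unsigned n)
{
    return (dr7 >> (16 + 4 * n)) & 3u;
}

/* LENn: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes, long mode only). */
static unsigned dr7_slot_len(uint32_t dr7, unsigned n)
{
    return (dr7 >> (18 + 4 * n)) & 3u;
}

/* Bitmask of armed slots (bit n <-> DRn). */
static unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (unsigned n = 0; n < 4; n++)
        if (dr7_slot_enabled(dr7, n)) mask |= 1u << n;
    return mask;
}

/* The Method 10 check: anything beyond the reserved bit means a debugger has
 * touched DR7 (0x700 = LE|GE from the SoftICE loader, or an armed BPM). */
static bool dr7_debugger_suspected(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) != 0 || dr7_armed_mask(dr7) != 0;
}

/* "Clearing BPMs": drop every enable and RW/LEN field, keep the reserved bit
 * (and GD, which is not a breakpoint) so the value stays architecturally valid. */
static uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & DR7_GD) | DR7_RESERVED;
}

/* Render slot n as the SoftICE command that would have armed it:
 * BPMB/BPMW/BPMD address R|W|RW|X.  Uses a static buffer (one call at a time). */
static const char *dr7_slot_as_bpm(uint32_t dr7, const uint32_t dr03[4], unsigned n)
{
    static const char *const size[4] = { "BPMB", "BPMW", "BPM8", "BPMD" };
    static const char *const kind[4] = { "X", "W", "IO", "RW" };
    static char buf[48];
    if (!dr7_slot_enabled(dr7, n)) return "(free)";
    snprintf(buf, sizeof buf, "%s %08X %s", size[dr7_slot_len(dr7, n)],
             (unsigned)dr03[n], kind[dr7_slot_rw(dr7, n)]);
    return buf;
}

int main(void)
{
    /* Constructed sample: loaded through the SoftICE loader (LE|GE) with one
     * BPMD RW on 00401000 in slot 1 (L1 set, RW1 = 3, LEN1 = 3) -> 0xF00704. */
    uint32_t dr03[4] = { 0, 0x00401000u, 0, 0 };
    uint32_t dr7 = DR7_RESERVED | DR7_LE | DR7_GE | (1u << 2) | (3u << 20) | (3u << 22);

    printf("dr7=%08X suspected=%d armed=%x\n", (unsigned)dr7,
           dr7_debugger_suspected(dr7), dr7_armed_mask(dr7));
    for (unsigned n = 0; n < 4; n++)
        printf("  slot %u: %s\n", n, dr7_slot_as_bpm(dr7, dr03, n));
    printf("after clearing: %08X\n", (unsigned)dr7_clear_breakpoints(dr7));
    return 0;
}
```

A clean machine reads 0x400 and decodes as "nothing armed"; the 0x700 the text mentions trips the check through LE|GE alone, with no BPM set.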
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Only a loaded SICE VxD answers to this device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of key #2 and key #1; key #3 contains no such tag and is
not caught by this condition):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

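As an added example (not from the original page, nor from SoftICE or NuMega), this C code evaluates the same conditions the _regopenkey breakpoint above and the CreateFileA breakpoint of Method 11 use, on constructed argument strings: the 4-byte window compare behind 'SICE' and 'tICE', how the 0x13 and 0x37 offsets were derived from the key paths, and which of the three keys the _regopenkey condition actually fires on. The HKEY_LOCAL_MACHINE root is omitted because RegOpenKey receives only the subkey string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Does the 4-byte window at `off` in `buf` hold `tag`?  This is the C
 * equivalent of a SoftICE condition such as  *(esp->8+0x13)=='tICE':
 * SoftICE compares the dword at that address with the four characters in
 * memory order, so memcmp is the faithful translation (no endianness
 * arithmetic).  Windows that would run past the string never match. */
static bool tag_at(const char *buf, size_t off, const char tag[4])
{
    size_t len = strlen(buf);
    if (off + 4 > len) return false;
    return memcmp(buf + off, tag, 4) == 0;
}

/* First offset of `tag` in `s`, or -1: how the 0x13 / 0x37 constants in the
 * _regopenkey breakpoint were derived from the key paths. */
static long tag_offset(const char *s, const char tag[4])
{
    size_t len = strlen(s);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(s + i, tag, 4) == 0) return (long)i;
    return -1;
}

/* The three subkey paths from Method 13 (constructed from the list above). */
static const char *const REG_PATHS[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

/* The page's _regopenkey condition, applied to the lpSubKey argument. */
static bool regopenkey_bp_fires(const char *subkey)
{
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

/* The page's CreateFileA condition: the device name right after the 4-byte
 * "\\.\" prefix.  Returns 1 = SICE, 2 = SIWV(ID), 3 = NTIC(E), 0 = no match. */
static int createfile_bp_fires(const char *filename)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    for (int i = 0; i < 3; i++)
        if (tag_at(filename, 4, tags[i])) return i + 1;
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        printf("key #%zu: 'tICE' at offset %ld, _regopenkey BPX fires: %s\n",
               i + 1, tag_offset(REG_PATHS[i], "tICE"),
               regopenkey_bp_fires(REG_PATHS[i]) ? "yes" : "no");
    printf("\\\\.\\SIWVID -> tag %d, \\\\.\\COM1 -> tag %d\n",
           createfile_bp_fires("\\\\.\\SIWVID"), createfile_bp_fires("\\\\.\\COM1"));
    return 0;
}
```

Running it shows 'tICE' at 0x37 in key #1 and at 0x13 in key #2, and no hit in key #3, which is why a program that only probes the Loader32.Exe App Paths entry slips past that breakpoint.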
__________________________________________________________________________, q* Y: d( d- s/ t% m$ w

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>