About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the IVT (segment 0), as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
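As an added example (not part of the original post), here is a small Python signature scanner that looks for the byte patterns and strings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw binary, the way an analyst would triage a packer for these tricks; the regexes and the sample buffer are constructed here and assume the standard x86 encodings noted in the comments.

```python
import re
import sys

# Byte-level signatures for the anti-SoftICE tricks discussed above, written
# as regexes over raw bytes. Encodings are the standard x86 ones: the DOS-era
# tricks are encoded as 16-bit code, Method 01 as 32-bit code (so the 66h
# operand-size prefix on "mov ax,..." is optional in the int 41h rule).
# [\x00-\xff]{0,N}? allows a few unrelated instructions between the key ones.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker 'BCHK' + int 3": rb"\xBD\x4B\x48\x43\x42[\x00-\xff]{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh  (the int 3 backdoor magic values)
    "M02 int 3 backdoor SI=4647h/DI=4A4Dh": rb"\xBE\x47\x46[\x00-\xff]{0,16}?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names passed to CreateFileA/_lopen
    "M11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 2A002Ah  (VxDCall VWIN32_Int41Dispatch)
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: SoftICE registry key (ASCII only; UTF-16 strings not covered)
    "M13 registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(buf: bytes):
    """Return a sorted list of (offset, rule name) for every signature hit."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP filler with four of the
# tricks embedded, in the byte encodings the listings above correspond to.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp,4243484Bh          (Method 01)
    + b"\x66\xB8\x04\x00\xCC"            # mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 ; jnz short
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"            # mov ax,0911h ; mov dx,[bx]  (Haspinst.exe)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE" device name      (Method 11)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 2A002Ah     (Method 12)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

Run it with a file path to scan that file, or without arguments to scan the embedded sample; rules that span several instructions use a bounded wildcard, so a different instruction ordering or longer gaps than those allowed will not match.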