<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE: if SoftICE is
loaded, its int 3 handler recognises the 'BCHK' marker in EBP and returns
with AL no longer equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an exception handler if the debugger is
  not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI comes back zero when no VxD with that
ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A private int 41h handler (a bare IRET)
is swapped into the interrupt vector table around the call, so on a clean
system AX comes back unchanged; only a debugger that intercepts int 41h
before the vector is reached (as SoftICE does) can answer 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0: es:[41h*4] is the IVT entry for int 41h
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
magic number is compared. 'in al,40h' reads a changing value from the
timer chip, the private handler copies it into cl, and if that handler is
never reached (because a debugger intercepted int 41h) cl keeps its zero
value and differs from al. (A false negative is possible in the rare case
where the timer byte itself is zero.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0: interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter low byte: hard to predict
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86-mode debugger
installation check):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS must already hold its segment
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise;
0x400 is just the always-set reserved bit 10, while 0x700 also has the LE and
GE bits 8 and 9 set) or if there are memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). The values can be manipulated
or changed as well (clearing BPMs, for instance).

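To make the dr7 values quoted above concrete, here is an added Python example
(not part of the original text) that decodes DR7 according to the Intel SDM
bit layout and shows how a BPM arms one of dr0-dr3 and how such a breakpoint
is cleared again. Function names and the sample values are mine; a real check
would read dr7 from ring0 as the text says, this only interprets the number.

```python
"""DR7 decoder for the debug-register check described in Method 10.

Bit layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the L/G enable
pairs for breakpoints 0-3, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1),
bit 13 GD, and bits 16-31 hold an R/W + LEN nibble per breakpoint.
Helper names and sample values are assumptions made for this example."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # 'io' needs CR4.DE
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # encoding 2 (8 bytes) is 64-bit mode only

LE, GE, RESERVED_BIT10, GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13


def decode_dr7(dr7):
    """Return the control bits and the list of armed hardware breakpoints."""
    armed = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        armed.append({"index": i, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & LE),
        "GE": bool(dr7 & GE),
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
        "GD": bool(dr7 & GD),
        "breakpoints": armed,
    }


def arm_bpm(dr7, index, kind, length, local=True):
    """Return dr7 with breakpoint `index` armed, as a BPM command would do."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    # clear the old L/G pair and R/W+LEN nibble of this slot first
    dr7 &= ~((1 << (2 * index)) | (1 << (2 * index + 1)) | (0xF << (16 + 4 * index)))
    dr7 |= 1 << (2 * index + (0 if local else 1))
    dr7 |= (rw | (ln << 2)) << (16 + 4 * index)
    return dr7 | RESERVED_BIT10


def disarm_all(dr7):
    """Clear every L/G bit and condition nibble: what 'clearing BPMs' means."""
    return (dr7 & ~(0xFF | 0xFFFF0000)) | RESERVED_BIT10


def classify(dr7):
    """Heuristic from the text: LE+GE with nothing armed = loaded by the debugger."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed"
    if d["LE"] and d["GE"]:
        return "loaded via debugger loader"
    return "clean"


# Constructed sample values: the two quoted in the text plus a 4-byte
# read/write BPM armed in dr0 on top of the 'clean' 0x400.
SAMPLES = {"loader": 0x700, "clean": 0x400,
           "bpm_rw4": arm_bpm(0x400, 0, "read/write", 4)}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: dr7={value:#010x} -> {classify(value)} {decode_dr7(value)}")
```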
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( )
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
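As an added example (not code from the original text), the following Python
scanner looks in a raw file image for the byte encodings of the stubs shown in
Methods 01 to 05, 07 and 12 and for the device and registry strings of Methods
11 and 13. The patterns are my encodings of the mnemonics on the page (16-bit
code for the DOS stubs, 32-bit for the Win32 ones), the search windows and the
sample image are constructed, and the function and rule names are assumptions.
It only matches the exact register choices shown on the page; a packer that
loads the magic values through other registers or instructions would need
extra rules.

```python
"""Static scanner for the anti-SoftICE stubs described in this text.

Opcodes used by the rules: B8/BB/BE/BF iw = mov ax/bx/si/di,imm16;
BD id = mov ebp,imm32 (66h prefix in 16-bit code, which the anchor tolerates
because it starts at BD); B4 ib = mov ah,imm8; CC = int 3; CD ib = int n;
6A ib = push imm8; 68 id = push imm32; E8 = call rel32.
Patterns, windows, names and the sample image are assumptions for this example."""
from __future__ import annotations

# (method, description, anchor, fragments that must all appear within `window`
#  bytes after the anchor, window)
CODE_RULES = [
    (1, "BoundsChecker 'BCHK' in EBP + int 3",
     b"\xBD\x4B\x48\x43\x42", [b"\xB8\x04\x00", b"\xCC"], 16),
    (2, "int 3 back door with SI='FG', DI='JM'",
     b"\xBE\x47\x46", [b"\xBF\x4D\x4A", b"\xCC"], 16),
    (3, "int 2Fh/1684h, VxD ID 0202h (SICE)",
     b"\xB8\x84\x16", [b"\xBB\x02\x02", b"\xCD\x2F"], 12),
    (4, "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     b"\xB8\x84\x16", [b"\xBB\x5F\x7A", b"\xCD\x2F"], 12),
    (5, "int 41h function 4Fh",
     b"\xB8\x4F\x00", [b"\xCD\x41"], 8),
    (7, "int 68h function 43h",
     b"\xB4\x43", [b"\xCD\x68"], 8),
    (12, "VxDCall VWIN32_Int41Dispatch(4Fh)",
     b"\x6A\x4F", [b"\x68\x2A\x00\x2A\x00", b"\xE8"], 12),
]
STRING_RULES = [
    (11, "device name \\\\.\\SICE", b"\\\\.\\SICE"),
    (11, "device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    (11, "device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
    (13, "registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
]


def scan(image):
    """Return [(offset, method, description)] for every hit, lowest offset first."""
    hits = []
    for method, desc, anchor, followers, window in CODE_RULES:
        start = 0
        while (pos := image.find(anchor, start)) != -1:
            end = pos + len(anchor)
            tail = image[end:end + window]
            if all(f in tail for f in followers):
                hits.append((pos, method, desc))
            start = pos + 1
    for method, desc, needle in STRING_RULES:
        start = 0
        while (pos := image.find(needle, start)) != -1:
            hits.append((pos, method, desc))
            start = pos + 1
    return sorted(hits)


def detected_methods(image):
    """Sorted list of method numbers (as used in this text) that fired."""
    return sorted({m for _, m, _ in scan(image)})


# Constructed sample image (not a real binary): padding, then one stub per
# method, assembled by hand from the page's listings.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # push 4Fh; push 2A002Ah; call VxDCall
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  Method {method:02d}  {desc}")
```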
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>