<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number        ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                         ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                         ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxdCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

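Most of the tricks above leave fixed byte sequences in a protected binary (the 'BCHK' load, the 4647h/4A4Dh magic values, the int 2Fh/41h/68h probes, the \\.\SICE-style device names, the 002A002Ah VxDCall argument and the NuMega\SoftICE registry string). The static triage scanner below is an added example, not part of the original text: it flags those signatures in a raw code blob so an analyst can see at a glance which of Methods 01 to 13 a sample carries. The instruction encodings are the standard 16-bit real-mode forms where the page shows DOS code (the 'BCHK' load uses the 32-bit form), and the sample blob is constructed by hand.

```python
"""Static triage scanner for the anti-SoftICE tricks catalogued above (constructed example)."""
from typing import Dict, Iterator, List, Tuple

# Byte signatures derived from the methods above: (method number, description, literal bytes).
# 16-bit real-mode encodings where the page shows DOS code; the 'BCHK' load is the 32-bit form.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,04243484Bh ('BCHK' BoundsChecker probe)", b"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh back-door magic values", b"\xBE\x47\x46\xBF\x4D\x4A"),
    ("03", "mov bx,0202h / int 2Fh (SICE VxD ID via 1684h)", b"\xBB\x02\x02\xCD\x2F"),
    ("04", "mov bx,7A5Fh / int 2Fh (SIWVID VxD ID via 1684h)", b"\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h debugger installation check", b"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler)", b"\xB4\x43\xCD\x68"),
    ("11", "SoftICE Win9x device name for CreateFileA/_lopen", rb"\\.\SICE"),
    ("11", "SoftICE video driver device name", rb"\\.\SIWVID"),
    ("11", "SoftICE NT driver device name", rb"\\.\NTICE"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", b"\x68\x2A\x00\x2A\x00"),
    ("13", "NuMega\\SoftICE registry key string", rb"Software\NuMega\SoftICE"),
]


def find_all(blob: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which needle occurs in blob (overlapping hits included)."""
    start = 0
    while True:
        pos = blob.find(needle, start)
        if pos < 0:
            return
        yield pos
        start = pos + 1


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, description, needle in SIGNATURES:
        for pos in find_all(blob, needle):
            hits.append((pos, method, description))
    return sorted(hits)


def summarize(blob: bytes) -> Dict[str, int]:
    """Number of hits per method number: the triage view an analyst wants first."""
    counts: Dict[str, int] = {}
    for _, method, _ in scan(blob):
        counts[method] = counts.get(method, 0) + 1
    return counts


# Constructed sample blob (not a real binary): a few of the tricks above, hand-assembled.
SAMPLE = (
    b"\x90" * 4                                     # nop padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # 01: mov ebp,'BCHK'; mov ax,4; int 3 (32-bit)
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 02: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + rb"\\.\SICE" + b"\x00" + rb"\\.\NTICE" + b"\x00"   # 11: device-name strings
    + b"\x68\x2A\x00\x2A\x00"                       # 12: push 002A002Ah
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}  {description}")
    print(summarize(SAMPLE))
```

A hit is an indicator for manual review, not proof: the short interrupt-probe sequences can occur in benign DOS code, so confirm each offset in a disassembler.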
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>