<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; saving the old vector in DX:BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves AX alone: only a
        jz SoftICE_detected     ; debugger hooking int 41h returns 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a (pseudo-random) timer value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL==AL only if our handler really ran; if
        jnz SoftICE_detected    ; a debugger intercepts int 41h, CL stays 0

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

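The dr7 values quoted above (0x700 versus 0x400) only make sense once the register's bit layout is known. The following decoder is an added example, not code from the original text: it splits a dr7 value into its enable, R/W and LEN fields and lists any armed memory breakpoint, run on constructed register snapshots (the breakpoint address is made up).

```c
#include <stdint.h>
#include <stdio.h>

/* Debug-register snapshot as a ring-0 check would read it (constructed
 * values; the field layout is the x86 one from the Intel manuals). */
typedef struct { uint32_t dr[4]; uint32_t dr7; } debug_regs_t;

/* DR7: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved
 * (reads as 1), GD bit 13, then per slot n: R/W in bits 16+4n..17+4n and
 * LEN in bits 18+4n..19+4n. */
int dr7_slot_enabled(uint32_t dr7, int n) { return ((dr7 >> (2 * n)) & 3) ? 1 : 0; }
int dr7_slot_rw(uint32_t dr7, int n)      { return (dr7 >> (16 + 4 * n)) & 3; }
int dr7_slot_len_bytes(uint32_t dr7, int n)
{
    static const int len[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    return len[(dr7 >> (18 + 4 * n)) & 3];
}

/* Number of DR0..DR3 slots armed: the BPMs the text says a program can
 * see (and clear) by reading the registers in ring 0. */
int dr7_armed_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_slot_enabled(dr7, n);
    return c;
}

/* The loader heuristic quoted in the text: 0x700 is LE|GE on top of the
 * always-set bit 10, 0x400 is bit 10 alone; neither arms a breakpoint. */
int dr7_has_loader_signature(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

void describe_debug_regs(const debug_regs_t *r)
{
    static const char *const rw_name[4] = { "exec", "write", "io", "read/write" };
    printf("dr7=0x%08x loader_signature=%d armed=%d\n", (unsigned)r->dr7,
           dr7_has_loader_signature(r->dr7), dr7_armed_count(r->dr7));
    for (int n = 0; n < 4; n++)
        if (dr7_slot_enabled(r->dr7, n))
            printf("  dr%d: BPM at 0x%08x type=%s len=%d\n", n, (unsigned)r->dr[n],
                   rw_name[dr7_slot_rw(r->dr7, n)], dr7_slot_len_bytes(r->dr7, n));
}

int main(void)
{
    /* Constructed samples: the two values the text cites, then a 4-byte
     * read/write BPM armed in dr0 at a made-up address. */
    debug_regs_t loaded = { {0, 0, 0, 0}, 0x700 };
    debug_regs_t plain  = { {0, 0, 0, 0}, 0x400 };
    debug_regs_t bpm    = { {0x00401000, 0, 0, 0}, 0x400 | 0x1 | (3u << 16) | (3u << 18) };
    describe_debug_regs(&loaded);
    describe_debug_regs(&plain);
    describe_debug_regs(&bpm);
    return 0;
}
```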
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver answers an open of \\.\SICE */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

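Methods 11 to 13 all leave a visible trace at the API level: a driver handle open, the VxDCall 002A002A/4Fh dispatch, or a registry probe. The following scanner is an added example, not code from the original text: it applies the breakpoint conditions quoted above as string checks over a constructed API-monitor trace (the lines and their argument format are made up) and reports which method each call exhibits.

```c
#include <stdio.h>
#include <string.h>

/* Constructed API-trace lines (not real logs), one call per line in the
 * "API(args)" form an API monitor would print. */
static const char *const sample_trace[] = {
    "CreateFileA(\"\\\\.\\SICE\", 0xC0000000, 3, 0, 3, 0x80, 0)",
    "CreateFileA(\"C:\\data\\config.ini\", 0x80000000, 1, 0, 3, 0x80, 0)",
    "_lopen(\"\\\\.\\SIWVID\", 0)",
    "RegOpenKeyA(0x80000002, \"Software\\NuMega\\SoftICE\")",
    "VxDCall(0x002A002A, 0x0000004F)",
    "CreateFileA(\"\\\\.\\NTICE\", 0xC0000000, 3, 0, 3, 0x80, 0)",
};
#define SAMPLE_TRACE_LEN ((int)(sizeof sample_trace / sizeof sample_trace[0]))

/* The four characters after the device prefix, compared the way the text's
 * breakpoint does: *(esp->4+4)=='SICE' || =='SIWV' || =='NTIC' */
static const char *const device_tags[] = { "SICE", "SIWV", "NTIC" };

/* Returns the method number from the text that the line exhibits (11: driver
 * handle open, 12: VxDCall Int41 dispatch, 13: registry probe) or 0. */
int classify_trace_line(const char *line)
{
    const char *p = strstr(line, "\\\\.\\");   /* the \\.\ device prefix */
    if (p && (strstr(line, "CreateFile") || strstr(line, "_lopen"))) {
        p += 4;
        for (int i = 0; i < 3; i++)
            if (strncmp(p, device_tags[i], 4) == 0)
                return 11;
    }
    if (strstr(line, "VxDCall") && strstr(line, "002A002A") && strstr(line, "4F)"))
        return 12;
    if (strstr(line, "RegOpenKey") &&
        (strstr(line, "NuMega\\SoftICE") || strstr(line, "Uninstall\\SoftICE") ||
         strstr(line, "App Paths\\Loader32.Exe")))
        return 13;
    return 0;
}

/* Scans a trace; stores each line's method number (0 = benign) in
 * out_method and returns how many lines were flagged. */
int scan_trace(const char *const *lines, int n, int *out_method)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        out_method[i] = classify_trace_line(lines[i]);
        if (out_method[i]) {
            hits++;
            printf("line %d: anti-SoftICE check, method %02d: %s\n", i, out_method[i], lines[i]);
        }
    }
    return hits;
}

int main(void)
{
    int methods[SAMPLE_TRACE_LEN];
    int hits = scan_trace(sample_trace, SAMPLE_TRACE_LEN, methods);
    printf("%d of %d calls flagged\n", hits, SAMPLE_TRACE_LEN);
    return 0;
}
```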
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>