<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                  ; ES is assumed to be 0 (IVT segment)
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h                     ; our handler copies al into cl...
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; ...unless SoftICE intercepted the call
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
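To make the register read in Method 10 concrete, here is an added example (Python, not part of the original text and not the author's code) that decodes a DR7 value into its enable bits and the four RW/LEN fields, and applies the 0x700-versus-0x400 observation quoted above as a named heuristic. Field positions are the documented x86 layout (bits 0-7 Ln/Gn pairs, bit 8 LE, bit 9 GE, bit 10 always set, bit 13 GD, bits 16-31 the RW/LEN pairs); reading DR7 itself is ring0 only, as the text says, so the value is passed in rather than read.

```python
# DR7 decoder for the check described in Method 10.
# Added example, not from the original text. Bit positions are the documented
# x86 DR7 layout; the 0x700 / 0x400 values quoted above are the intended inputs.
from dataclasses import dataclass, field

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 bytes only valid in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int          # which DRn address register this entry arms (0..3)
    kind: str          # RW field: execute / write / io / read-write
    length: int        # LEN field, in bytes
    local: bool        # Ln bit (cleared by the CPU on task switch)
    global_: bool      # Gn bit (survives task switches)


@dataclass
class Dr7:
    raw: int
    le: bool                       # bit 8, local exact breakpoint enable
    ge: bool                       # bit 9, global exact breakpoint enable
    gd: bool                       # bit 13, general detect: traps MOV to/from DRn
    breakpoints: list = field(default_factory=list)

    def armed(self) -> bool:
        """True when at least one of DR0..DR3 is enabled (a BPM is set)."""
        return bool(self.breakpoints)


def decode_dr7(value: int) -> Dr7:
    """Split a DR7 value into its enable bits and the four RW/LEN pairs."""
    value &= 0xFFFFFFFF
    d = Dr7(raw=value,
            le=bool(value >> 8 & 1),
            ge=bool(value >> 9 & 1),
            gd=bool(value >> 13 & 1))
    for n in range(4):
        local = bool(value >> (2 * n) & 1)
        glob = bool(value >> (2 * n + 1) & 1)
        if not (local or glob):
            continue               # disabled slot: its RW/LEN bits carry no meaning
        rw = value >> (16 + 4 * n) & 0b11
        ln = value >> (18 + 4 * n) & 0b11
        d.breakpoints.append(HwBreakpoint(n, RW_NAMES[rw], LEN_BYTES[ln], local, glob))
    return d


def looks_like_softice_loader(value: int) -> bool:
    """The heuristic stated in Method 10: DR7 reads 0x700 (LE and GE set on top
    of the always-on bit 10) when the target was started by the SoftICE loader,
    and a bare 0x400 otherwise."""
    d = decode_dr7(value)
    return d.le and d.ge


if __name__ == "__main__":
    for v in (0x400, 0x700, 0x000D0401):
        d = decode_dr7(v)
        print(f"DR7={v:#010x} LE={d.le} GE={d.ge} GD={d.gd} "
              f"loader={looks_like_softice_loader(v)} bps={d.breakpoints}")
```

The decoder reports disabled slots as absent rather than printing their RW/LEN bits, because the CPU ignores those bits while Ln and Gn are both clear; a stale LEN field there tells an analyst nothing.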
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                         ; OF_READ
    mov eax,[00656634]              ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                    ; detected
    push 00                         ; OF_READ
    mov eax,[00656638]              ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                     ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
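The checks in Methods 01 to 07, 11, 12 and 13 all leave fixed bytes behind in the protected binary: immediate operands such as 4243484Bh, 4647h/4A4Dh, 1684h with the two VxD IDs, the 0F386h compare, the 002A002Ah service dword, the \\.\SICE device names and the registry paths. As an added example (Python, not part of the original text and not the author's code), here is a small static-triage scanner that flags those idioms in a raw code or data buffer, the kind of check an analyst runs on a packed sample before stepping into it. The instruction bytes are the standard 16-bit x86 encodings of the instructions quoted above (e.g. `BE 47 46` for `mov si,4647h`, `CD 41` for `int 41h`, `BD 4B 48 43 42` for `mov ebp,4243484Bh`); the same bytes occur in 32-bit code behind a 66h prefix, which the small wildcard gaps tolerate. The sample buffer is constructed for the demonstration. Method 06 is deliberately absent from the rule table: its compare is `cmp cl,al` with no magic constant, which is exactly why the text calls it harder to detect.

```python
# Static triage scanner for the SoftICE-detection idioms listed in this text.
# Added example, not from the original text. Opcode bytes are standard x86
# encodings of the quoted instructions; SAMPLE is a constructed test buffer.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the match in the scanned buffer
    method: str      # method number in the list above
    what: str        # short description of the idiom


# One rule per idiom: (method, description, compiled bytes regex).
# '.{0,n}?' gaps allow for a 66h operand-size prefix or an interleaved
# instruction between the fixed bytes.
RULES = [
    # Method 01: mov ebp,4243484Bh  ->  BD 4B 48 43 42 ('BCHK', little-endian)
    ("01", "BoundsChecker 'BCHK' signature loaded into EBP",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order, a few bytes apart
    ("02", "SoftICE back-door magic values in SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04", "int 2Fh/1684h VxD entry-point query for SICE or SIWVID",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h (Stone's variant has
    # two xchg instructions between the int and the cmp, hence the gap)
    ("05", "int 41h/4Fh probe compared against the 0F386h magic number",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07", "int 68h/43h WinICE handler probe",
     re.compile(rb"\xB4\x43\xCD\x68.{0,2}?\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall
    ("12", "VxDCall service dword for VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 11: device names handed to CreateFileA or _lopen
    ("11", "SoftICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys that reveal an installation
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf: bytes) -> list[Hit]:
    """Return every rule match in buf, ordered by offset."""
    hits = [Hit(m.start(), method, what)
            for method, what, pat in RULES
            for m in pat.finditer(buf)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(buf: bytes) -> set[str]:
    """The set of method numbers whose idiom occurs in buf."""
    return {h.method for h in scan(buf)}


# Constructed sample: NOP filler around hand-assembled fragments of Method 02
# (the Haspinst.exe loop), Method 05 (the simplest form) and Method 11.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                        # mov ax,0911h
    + b"\x8B\x17"                            # mov dx,[bx]
    + b"\xBE\x47\x46"                        # mov si,4647h
    + b"\xBF\x4D\x4A"                        # mov di,4A4Dh
    + b"\xCC"                                # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE",0
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  method {hit.method:<5} {hit.what}")
```

Run it over a dumped section or an unpacked image, not over the packed file alone: packers that carry these checks usually keep them in the unpacking stub, but the strings of Methods 11 and 13 are frequently built at run time, so a clean scan is evidence of absence only for the opcode rules.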
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>