<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4           ; al is still 4 unless SoftICE answered the request
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h   ; VxD ID of winice
 int 2Fh
 mov ax, es      ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh   ; VxD ID of SIWVID
 int 2Fh
 mov ax, es      ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one (method 06) are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; es must already be 0 (the IVT segment)
 xchg bx, es:[41h*4+2]   ; install our own dummy int 41h handler
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h          ; still 0F386h despite the dummy handler:
 jz SoftICE_detected     ; a debugger intercepted the interrupt

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read an arbitrary value (timer) into al
 xor cx,cx
 int 41h                ; our handler copies al into cl...
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; ...unless a debugger intercepted the interrupt
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed:

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
          ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
          ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
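As an added example that is not part of the original text, here is a defender-side static triage script that looks for the byte patterns the methods above leave in a binary: the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method 02, the 1684h/VxD ID pair of methods 03 and 04, the 0F386h comparison of methods 05, 07 and 12, the MeltICE device names of method 11, the 002A002Ah VxDCall of method 12 and the registry key of this method. The x86 encodings are standard; the sample buffer is constructed, not bytes from any real program.

```python
"""Static triage for the anti-SoftICE tricks listed on this page (added example).

Scans a raw code/data buffer for the byte patterns the methods leave behind
and reports which method numbers match. Encodings are the 16-bit x86 forms,
with an optional 66h prefix where 32-bit code needs one. SAMPLE is constructed.
"""
import re

# (method numbers, description, regex over the raw bytes)
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') before int 3",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42")),
    ("02", "int 3 back door: mov si,4647h near mov di,4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,16}\xbf\x4d\x4a", re.S)),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)")),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x66?\x3d\x86\xf3")),
    ("11", "MeltICE device name (SICE/SIWVID/NTICE) for CreateFileA/_lopen",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x68\x2a\x00\x2a\x00")),
    ("13", "SoftICE registry key probe",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I)),
]


def scan(buf: bytes):
    """Return sorted (offset, methods, description) hits found in buf."""
    hits = []
    for methods, desc, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), methods, desc))
    return sorted(hits)


def methods_found(buf: bytes):
    """Distinct method numbers whose signature occurs in buf, sorted."""
    return sorted({methods for _, methods, _ in scan(buf)})


# Constructed sample: a Haspinst-style int 3 back door (method 02), a
# Bleem-style VxDCall int 41h/4Fh check (method 12) and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"          # mov ax,0911h
    + b"\x8b\x17"              # mov dx,[bx]
    + b"\xbe\x47\x46"          # mov si,4647h
    + b"\xbf\x4d\x4a"          # mov di,4A4Dh
    + b"\xcc"                  # int 3
    + b"\x6a\x4f"              # push 4Fh
    + b"\x68\x2a\x00\x2a\x00"  # push 002A002Ah
    + b"\xe8\x00\x00\x00\x00"  # call Kernel32!ORD_0001 (placeholder target)
    + b"\x66\x3d\x86\xf3"      # cmp ax,0F386h
    + b"\x74\x05"              # jz SoftICE_detected
    + b"\\\\.\\SICE\x00"       # "\\.\SICE"
)

if __name__ == "__main__":
    for off, methods, desc in scan(SAMPLE):
        print(f"0x{off:04x}  method {methods:<9} {desc}")
```

The patterns are deliberately narrow (exact immediates, one operand-size prefix), so a miss only says the check is not present in this encoding, not that the binary is clean.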

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
1 R' m* x$ k$ z0 p' c</PRE></TD></TR></TBODY></TABLE> |