<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh  ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4             ; if SoftICE handled the int 3, AL no longer holds 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax           ; ES:DI stays 0 when no such VxD is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE SGFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must address the IVT (segment 0), as in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old
    xchg bx, es:[41h*4+2]   ; vector in DX:BX
    mov ax,4fh
    int 41h                 ; a debugger hooking int 41h answers with 0F386h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; our handler does nothing, so AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL to prove it ran
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port: a hard-to-predict value in AL
    xor cx,cx
    int 41h                 ; if nothing else owns int 41h, our handler sets CL=AL
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL != AL -> someone intercepted int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                  ; DOS: set interrupt vector
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
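The two dr7 values quoted above are easier to reason about with the register's bit layout in hand. The decoder below is an added example, not code from the original text: the field layout is the architectural DR7 definition (L/G enable bits 0-7, LE/GE at bits 8-9, the always-set reserved bit 10, GD at bit 13, and R/W and LEN pairs from bit 16), and the classification strings only restate the heuristic the text gives.

```python
"""DR7 decoder: shows what 0x700 and 0x400 actually encode, and which of
DR0..DR3 are armed. Added example; layout per the x86 architecture manuals."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8 (64-bit), 11=4


def decode_dr7(dr7: int) -> dict:
    """Break DR7 into its global flags and the per-breakpoint condition fields."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)          # Li: bit 2i
        glob = bool(dr7 >> (2 * i + 1) & 1)       # Gi: bit 2i+1
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wi: bits 16+4i .. 17+4i
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENi: bits 18+4i .. 19+4i
        slots.append({
            "index": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "condition": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint (bit 8)
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint (bit 9)
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always reads as 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: traps MOV to/from DRx
        "breakpoints": slots,
    }


def active_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 that are armed (L or G bit set)."""
    return [s["index"] for s in decode_dr7(dr7)["breakpoints"] if s["enabled"]]


def debugger_hint(dr7: int) -> str:
    """Classify a DR7 value the way the text above does (Win9x/SoftICE-era heuristic)."""
    d = decode_dr7(dr7)
    if active_breakpoints(dr7):
        return "hardware breakpoints armed"
    if d["LE"] or d["GE"]:
        return "exact-breakpoint flags set (text: 0x700 when loaded through the SoftICE loader)"
    return "no breakpoint state (text: 0x400 baseline)"


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus one with DR0 set
    # as a 4-byte global write watchpoint (G0 | RW0=write | LEN0=4 bytes).
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), debugger_hint(value), active_breakpoints(value))
```

0xD0402 is a constructed value: 0x400 (reserved bit) | 0x2 (G0) | 0x10000 (R/W0 = write) | 0xC0000 (LEN0 = 4 bytes); the decoder reports slot 0 as an armed 4-byte write watchpoint, which is what a BPM-style memory breakpoint looks like in DR7.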

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device could be opened, i.e. the SoftICE VxD
   answered the open request (see the explanation that follows). */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and the debugger will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

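The constants that Methods 01, 02, 03/04, 05/07/12, 11 and 13 depend on (the 'BCHK' value, the 4647h/4A4Dh magic values, the 0F386h magic number, the VxD IDs 0202h/7A5Fh, the \\.\SICE-style device names, the 002A002Ah service id and the registry paths) are also static indicators an analyst can look for in a sample without running it. The scanner below is an added example, not part of the original text: the byte patterns are the standard x86 encodings of the instructions listed in the methods above, the strings are the ones quoted there, and the input buffer is constructed for the demonstration.

```python
"""Static scanner for the SoftICE-detection artefacts listed in this document.
Added example: instruction encodings are the standard x86 ones; the SAMPLE
buffer is constructed and is not taken from any real binary."""
import re

# (description, method number in this document, byte pattern)
SIGNATURES = [
    # Method 01: mov ebp, 04243484Bh ('BCHK')           -> BD 4B 48 43 42
    ("BoundsChecker 'BCHK' handshake (mov ebp,4243484Bh)", 1,
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh (16-bit)  -> BE 47 46 ... BF 4D 4A
    ("SoftICE backdoor magic values (mov si,4647h / mov di,4A4Dh)", 2,
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov bx,0202h | mov bx,7A5Fh ... int 2Fh
    ("int 2Fh/1684h VxD entry-point lookup for SICE/SIWVID", 3,
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h                    -> B8 4F 00 CD 41
    ("int 41h function 4Fh debugger check", 5,
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Methods 05/07/12: cmp ax,0F386h (3D imm16, with or without a 66h prefix)
    ("debugger magic number check (cmp ax,0F386h)", 5,
     re.compile(rb"\x3D\x86\xF3")),
    # Method 07: mov ah,43h / int 68h                    -> B4 43 CD 68
    ("int 68h function 43h WinICE handler check", 7,
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened with CreateFileA / _lopen
    ("MeltICE device name", 11,
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) -> 68 2A 00 2A 00
    ("VxDCall VWIN32_Int41Dispatch service id (push 002A002Ah)", 12,
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 13: registry paths quoted in the text
    ("SoftICE registry key", 13,
     re.compile(rb"Software\\(?:NuMega\\SoftICE"
                rb"|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)")),
]


def scan(data: bytes) -> list:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, method, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), method, desc))
    hits.sort()
    return hits


def methods_found(data: bytes) -> list:
    """Sorted, de-duplicated list of method numbers whose artefacts appear in data."""
    return sorted({method for _, method, _ in scan(data)})


# Constructed sample: fragments of the listings above glued together with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp, 4243484Bh        (method 01)
    + b"\x66\xB8\x04\x00\xCC"                 # mov ax,4 / int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09"                         # mov ax,0911h              (method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"         # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\x68\x4F\x00\x00\x00"                 # push 4Fh                  (method 12)
    + b"\x68\x2A\x00\x2A\x00"                 # push 002A002Ah
    + b"\x66\x3D\x86\xF3"                     # cmp ax,0F386h
    + b"\x00"
    + b"\\\\.\\SICE\x00"                      # \\.\SICE device name      (method 11)
    + b"Software\\NuMega\\SoftICE\x00"        # registry key              (method 13)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04x}  method {method:02d}  {desc}")
```

The patterns are deliberately tied to the constants rather than to whole code sequences, so a sample that shuffles registers or adds filler instructions still trips them; the trade-off is that a 3-byte pattern such as `3D 86 F3` will occasionally hit by chance in large binaries, which is why each hit is reported with its offset for manual confirmation rather than treated as proof.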
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>