<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________
* H2 h1 g9 m; j$ m7 D1 D
. Z. h3 P+ C, L W, tMethod 05# ~* q; [5 t6 r) f
========= H# E8 q' u9 q* K5 t/ @; p
4 @, a8 w J1 r+ @$ `Method seeking the 'magic number' 0F386h returned (in ax) by all system
# l* \. p/ ^8 @debugger. It calls the int 41h, function 4Fh.& M4 ^" | A$ \! l# h+ ]! k* x
There are several alternatives.
& ?$ M% h* Y/ X' F: ^1 J7 O" w, P
The following one is the simplest:
: d0 S( z% M2 F
( V! r( i0 V. h" e. j5 r {3 l$ \$ z mov ax,4fh
S+ h6 S8 ^* z' p& K. V, W int 41h6 t% x4 K0 P' {
cmp ax, 0F386
% R* D& z+ S4 x8 t8 I' U jz SoftICE_detected
- v9 U2 k; G; M, Y2 F* _+ E0 o! O' u; g# N' Q( N
) ^! {/ j( t0 f6 Q! e+ O
Next method as well as the following one are 2 examples from Stone's
6 R# v. n3 w- U% ]% ]& P% I: ]"stn-wid.zip" (www.cracking.net):7 {8 [& i- ^ s0 b# x
1 s0 q- v) t4 U mov bx, cs: A/ f/ o3 `$ Q+ ^
lea dx, int41handler2% N# s- o( S& `0 [. P+ D
xchg dx, es:[41h*4]
/ \% U: c0 e% D2 q4 p xchg bx, es:[41h*4+2]7 u) m9 K% u9 Q. }/ Y8 N7 @3 f# c
mov ax,4fh _4 K/ e/ \$ _. B$ t) p1 c
int 41h
: H, \1 }) c) z7 d6 ]9 ` xchg dx, es:[41h*4]
1 J+ I& D+ Q" i% y8 ?! \ xchg bx, es:[41h*4+2]! g* C# s) U0 {4 f$ Y3 }
cmp ax, 0f386h
. q) ~" E6 u3 Q% H jz SoftICE_detected6 L% z0 C' i4 w6 u9 [
% Y' s* l7 [7 Y! Zint41handler2 PROC
5 d* t2 Q" e8 I5 p7 B7 u" J iret
. ^0 \% n& K. ]7 W* _6 n1 K, U% Gint41handler2 ENDP! c3 w! R2 I+ f) I3 {0 z
6 W: V# D+ r! C1 w
1 `8 v* h! ?; N3 t7 l3 y_________________________________________________________________________, ?' d1 M ~8 C( m+ \


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl==al only if our own handler ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
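Added illustration, not part of the original text: the DR7 values quoted above decoded bit by bit, in Python, the way a reader would want to before trusting the 0x400/0x700 rule of thumb. The names decode_dr7, active_breakpoints and matches_softice_loader are my own; the register values fed to them are constructed, since user-mode code cannot read DR0..DR7, and the bit layout is the documented x86 one.

```python
from __future__ import annotations

# Added example (not from the original text): decode the x86 DR7 debug
# control register so the values quoted above make sense. Bit layout is the
# documented one (Intel SDM vol. 3, "Debug Registers"); the register values
# used below are constructed, since user mode cannot read DR0-DR7.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the control flags and the settings of every armed breakpoint slot."""
    info = {
        "LE": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "bit10": bool(dr7 & (1 << 10)),      # reserved, always reads as 1
        "GD": bool(dr7 & (1 << 13)),         # general detect: trap on MOV DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))    # Gn
        if not (local or glob):
            continue                              # DRn is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: which access triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: size of the watched range
        info["breakpoints"].append({
            "index": n, "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return info


def active_breakpoints(dr7: int, dr0: int, dr1: int, dr2: int, dr3: int) -> list:
    """Pair each armed slot with its address: the 'memory breakpoints set'
    (BPMs) that the text says can be seen by reading dr0..dr3."""
    addrs = (dr0, dr1, dr2, dr3)
    return [(addrs[bp["index"]], bp["kind"], bp["length"])
            for bp in decode_dr7(dr7)["breakpoints"]]


def matches_softice_loader(dr7: int) -> bool:
    """The heuristic quoted above: 0x700 (LE|GE on top of the reserved bit)
    when the target was started through the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x700) == 0x700


if __name__ == "__main__":
    # constructed: reserved bit, plus DR1 armed locally as a 4-byte read/write BPM
    sample_dr7 = 0x400 | (1 << 2) | (3 << 20) | (3 << 22)
    print(decode_dr7(0x400))
    print(decode_dr7(0x700))
    print(active_breakpoints(sample_dr7, 0, 0x00401000, 0, 0))
```

0x400 is only the reserved bit 10, which always reads as 1, and 0x700 adds LE and GE (bits 8 and 9); neither arms a slot, so the "loader" signal and the BPM check are two separate readings of the same register.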

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SoftICE VxD through its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the VxD is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
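Added example, not from the original text: a static scanner, in Python, for the byte patterns that the methods above (01, 02, 03/04, 05, 07, 11, 12 and 13) leave in an executable, the kind of check an analyst runs over a packed file before loading it under a debugger. The immediates and strings come from the listings on this page; the rule table, the 48-byte window, the SAMPLE buffer and the function name scan are my own construction.

```python
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Added example, not from the original text: find the byte patterns the
# SoftICE checks above leave in a binary. Opcode bytes are 16-bit encodings;
# in 32-bit code the same immediates follow a 66h prefix, so they still match.
WINDOW = 48          # assumed: every pattern of a rule must fall within this many
                     # bytes after the rule's first pattern (the anchor)

INT3 = rb"(?:\xCC|\xCD\x03)"                          # int 3: short and long encodings
BCHK = re.escape((0x4243484B).to_bytes(4, "little"))  # imm32 of mov ebp,'BCHK'

# rule id -> (description, regex patterns over bytes; the first one is the anchor)
RULES: Dict[str, Tuple[str, List[bytes]]] = {
    "M01": ("BoundsChecker 'BCHK' in ebp + int 3", [BCHK, INT3]),
    "M02": ("back door: mov si,4647h / mov di,4A4Dh / int 3",
            [rb"\xBE\x47\x46", rb"\xBF\x4D\x4A", INT3]),
    "M03": ("int 2Fh/1684h with VxD ID 0202h (SICE)",
            [rb"\xB8\x84\x16", rb"\xBB\x02\x02", rb"\xCD\x2F"]),
    "M04": ("int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
            [rb"\xB8\x84\x16", rb"\xBB\x5F\x7A", rb"\xCD\x2F"]),
    "M05": ("int 41h/4Fh + cmp ax,0F386h",
            [rb"\xB8\x4F\x00", rb"\xCD\x41", rb"\x3D\x86\xF3"]),
    "M07": ("int 68h/43h + cmp ax,0F386h",
            [rb"\xB4\x43", rb"\xCD\x68", rb"\x3D\x86\xF3"]),
    "M11": ("MeltICE: SoftICE device name for CreateFileA/_lopen",
            [rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"]),
    "M12": ("VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
            [rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)", rb"\x68\x2A\x00\x2A\x00"]),
    "M13": ("SoftICE registry key (key #2 above)",
            [re.escape(b"Software\\NuMega\\SoftICE")]),
}


def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {rule id: [offsets]} for every anchor occurrence after which all
    the rule's remaining patterns occur within WINDOW bytes."""
    hits: Dict[str, List[int]] = {}
    for rule_id, (_, patterns) in RULES.items():
        for m in re.finditer(patterns[0], data):
            region = data[m.start():m.start() + WINDOW]
            if all(re.search(p, region) for p in patterns[1:]):
                hits.setdefault(rule_id, []).append(m.start())
    return hits


# Constructed sample: the listings of methods 01, 02, 05 and 11 assembled
# as 16-bit code, separated by NOP padding. Not taken from any real file.
SAMPLE = (
    b"\x90" * 8
    # M01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x66\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC" + b"\x3C\x04" + b"\x75\x10"
    # M02: mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09" + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    # M05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00" + b"\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x10"
    # M11: NUL-terminated device name as passed to CreateFileA
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
)


if __name__ == "__main__":
    for rule_id, offsets in scan(SAMPLE).items():
        print(rule_id, RULES[rule_id][0], [hex(o) for o in offsets])
```

The anchor-plus-window approach keeps a single common byte such as CCh from firing on its own; run scan() over the raw file bytes, and expect the 32-bit variants of the same checks to match too, since only the 66h prefix differs.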
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>