About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>