About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI comes back as 0000:0000 when no VxD
with that ID is loaded.

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so that without a system debugger the call returns with ax unchanged:

    xor     ax, ax
    mov     es, ax              ; ES = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]    ; keeping the old vector in BX:DX
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random byte from the timer
    xor     cx, cx
    int     41h                 ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al              ; ...unless SoftICE handled the interrupt itself
    jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
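The post shows each trick from the attacker's side and gives SoftICE breakpoints to catch it at run time. The complementary check a reverser wants before loading a protected binary is a static one: scan the file for the byte patterns those tricks leave behind (the back door magic values, the INT 41h/4Fh and INT 2Fh/1684h probes, the VWIN32 Int41Dispatch call, the MeltICE device names, the registry keys). The following scanner is an added example written for this page, not code from the original post or from any tool it mentions; the signature names, the sample buffer and the instruction encodings it matches are my own (assumed 16-bit real-mode encodings for the INT-based tricks, which a 66h operand-size prefix in 32-bit code leaves intact as a substring). It generalizes the post's cases into one triage pass over a whole file.

```python
"""Static scanner for the anti-SoftICE idioms described in the post above.

Added example (not part of the original post).  Each signature is a byte
regex for one of the tricks; scan() reports every hit with its file offset.
"""
import re
from typing import List, Tuple

# (name, compiled byte regex).  Weak single-instruction patterns (e.g. the
# cmp ax,0F386h) are kept because they corroborate the stronger ones nearby.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK'), BoundsChecker interface probe
    ("BoundsChecker 'BCHK' signature (Method 01)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h and mov di,4A4Dh in either order, close together
    ("SoftICE back door magic SI=4647h/DI=4A4Dh (Method 02)",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46",
                re.DOTALL)),
    # Method 02: mov ax, 0910h..0914h (back door command numbers)
    ("SoftICE back door command AX=091xh (Method 02)",
     re.compile(rb"\xB8[\x10-\x14]\x09")),
    # Methods 03/04: mov ax,1684h + mov bx,0202h|7A5Fh (either order), then int 2Fh
    ("INT 2Fh/1684h VxD entry-point probe for SICE/SIWVID (Methods 03/04)",
     re.compile(rb"(?:\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A)|"
                rb"\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xB8\x84\x16).{0,4}\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("INT 41h function 4Fh debugger-installed check (Method 05)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("INT 68h function 43h check (Method 07)",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Methods 05/07/12: cmp ax, 0F386h (system-debugger magic number)
    ("cmp ax,0F386h magic compare (Methods 05/07/12)",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("VxDCall VWIN32_Int41Dispatch 002A002Ah (Method 12)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: MeltICE device names handed to CreateFileA/_lopen
    ("MeltICE device name (Method 11)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys used to locate the SoftICE install directory
    ("SoftICE registry key (Method 13)",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample, not a real binary: the Haspinst back door loop
# (Method 02), the Method 03 INT 2Fh probe, the Method 05 INT 41h check and
# a MeltICE device string, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax, 0911h
    + b"\x8B\x17"              # mov dx, [bx]
    + b"\xBE\x47\x46"          # mov si, 4647h
    + b"\xBF\x4D\x4A"          # mov di, 4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7"      # xor di,di ; mov es,di
    + b"\xB8\x84\x16"          # mov ax, 1684h
    + b"\xBB\x02\x02"          # mov bx, 0202h
    + b"\xCD\x2F"              # int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax, 4Fh ; int 41h
    + b"\x3D\x86\xF3"          # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)

if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name in hits:
        print(f"{off:08x}  {name}")
```

Run it with a file argument to triage a real DOS or Win9x executable; with no argument it scans the constructed sample and reports the six hits. Patterns like the lone cmp ax,0F386h will also fire on unrelated data, so treat a single hit as a lead and clusters of hits (a 091xh command next to the 4647h/4A4Dh magic, an int 41h next to the compare) as the real signal.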