<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL is no longer 4 if SoftICE handled the INT 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP     ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI is still 0 if the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must point at the IVT (segment 0), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value read from the timer port
    xor cx, cx
    int 41h                 ; our handler copies AL into CL
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL == AL only if our own handler was the one that ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the driver by its device name; an invalid handle means it is not loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
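Most of the methods above rest on fixed values that end up in the program's code or data: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic of Method 02, the VxD IDs of Methods 03 and 04, the 0F386h reply checked by Methods 05, 06 and 12, the int 68h call of Method 07, the \\.\SICE device names of Method 11 and the registry key of Method 13. An analyst can therefore locate these tricks statically, before loading the program under SoftICE at all. The Python scanner below is an added example, not code from the original text or from any program it names; it assumes the 16-bit x86 encodings given in its comments (32-bit code only adds a leading 66h prefix, which the patterns do not need to include), and the sample buffer is constructed here from hand-assembled fragments purely to exercise it.

```python
"""Static scanner for the fixed constants and strings behind the SoftICE
detection methods above.  Added example, not code from the original text."""
import re
from typing import List, Tuple

# (name, regex over raw bytes, what it corresponds to in the text above).
# Opcode bytes are the 16-bit encodings; in 32-bit code the same instructions
# only gain a leading 66h prefix, which sits before the matched bytes, so the
# patterns cover both.  The short lazy gap ".{0,8}?" allows an instruction or
# two between the paired moves.
SIGNATURES = [
    ("m01_bchk",           rb"\xBD\x4B\x48\x43\x42",
     "mov ebp, 4243484Bh ('BCHK') - Method 01"),
    ("m02_backdoor_magic", rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
     "mov si, 4647h / mov di, 4A4Dh - Method 02"),
    ("m03_sice_vxd_id",    rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02",
     "mov ax, 1684h / mov bx, 0202h - Method 03"),
    ("m04_siwvid_vxd_id",  rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A",
     "mov ax, 1684h / mov bx, 7A5Fh - Method 04"),
    ("m05_int41_magic",    rb"\x3D\x86\xF3",
     "cmp ax, 0F386h - Methods 05, 06 and 12"),
    ("m07_int68_magic",    rb"\xB4\x43\xCD\x68",
     "mov ah, 43h / int 68h - Method 07"),
    ("m12_vxdcall_int41",  rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     "push 4Fh / push 002A002Ah - Method 12"),
    ("m11_device_name",    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
     "\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE device name - Method 11"),
    ("m13_registry_key",   rb"Software\\NuMega\\SoftICE",
     "HKLM\\Software\\NuMega\\SoftICE registry key - Method 13"),
]


def find_anti_softice(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every match, sorted by offset."""
    hits = []
    for name, pattern, _desc in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def describe(name: str) -> str:
    """Map a signature name back to the instruction or string it stands for."""
    for sig_name, _pattern, desc in SIGNATURES:
        if sig_name == name:
            return desc
    raise KeyError(name)


# Constructed sample: hand-assembled 16-bit fragments of Methods 01, 02 and 05
# plus the strings of Methods 11 and 13, separated by filler.  The offset of
# each piece is noted so the results can be checked by eye.
SAMPLE = (
    b"\x90" * 4                                 # 0   nop filler
    + b"\xBD\x4B\x48\x43\x42"                   # 4   mov ebp, 4243484Bh
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"       # 9   mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xB8\x11\x09\x8B\x17"                   # 17  mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"           # 22  mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x4F\x00\xCD\x41"                   # 29  mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x05"                   # 34  cmp ax,0F386h / jz
    + b"\x00\\\\.\\SICE\x00"                    # 40  "\\.\SICE" (after one NUL)
    + b"\\\\.\\NTICE\x00"                       # 49  "\\.\NTICE"
    + b"Software\\NuMega\\SoftICE\x00"          # 59  registry key
)

if __name__ == "__main__":
    for offset, name in find_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name:20s}  {describe(name)}")
```

A hit is a lead, not proof: the pattern bytes are plain immediates and strings, so 'KHCB' or a device name can occur in ordinary data, and a protector can assemble the same constants at run time (xor, add) so that none of them appear in the file. Methods 09, 10 and 14 are not covered, since reading debug registers or calling a VMM service from ring 0 leaves no fixed byte signature of this kind.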