<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
    4C19:00A8 JB 0095 ; 6 different commands.
    4C19:00AA JMP 0002 ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax ; es -> interrupt vector table (segment 0)
    mov es,ax
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4] ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4] ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
             ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
             ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32),
                   ; low word specifies which service
                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

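An added example, not part of the original text: a Python scanner an analyst can run over a packed sample to flag the byte-level traces of Methods 01 to 13 before executing it (the immediates and interrupt opcodes are hand-assembled from the listings above; the signature table, window size and sample blob are this example's own assumptions).

```python
"""Constructed example: static triage for the anti-SoftICE tricks described above.
Each rule is the byte-level trace a method leaves in a DOS/Win9x binary (hand-assembled
x86 immediates and interrupts, device names, registry paths); all constructed here."""
from dataclasses import dataclass

WINDOW = 32  # bytes after an anchor in which the confirming pattern must appear


@dataclass(frozen=True)
class Rule:
    method: str
    note: str
    anchors: tuple      # any one of these starts a candidate hit
    nearby: tuple = ()  # if non-empty, one of these must follow within WINDOW
    text: bool = False  # ASCII rule, matched case-insensitively


RULES = (
    Rule("Method 01", "int 3 with ebp='BCHK' (BoundsChecker signature)",
         (b"\xBD\x4B\x48\x43\x42",), (b"\xCC",)),        # mov ebp,4243484Bh .. int 3
    Rule("Method 02", "int 3 back door with SI=4647h / DI=4A4Dh",
         (b"\xBE\x47\x46",), (b"\xBF\x4D\x4A",)),          # mov si,4647h .. mov di,4A4Dh
    Rule("Method 03/04", "int 2Fh/1684h on VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
         (b"\xBB\x02\x02", b"\xBB\x5F\x7A"), (b"\xCD\x2F",)),  # mov bx,ID .. int 2Fh
    Rule("Method 05/06/07", "int 41h or int 68h result compared with 0F386h",
         (b"\xCD\x41", b"\xCD\x68"), (b"\x3D\x86\xF3",)),  # int NNh .. cmp ax,0F386h
    Rule("Method 11", "CreateFile/_lopen on a SoftICE device name",
         (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"), text=True),
    Rule("Method 12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) back door",
         (b"\x68\x2A\x00\x2A\x00",), (b"\x3D\x86\xF3",)),  # push 002A002Ah .. cmp ax
    Rule("Method 13", "registry probe for the SoftICE installation key",
         (b"Software\\NuMega\\SoftICE",), text=True),
)


def scan(blob: bytes) -> list:
    """Return (method, offset, note) for every fingerprint found, ordered by offset."""
    hits = []
    for rule in RULES:
        hay = blob.lower() if rule.text else blob  # bytes.lower() only touches ASCII
        for anchor in rule.anchors:
            needle = anchor.lower() if rule.text else anchor
            pos = hay.find(needle)
            while pos != -1:
                window = blob[pos + len(needle): pos + len(needle) + WINDOW]
                if not rule.nearby or any(n in window for n in rule.nearby):
                    hits.append((rule.method, pos, rule.note))
                pos = hay.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: fake header, the hand-assembled Haspinst.exe loop, then Method 01/05/11.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h; mov dx,[bx]; mov si; mov di; int 3
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB\xE9\x55\xFF"  # add bx,2; inc cx; cmp cx,6; jb; jmp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                   # device name passed to CreateFile
)
```

A hit means the encoding is present at that file offset, not that the code path is reachable; `scan(SAMPLE)` reports Methods 02, 01, 05/06/07 and 11 in offset order.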
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>