About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE driver object "\\.\SICE" can be opened. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
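From the analyst's side, the same constants that make these tricks work (the 'BCHK' value, the 4647h/4A4Dh magic words, the int 41h/4Fh and int 2Fh/1684h calls, the "\\.\SICE" device names, the VWIN32 dispatch code and the NuMega registry paths) are also what gives them away in a static scan of an unknown sample. The following scanner is an added example written for this page; it is not code from the original post nor from any tool the post mentions, and it generalises the individual tricks above into one signature table covering methods 01 to 13. The byte encodings in the comments are standard x86; the names SIGNATURES, scan, scan_file and SAMPLE, and the sample buffer itself, are my own constructions.

```python
import re
import sys

# Byte-level signatures for the tricks described in methods 01-13 above.
# Each value is a regular expression over raw bytes; ".{0,8}" tolerates a
# few unrelated instructions between the characteristic ones. Encodings are
# plain x86 with little-endian immediates:
#   BD imm32           mov ebp, imm32            (32-bit code)
#   66 B8 imm16        mov ax, imm16             (32-bit code)
#   B8/BB/BE/BF imm16  mov ax/bx/si/di, imm16    (16-bit code)
#   B4 imm8            mov ah, imm8
#   CC                 int 3
#   CD imm8            int imm8
#   68 imm32           push imm32
SIGNATURES = {
    "01 BoundsChecker 'BCHK' check via int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\x66\xB8\x04\x00.{0,8}\xCC", re.DOTALL),
    "02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)":
        re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC", re.DOTALL),
    "03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F", re.DOTALL),
    "05/06 int 41h function 4Fh":
        re.compile(rb"\xB8\x4F\x00.{0,8}\xCD\x41", re.DOTALL),
    "07 int 68h function 43h":
        re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL),
    "11 MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)":
        re.compile(rb"\x68\x4F\x00\x00\x00.{0,8}\x68\x2A\x00\x2A\x00", re.DOTALL),
    "13 SoftICE registry key name":
        re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
}


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a file on disk (e.g. an unpacked executable) for the same signatures."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffer (not taken from any real program): NOP padding
# with four of the tricks embedded, so the scanner can be exercised offline.
SAMPLE = (
    b"\x90" * 4
    # method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    + b"\x90" * 4
    # method 02 (16-bit): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 4
    # method 11: the device name MeltICE passes to CreateFileA
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
    # method 12: push 4Fh ; push 2A002Ah ; call Kernel32!ORD_0001
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
)


if __name__ == "__main__":
    # With a path argument the file is scanned; without one the built-in sample is.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for offset, name in (scan_file(target) if target else scan(SAMPLE)):
        print(f"0x{offset:08x}  {name}")
```

The patterns are deliberately loose about what sits between the key instructions, because packers reorder and pad these sequences; on a real binary expect to confirm each hit in a disassembler, since a byte such as CD 41 can also occur inside unrelated data. Methods 09, 10 and 14 are left out on purpose: they are ring0 VMM calls and debug-register reads with no fixed opcode pattern on this page.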
2 z5 ~; x9 B) |, G</PRE></TD></TR></TBODY></TABLE>