About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

) g7 e' x4 O, @( UMethod 04- y1 M0 A/ S4 [3 X! S- `& X
=========
. D' X3 E" U4 h( t1 i$ X$ z8 C" G) Y4 w7 |2 w, P9 V
Method identical to the preceding one except that it seeks the ID of SoftICE9 B( l/ J0 Z+ ^9 ^% [* G' f
GFX VxD.: N# C5 s9 l, f4 K6 f

- p) X4 j$ \' r0 n6 V    xor     di,di+ f2 j( v! R$ t2 Z$ d9 i3 }' ]
    mov     es,di
% P4 E; V; j; p/ k    mov     ax, 1684h      
, Z! }: E0 @& X1 L/ t    mov     bx, 7a5Fh       ; VxD ID of SIWVID
8 B3 h% a. T% T3 `, }; T5 B    int     2fh, J) o# S5 T. a6 G# L
    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ G- r* l  I, T! r( S
    add     ax, di
$ M2 e% U6 i& l5 F6 }4 H5 Z0 Z. u    test    ax,ax
3 G+ s2 c' P6 M4 W* |  J0 \% ?7 X    jnz     SoftICE_Detected
: A6 X( y8 K( M; ~4 u
3 v- n9 }+ l& i9 ^8 m. b__________________________________________________________________________' @. w' m! n" T" w8 i: e, X; D) t
/ M! `) S( o5 K$ A

7 c# ]! h2 t4 y; m% Z  p0 EMethod 054 Z9 ~' G3 J9 t4 k; O; `2 [
=========
3 u7 \4 z  U4 z0 p4 W& X6 k' v( N- _+ M
Method seeking the 'magic number' 0F386h returned (in ax) by all system- J* h! I( n' e+ @  E2 ~
debugger. It calls the int 41h, function 4Fh.
( P# h! e0 C+ ^; u- G0 h6 yThere are several alternatives.  
  H* L% ]& V5 r) G. N; P& {
- g* }4 B" B) Z4 I9 |0 vThe following one is the simplest:
7 M! r( o7 a1 g4 q( D  ]0 \1 C, a# k8 O& U& q
    mov     ax,4fh
1 s* @0 Y' g: Q+ B8 F    int     41h
; Z. e4 v' F3 k    cmp     ax, 0F386  Q; c  s. Y5 q$ R4 E% U
    jz      SoftICE_detected
5 w$ c8 S$ W% H* a3 F+ d
+ _. h4 r2 E. T% n
1 A; Q! h( B% x& N9 gNext method as well as the following one are 2 examples from Stone's
, B; H5 I$ H. C) }# F& J"stn-wid.zip" (www.cracking.net):
; ^& n' k8 K4 d* p  b  f( T& E
- x% ]# b7 H2 d* ?+ T    mov     bx, cs
- C- a+ A( X* I: B. ^* P' k" ^; d    lea     dx, int41handler2" s* n- ~, k/ i' K2 |7 d4 Z! X; u9 S" k
    xchg    dx, es:[41h*4]* G7 G" ~0 O- I4 \: R, O
    xchg    bx, es:[41h*4+2]8 |0 f: X5 f2 m! Y  F
    mov     ax,4fh2 q- k+ d' ^9 [4 i+ x
    int     41h* B: ?/ |+ P+ y' u% |1 F' F3 K
    xchg    dx, es:[41h*4]
0 i. X1 y2 R  y1 _0 b    xchg    bx, es:[41h*4+2]
% a! o3 m8 @. \, W  b    cmp     ax, 0f386h6 K. N: _0 N3 z3 A8 Y
    jz      SoftICE_detected
0 L- T9 m6 j# ]8 Z
5 y# D% x: C3 H) @, E6 ^. yint41handler2 PROC
, ]4 o  ^1 ~: K4 e  j% X! l    iret
; D  \: E7 o5 ?: c. Sint41handler2 ENDP! n0 u5 K3 L& B+ I& r

2 H6 y: P% ?# _1 b6 W; a% v! M
0 h! N3 i/ Y; I. F_________________________________________________________________________2 P. B% [2 b# z2 _

! y, R7 O/ m' x. W) a- A, K; R% ^! p8 L4 Y, r& f
Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

3 S1 X$ q% r0 E8 H! m3 _& r+ ]Method 07
  Y" g0 n" B/ R& Z  R( h7 s- h=========
  B" r8 W4 l* \; Z6 m7 N: g" v7 p! J- \& u
Method of detection of the WinICE handler in the int68h (V86)
. |! s( C1 ~' H* N0 _) |% i" @4 p& @/ H9 h& I
    mov     ah,43h
5 J4 k" F5 s) q  W8 a    int     68h
( l7 y" X5 Q+ t. E! L    cmp     ax,0F386h
* T3 K: x/ ?, Y0 e  B, M    jz      SoftICE_Detected
7 w; q- F6 H: V1 t( ]" A* S2 c/ e9 G( D1 ]" C  s* m! s
; G( ]* q- o9 s; ~- R* e5 H
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
+ H) U/ e7 ]4 p. I7 y8 \   app like this:( m: r$ A6 x2 e. g& m

: V3 U* X% I7 y; Q   BPX exec_int if ax==68( {+ F# v% L8 R! F# N0 b8 ?, S2 ]
   (function called is located at byte ptr [ebp+1Dh] and client eip is
) {+ m6 R" j: y  z% O: u; `" `, m   located at [ebp+48h] for 32Bit apps)
! V# ~' q# F5 |7 p9 E' _5 N__________________________________________________________________________
4 g0 U( W( m  [6 t8 ~( x& Z4 G7 g0 p3 B* p$ A

7 c$ R$ f# G. bMethod 08. t( k7 F0 }* n6 P$ O+ V0 o. d
=========
! Z0 @9 M" \+ u! Q. p8 L/ W  @& }
It is not a method of detection of SoftICE but a possibility to crash the
4 u: J8 ~0 F+ T/ bsystem by intercepting int 01h and int 03h and redirecting them to another, t& b: L2 n$ {( O$ S
routine.
  H% M; _3 O: R* k# l, PIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points+ W0 u) a' r- r: R" \9 L) P
to the new routine to execute (hangs computer...)
3 ?/ Y" |" a/ N+ J3 k% M9 c7 U5 ?4 [; y( _6 o
    mov     ah, 25h
9 r+ j1 k7 }5 |: D( Y; @    mov     al, Int_Number (01h or 03h)9 K2 e6 t1 h. P: ]+ `9 s. |3 z/ J
    mov     dx, offset New_Int_Routine6 J# O. P: i' D+ E
    int     21h0 a1 `# O- p4 T: i5 ^: \+ w( m

1 M# _- K- K" r7 M__________________________________________________________________________$ y1 T3 n0 O& h& l0 W3 P) J% a

; p; J1 I+ A+ \/ {! }' OMethod 09
# x; e0 l1 w9 O0 D+ [=========
  {- E5 U( P/ n2 K0 U6 K, D
( ]  U3 n: L! CThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only5 {! _, q; M) k$ I! Z
performed in ring0 (VxD or a ring3 app using the VxdCall).2 a; e; I. w. S* D! O9 o. i# J
The Get_DDB service is used to determine whether or not a VxD is installed
+ d# u, j- l4 D1 g2 [, p4 wfor the specified device and returns a Device Description Block (in ecx) for
; B, F  ]8 q' G- G1 \) @: ?. Sthat device if it is installed.
8 i! Q- r* {) V% N  @- t9 L  R! P: k0 a; d5 v' g5 R7 i# q& a8 e
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID; ?/ l* o5 s5 l* z
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)6 v# L+ c( s! g- R! s7 k% d
   VMMCall Get_DDB( C1 x0 E: o9 j$ i
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
( Z( R0 z5 I4 m; R
9 B5 w! v9 D; |/ m6 HNote as well that you can easily detect this method with SoftICE:
0 \$ ?+ |) Q4 S, }2 d   bpx Get_DDB if ax==0202 || ax==7a5fh
& ~+ X# b% ^, J2 Z) a5 S$ h. i' l
& f% P5 }8 ^* n+ z__________________________________________________________________________3 ~: V# `& s8 @( E  B
2 R3 [1 ]: W' b$ Y
Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

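To make the two DR7 values above concrete, here is an added example (not code from the original post) that decodes DR7 into its named bit fields and lists which of DR0-DR3 currently carry an enabled hardware breakpoint. The bit layout is the documented x86 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and always read as 1, GD bit 13, R/Wn and LENn in bits 16+4n and 18+4n); the 0x700-versus-0x400 rule of thumb is the post's, so classify_dr7 simply applies it. The sample register values are constructed for the demonstration; reading the real registers needs ring0, as the post says.

```python
# DR7 field decoder for the debug-register check described in Method 10.
# Added example; bit positions follow the x86 architecture manuals.

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}   # R/Wn encodings
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                          # LENn encodings


def decode_dr7(dr7: int) -> dict:
    """Break DR7 into named flags plus one record per hardware breakpoint slot."""
    fields = {
        "LE": bool(dr7 & (1 << 8)),             # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),             # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always set by the CPU
        "GD": bool(dr7 & (1 << 13)),            # general detect: any MOV DRx traps
        "breakpoints": [],
    }
    for i in range(4):
        fields["breakpoints"].append({
            "index": i,
            "local": bool(dr7 & (1 << (2 * i))),        # Ln
            "global": bool(dr7 & (1 << (2 * i + 1))),   # Gn
            "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],  # R/Wn
            "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],  # LENn
        })
    return fields


def bpm_from_debug_regs(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> list:
    """Return (slot, address, kind, length) for every enabled breakpoint slot,
    i.e. what a ring0 read of DR0-DR3 plus DR7 reveals about memory breakpoints."""
    addrs = (dr0, dr1, dr2, dr3)
    out = []
    for bp in decode_dr7(dr7)["breakpoints"]:
        if bp["local"] or bp["global"]:
            out.append((bp["index"], addrs[bp["index"]], bp["kind"], bp["length"]))
    return out


def classify_dr7(dr7: int) -> str:
    """The post's rule of thumb: 0x700 (LE and GE set on top of the reserved bit)
    means the program was started through the SoftICE loader; 0x400 means only
    the always-set reserved bit is present."""
    f = decode_dr7(dr7)
    return "loaded-by-softice-loader" if (f["LE"] and f["GE"]) else "clean"


if __name__ == "__main__":
    # Constructed sample: slot 0 armed as a 4-byte read/write breakpoint at 0x401000.
    sample_dr7 = 0x400 | 0x1 | (3 << 16) | (3 << 18)
    print(classify_dr7(0x700), classify_dr7(0x400))
    print(bpm_from_debug_regs(0x401000, 0, 0, 0, sample_dr7))
```

Both functions work on plain integers, so they can be applied to register dumps taken from a crash report or a VM snapshot as well as to live values.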
, l: M: C( Y) [. c$ iMethod 117 Z4 h+ G* q* i
=========: S( z- w$ L$ I: [. k0 t6 Q

  |" ~2 ^/ W) C" lThis method is most known as 'MeltICE' because it has been freely distributed
4 F+ ?, g7 I. v1 ivia www.winfiles.com. However it was first used by NuMega people to allow) X2 C- ]2 X0 Y' p/ G  Y( @
Symbol Loader to check if SoftICE was active or not (the code is located
9 N8 b& f/ ]. K3 M" @/ l6 _# O; M2 Ninside nmtrans.dll).
3 E( _! c, k  T$ R" _% {% |
1 u7 ]1 D$ i6 YThe way it works is very simple:% I4 s& D/ P+ C+ T$ w# u( F
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
, x* F* p5 B$ U2 J! wWinNT) with the CreateFileA API.1 N) X! |! f# y# y1 {7 e) t& z& I; Q
4 w/ z# ]- n4 g5 p1 j3 }
Here is a sample (checking for 'SICE'):
$ ]9 s) n2 F0 g. u2 E1 I' \  ]; z! ^( m# r4 j& ]6 o( g) k$ T' X7 a
BOOL IsSoftIce95Loaded()
5 l( j5 O; ]3 S) O8 \{
1 H: u0 r/ x" _1 C+ X   HANDLE hFile;  
6 `+ _; e- n5 ~$ V9 M" |   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,) G9 G  p% u1 ?5 ?9 @3 Y
                      FILE_SHARE_READ | FILE_SHARE_WRITE,/ D2 D$ V# ^' K  K1 G3 r1 k* s
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 \  `9 U5 s* U5 O   if( hFile != INVALID_HANDLE_VALUE )
" ?' \4 m1 _% }1 O   {
6 }" g. j- `% E1 u      CloseHandle(hFile);
2 q3 I" h& m; V9 A5 R      return TRUE;
* s. O( t1 g3 O   }; b$ _! K+ q) y0 @
   return FALSE;2 M) e/ [% n  d: y- e8 I7 A7 P
}  q5 |# B( n, V5 x1 ~

+ v' k: t; {) _. s9 YAlthough this trick calls the CreateFileA function, don't even expect to be8 ]* w- |0 ^# H4 s( T- @
able to intercept it by installing a IFS hook: it will not work, no way!  D! h4 _( r- b) \6 R
In fact, after the call to CreateFileA it will get through VWIN32 0x001F4 c$ K0 y4 b  o4 x9 S0 j
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)% T, M2 {  n# Q2 K6 x' y( ^; m
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 F% |$ ^( T0 d- r+ Afield.% p+ R' r  ^3 s3 {
In fact, its purpose is not to load/unload VxDs but only to send a ( E  H8 v; v' t* c
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
( O! D* A/ s' L3 s1 u) xto the VxD Control_Dispatch proc (how the hell a shareware soft could try
  x- W  U+ ?, `- n: Sto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 v2 C: J$ X. L: `$ V
If the VxD is loaded, it will always clear eax and the Carry flag to allow8 n2 l- ~# e( _1 z1 y
its handle to be opened and then, will be detected.0 ~3 J0 K: u4 N% A! C
You can check that simply by hooking Winice.exe control proc entry point
% M, h3 @7 O" X* \while running MeltICE." `9 C' C) ]6 h5 V. o
; O5 [6 j2 [! N, x
+ k$ ^) y6 X* s4 `7 X8 o: l) q
  00401067:  push      00402025    ; \\.\SICE' W. u0 |" @  b; d, N7 P! i9 n
  0040106C:  call      CreateFileA
; I: A5 D; v  t* v: r: s  00401071:  cmp       eax,-001
7 `! R* S- W* B. r# W* C  00401074:  je        00401091$ Y$ }% O" y, `) v* p$ M6 K
# i; i- u* F" E; q9 `1 x

* l/ m! U3 a( N! F1 TThere could be hundreds of BPX you could use to detect this trick." @' M. t, p, H" Z3 h. J
-The most classical one is:
8 t, q% c- O2 |  L  Q1 C& u2 A+ P  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
  `! `& Q* ]3 p2 V" B$ x    *(esp-&gt;4+4)=='NTIC'/ C6 V+ }; D1 [6 }& F
: o/ G3 V. S/ m* v. x* G7 {; u
-The most exotic ones (could be very slooooow :-(
) P2 m& E2 R& E, Q5 ~   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  0 f8 W: k% F& y1 W
     ;will break 3 times :-(' \4 D" _5 X: K; U  W4 R

' `  A3 B: w2 j9 g% R-or (a bit) faster: - {0 q& a/ Q) T' h
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# \  c2 K1 c/ U, _0 l& u/ K* c
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  , o" s, F+ F# @# z& q
     ;will break 3 times :-(
& o, t0 m1 _2 w
/ J: A  p  ^7 k# b) F. ?% V-Much faster:
* T  K/ X  e- T   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
# y2 |* }( z7 ^; n9 ]# O; L; ?2 L' Z3 M% `
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen- R& X- j- h- I/ Q
function to do the same job:
' ]$ X3 g9 N1 Q0 d" ~8 y2 h$ ]$ ~
   push    00                        ; OF_READ
9 S; z+ h2 W3 l& T  Q7 M   mov     eax,[00656634]            ; '\\.\SICE',0- @- `4 h( `" ]7 U
   push    eax. o+ M3 o# i0 N( @* o
   call    KERNEL32!_lopen! b0 V; n% Y) F, ~1 g
   inc     eax
( R% S7 A- V$ y0 v   jnz     00650589                  ; detected! K  O: _# T. z( T. O
   push    00                        ; OF_READ6 b# `( |3 D4 t3 _
   mov     eax,[00656638]            ; '\\.\SICE'3 z! Y' O8 E% s5 T0 H2 e
   push    eax
  |1 c2 O- a: k$ }   call    KERNEL32!_lopen8 D# \* q$ k$ B0 L; Q! e3 r
   inc     eax! J. S  m& L. s# Z- c' q1 b- |
   jz      006505ae                  ; not detected
" s) s7 S* J4 ~7 @7 R# l' Q
0 K9 \) s; z9 X% o/ \+ y8 V1 }: u3 T* ?5 v3 @" ?
__________________________________________________________________________* R' ?9 P7 r5 t4 A6 x& s* H. j0 w
1 ^9 o; d$ o& U4 l0 H
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


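The breakpoints given throughout the post catch these tricks at run time, under SoftICE. The complementary static view, for an analyst triaging a binary before running it, is a byte-signature scan over the file. The following is an added example (not code from the original post or from any of the tools it names) that encodes the opcode sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the device-name and registry-key strings of Methods 11 and 13 as regular expressions over bytes, then runs them over a constructed sample buffer. The opcode encodings are derived from the snippets quoted above (for instance, mov si,4647h is BE 47 46, int 41h is CD 41); the optional 66h prefix lets one pattern match both the 16-bit and the 32-bit encoding. Method 06 and the ring0 methods (09, 10, 14) have no fixed byte sequence to match and are deliberately left out. The sample bytes are constructed for the demonstration.

```python
import re

# Signatures for the anti-SoftICE checks in the post: (method id, description, pattern).
# Added example; patterns are built from the opcode encodings of the quoted snippets.
# "\x66?" = optional operand-size prefix, ".{0,8}?" = a few instructions may sit in
# between.  Each opcode pattern is anchored on the int/call that does the check, so a
# lone "mov ax,4" does not fire.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker signature)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)),
    ("02", "mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("11", "driver device name opened by MeltICE-style checks",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)", re.IGNORECASE)),
    ("13", "SoftICE registry key",
     re.compile(b"|".join(re.escape(s) for s in (
         rb"Software\NuMega\SoftICE",
         rb"CurrentVersion\Uninstall\SoftICE",
         rb"App Paths\Loader32.Exe")), re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return (offset, method id) for every signature hit, sorted by offset."""
    hits = []
    for method, _desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method))
    return sorted(hits)


def describe(method: str) -> str:
    """Human-readable description for a method id returned by scan()."""
    return next(desc for mid, desc, _ in SIGNATURES if mid == method)


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer: one instance of each trick, glued together with filler.
SAMPLE_PIECES = [
    b"\x90\x90",                                                   # filler
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",   # Method 01 (16-bit)
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",            # Method 02 (Haspinst order)
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",                            # Method 03 (SICE)
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05",                    # Method 05
    b"\xB4\x43\xCD\x68\x3D\x86\xF3",                                # Method 07
    b"\x6A\x4F\x68\x2A\x00\x2A\x00",                                # Method 12
    b"\\\\.\\SICE\x00",                                             # Method 11 string
    b"Software\\NuMega\\SoftICE\x00",                               # Method 13 string
]
SAMPLE = b"".join(SAMPLE_PIECES)


if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method}: {describe(method)}")
```

Hits are reported at the first byte of the matched sequence, which for Method 02 is the mov si and not the preceding mov ax,0911h, so an analyst jumping to the offset in a disassembler lands on the magic values themselves. A match is a lead, not proof: the int 2Fh/1684h and int 41h sequences have legitimate uses, so each hit should be read in context.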
$ o0 z6 e5 t5 r! @1 w( hMethod 14 % ]' k' {+ t- v- y; P
=========5 y1 A! Q8 k! r+ t2 j) o0 \, K

5 C7 d+ E0 }9 }' @4 v5 v( Q: MA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 ]; r8 c+ d. W
is to determines whether a debugger is running on your system (ring0 only).0 ?5 U1 a& w7 n7 V+ D

  Q4 c- U( l: y! ^+ O   VMMCall Test_Debug_Installed
: o1 t6 Y9 v# m+ @+ p   je      not_installed
# c( D: ~0 `3 N$ L. r, L% f  n# [5 A& W7 s
This service just checks a flag.
7 |, h* x2 v; D' [( H. z6 B</PRE></TD></TR></TBODY></TABLE>