About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is resident
it services this BoundsChecker request itself and AL is no longer 4 on
return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one assumes ES already points at
segment 0 (the interrupt vector table; Method 06 sets it explicitly). The
private iret handler guarantees that, without SoftICE, int 41h returns
harmlessly with ax still 4Fh; if SoftICE is resident it answers the call
itself with 0F386h before the vector is reached:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
AL is loaded from port 40h (a changing timer value), CX is zeroed, and the
private handler copies AL into CL. If the program's own vector ran, CL equals
AL afterwards; if SoftICE serviced int 41h instead, CL is still 0 and the
compare fails. No function number 4Fh and no 0F386h constant appear in the
code, so a "BPINT 41 if ax==4f" never fires. (If the timer byte happens to be
0 the check gives a false negative.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
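The instruction sequences of Methods 01 to 05 and 07 are distinctive enough to be found statically in a binary before it runs. The scanner below is an added example and not part of the article: it encodes each trick's telltale instructions as opcode bytes (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h call with VxD ID 0202h or 7A5Fh, the 4Fh/int 41h and 43h/int 68h calls followed by a compare with 0F386h) and reports every place a signature's first instruction is followed, within a short window, by its confirming bytes. The 32-byte window, the signature table and the sample buffer (the article's listings hand-assembled back to back, 16-bit encodings except Method 01 which uses the 32-bit form packers use) are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW   32   /* assumed: confirming bytes must appear this close after the anchor */
#define MAX_HITS 16

struct sig {
    int method;                          /* method number as used in the article */
    const char *desc;
    const uint8_t *anchor; size_t alen;  /* distinctive first instruction */
    const uint8_t *c1;     size_t l1;    /* must follow within WINDOW bytes */
    const uint8_t *c2;     size_t l2;    /* optional second confirmation, l2 == 0 means unused */
};

struct hit { int method; size_t offset; const char *desc; };

/* Opcode encodings of the instructions quoted in the article. */
static const uint8_t m01_a[]  = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,4243484Bh  'BCHK' */
static const uint8_t int3[]   = {0xCC};                     /* int 3 */
static const uint8_t m02_a[]  = {0xBE,0x47,0x46};           /* mov si,4647h */
static const uint8_t m02_c[]  = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh */
static const uint8_t m03_a[]  = {0xB8,0x84,0x16};           /* mov ax,1684h */
static const uint8_t sice[]   = {0xBB,0x02,0x02};           /* mov bx,0202h  (SICE VxD ID) */
static const uint8_t siwvid[] = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh  (SIWVID VxD ID) */
static const uint8_t int2f[]  = {0xCD,0x2F};                /* int 2Fh */
static const uint8_t m05_a[]  = {0xB8,0x4F,0x00};           /* mov ax,4Fh */
static const uint8_t int41[]  = {0xCD,0x41};                /* int 41h */
static const uint8_t f386[]   = {0x3D,0x86,0xF3};           /* cmp ax,0F386h */
static const uint8_t m07_a[]  = {0xB4,0x43};                /* mov ah,43h */
static const uint8_t int68[]  = {0xCD,0x68};                /* int 68h */

static const struct sig sigs[] = {
    {1, "int 3 with ebp='BCHK' (BoundsChecker interface)", m01_a, sizeof m01_a, int3,   sizeof int3,   NULL,  0},
    {2, "int 3 back door, SI=4647h DI=4A4Dh",              m02_a, sizeof m02_a, m02_c,  sizeof m02_c,  int3,  sizeof int3},
    {3, "int 2Fh/1684h, VxD ID 0202h (SICE)",              m03_a, sizeof m03_a, sice,   sizeof sice,   int2f, sizeof int2f},
    {4, "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",            m03_a, sizeof m03_a, siwvid, sizeof siwvid, int2f, sizeof int2f},
    {5, "int 41h/4Fh answered with 0F386h",                m05_a, sizeof m05_a, int41,  sizeof int41,  f386,  sizeof f386},
    {7, "int 68h/43h answered with 0F386h",                m07_a, sizeof m07_a, int68,  sizeof int68,  f386,  sizeof f386},
};

/* Is `pat` present in the first WINDOW bytes of p (at most `avail` bytes readable)? */
static int window_has(const uint8_t *p, size_t avail, const uint8_t *pat, size_t plen)
{
    size_t span = avail < WINDOW ? avail : WINDOW;
    if (plen == 0) return 1;                    /* unused confirmation */
    for (size_t i = 0; i + plen <= span; i++)
        if (memcmp(p + i, pat, plen) == 0) return 1;
    return 0;
}

/* Scan raw code bytes; returns the number of hits written (at most max_hits), in offset order. */
size_t scan_anti_sice(const uint8_t *code, size_t len, struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max_hits; off++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0] && n < max_hits; s++) {
            const struct sig *g = &sigs[s];
            if (off + g->alen > len || memcmp(code + off, g->anchor, g->alen) != 0)
                continue;
            const uint8_t *after = code + off + g->alen;
            size_t avail = len - off - g->alen;
            if (window_has(after, avail, g->c1, g->l1) && window_has(after, avail, g->c2, g->l2)) {
                hits[n].method = g->method;
                hits[n].offset = off;
                hits[n].desc   = g->desc;
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: the article's snippets hand-assembled one after another. */
const uint8_t sample_code[] = {
    /* Method 01 (32-bit): mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    0x90,0x90,0x90,                                     /* padding */
    /* Method 02 (Haspinst): mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3; add bx,2 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x83,0xC3,0x02,
    /* Method 03: xor di,di; mov es,di; mov ax,1684h; mov bx,0202h; int 2Fh; mov ax,es; add ax,di; test ax,ax; jnz */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F, 0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x08,
    /* Method 05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x04,
    /* Method 07: mov ah,43h; int 68h; cmp ax,0F386h; jz */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x02,
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    struct hit hits[MAX_HITS];
    size_t n = scan_anti_sice(sample_code, sample_code_len, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        printf("offset %3zu: Method %02d  %s\n", hits[i].offset, hits[i].method, hits[i].desc);
    return 0;
}
```

Method 06 is deliberately absent from the table: it sets neither 4Fh nor 0F386h, which is exactly why the article calls it harder to detect; the only static handle on it is the vector swap at es:[41h*4], which is also how Stone's Method 05 variant looks.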


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

4 A4 X2 t' S7 i- m7 yMethod 10
4 q& Q1 y) E: o6 u: X( m9 U- w, M=========. d. u4 ^; i6 _

: L3 ^7 s8 s1 j$ G. ^. |) w=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with$ o' i0 ?3 u. v' Z/ j( ~7 r6 h
  SoftICE while the option is enable!!7 ]* M' S; U' W; _- s; L4 K! m

3 {5 R! r7 |9 l, D8 v9 Z0 ZThis trick is very efficient:" S: X/ j, M) ?- k' f
by checking the Debug Registers, you can detect if SoftICE is loaded
. R9 n1 `! v/ k9 z6 T: g" p1 m(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if  P) {: A* L$ @) A
there are some memory breakpoints set (dr0 to dr3) simply by reading their
, v1 a$ \1 G+ p& b. H# x$ svalue (in ring0 only). Values can be manipulated and or changed as well  A+ ^0 Y4 B6 ?, L+ B; s7 J3 M3 s
(clearing BPMs for instance)
) V% N% m6 M' p3 c6 g4 _8 w- }! d! F5 n6 E, s5 t
__________________________________________________________________________
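Reading DR7 needs ring0 (`mov eax, dr7`), but the interesting part is what the bits mean once you have the value: 0x400 is just the always-set reserved bit 10, 0x700 adds the LE/GE exact-breakpoint enables, and a SoftICE BPM shows up as an enable bit in the low byte plus an R/W and LEN field in the high word. The decoder below is an added example, not code from the article; it takes a DR7 value obtained elsewhere, reports which of DR0 to DR3 are armed and how, shows what arming a slot for a memory breakpoint looks like, and implements "clearing BPMs" as the inverse. The field layout is the documented one for 32-bit x86; the `looks_like_softice_loader` helper only restates the article's 0x700 observation and is not a reliable detector on its own.

```c
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware breakpoint slots as configured by DR7. */
struct hwbp {
    int local;   /* Lx bit  (bits 0,2,4,6) */
    int global;  /* Gx bit  (bits 1,3,5,7) */
    int rw;      /* R/Wx field: 0 = execute, 1 = write, 2 = I/O, 3 = read or write */
    int len;     /* LENx field decoded to a byte count (1, 2, 8 or 4) */
};

struct dr7_state {
    int le, ge;       /* bit 8 / bit 9: local/global exact breakpoint enable */
    int bit10;        /* bit 10: reserved, always reads as 1 */
    int gd;           /* bit 13: general detect, traps any mov to/from DR0-DR7 */
    struct hwbp bp[4];
};

/* Split a raw DR7 value into its fields. */
struct dr7_state decode_dr7(uint32_t dr7)
{
    static const int len_tab[4] = {1, 2, 8, 4};   /* LEN encoding 10b is only defined in 64-bit mode */
    struct dr7_state s;
    s.le    = (dr7 >> 8)  & 1;
    s.ge    = (dr7 >> 9)  & 1;
    s.bit10 = (dr7 >> 10) & 1;
    s.gd    = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        s.bp[i].local  = (dr7 >> (2 * i))      & 1;
        s.bp[i].global = (dr7 >> (2 * i + 1))  & 1;
        s.bp[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        s.bp[i].len    = len_tab[(dr7 >> (18 + 4 * i)) & 3];
    }
    return s;
}

/* Bit i of the result set means DRi is armed (locally or globally). */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3) m |= 1u << i;
    return m;
}

/* The article's observation: 0x700 (LE|GE|bit10) after the SoftICE loader, 0x400 otherwise. */
int looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* What a BPM on `bytes` bytes with access type `rw` does to slot i:
   enable bit in the low byte, R/W and LEN fields in the high word. */
uint32_t dr7_arm_slot(uint32_t dr7, int i, int rw, int bytes, int global)
{
    static const int len_enc[9] = {0, 0, 1, 0, 3, 0, 0, 0, 2};   /* byte count -> LEN field */
    if (i < 0 || i > 3 || (bytes != 1 && bytes != 2 && bytes != 4 && bytes != 8))
        return dr7;                                              /* refuse an invalid request */
    dr7 &= ~((3u << (2 * i)) | (0xFu << (16 + 4 * i)));          /* wipe the slot first */
    dr7 |= (global ? 2u : 1u) << (2 * i);
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * i);
    dr7 |= (uint32_t)len_enc[bytes] << (18 + 4 * i);
    return dr7;
}

/* "Clearing BPMs": disarm all four slots but keep LE/GE/bit10/GD as they were. */
uint32_t dr7_clear_all(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

int main(void)
{
    /* constructed values: the article's two DR7 states, then one BPM added on DR1 */
    uint32_t samples[] = { 0x400u, 0x700u, dr7_arm_slot(0x700u, 1, 1, 4, 0) };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct dr7_state s = decode_dr7(samples[k]);
        printf("DR7=%08X LE=%d GE=%d GD=%d armed=0x%X softice-loader-like=%d\n",
               samples[k], s.le, s.ge, s.gd, dr7_enabled_mask(samples[k]),
               looks_like_softice_loader(samples[k]));
        for (int i = 0; i < 4; i++)
            if (s.bp[i].local || s.bp[i].global)
                printf("  DR%d: %s rw=%d len=%d\n", i, s.bp[i].global ? "global" : "local",
                       s.bp[i].rw, s.bp[i].len);
    }
    return 0;
}
```

The protected program that reads these registers sees the same thing a `BPM` leaves behind, which is why the article warns against tracing with breakpoints set: the decoder makes the difference between "no slot armed" and "slot armed for write/4 bytes" explicit.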

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of "tICE" inside the subkey strings of #2 and
#1 respectively; key #3 is not caught by this breakpoint.)

__________________________________________________________________________
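The CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint of Method 13 are the same idea: a four-byte compare at a fixed offset into a string argument, where SoftICE's `*(p)=='SICE'` is true when the bytes at p are S, I, C, E in memory order. The code below is an added example, not from the article or from NuMega, re-implementing both conditions in C with a bounds check so you can try device names and subkeys offline and see which ones the breakpoints would catch. The device-prefix test, the helper names and the sample strings are mine; the offsets 4, 0x13 and 0x37 are the ones from the breakpoints above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p+off)=='ABCD' is true when the four bytes at p+off are
   'A','B','C','D' in memory order. Bounds-checked here so that a string
   shorter than off+4 can never match (the real breakpoint would just read
   whatever happens to follow the terminator). */
static int tag_at(const char *s, size_t off, const char tag[4])
{
    if (strlen(s) < off + 4) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
   esp->4 is lpFileName; +4 skips the "\\.\" device prefix. The prefix test is an
   addition of this example: the breakpoint itself does not check it. */
int is_softice_device_name(const char *path)
{
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;
    return tag_at(path, 4, "SICE") || tag_at(path, 4, "SIWV") || tag_at(path, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is lpSubKey of RegOpenKey(hKey, lpSubKey, phkResult). */
int is_softice_regkey(const char *subkey)
{
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

/* Where a 4-byte tag sits inside a string, or (size_t)-1 if absent: use it to
   derive the offset for a breakpoint on a key or device name of your own. */
size_t find_tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (size_t)(p - s) : (size_t)-1;
}

int main(void)
{
    /* constructed inputs: the device names and subkeys named in the article, plus one decoy */
    const char *devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\SICE.TXT" };
    const char *subkeys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++)
        printf("%-16s device match: %d\n", devices[i], is_softice_device_name(devices[i]));
    for (size_t i = 0; i < sizeof subkeys / sizeof subkeys[0]; i++)
        printf("%-72s 'tICE' at 0x%zx, breakpoint fires: %d\n", subkeys[i],
               find_tag_offset(subkeys[i], "tICE"), is_softice_regkey(subkeys[i]));
    return 0;
}
```

Two things fall out of running it: the CreateFileA condition matches on the first four characters only, so `\\.\SIWVID` is caught through 'SIWV' and so would any other `\\.\SIWV...` name; and `find_tag_offset` gives 0x13 for key #2 and 0x37 for key #1 but no hit for key #3, which a program using the App Paths key would therefore pass unnoticed unless you add a third term for it.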


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>