<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next example, as well as the one in method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to hold 0 (the IVT segment), as set up in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the
    xchg bx, es:[41h*4+2]   ; old offset in dx and the old segment in bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax               ; es = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = timer value, different on each run
    xor cx,cx               ; cl = 0
    int 41h                 ; reaches our handler (cl = al) unless a debugger
                            ; owns int 41h and does not pass the call on
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected    ; cl != al: the call never got to our handler
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
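The checks of methods 01 to 07 each leave a fixed instruction sequence in the binary, so an analyst can look for them statically before running a sample under a debugger. The scanner below is an added example, my own Python and not code from the original text or from any of the programs it names: the opcode encodings are the standard 16-bit x86 ones (mov r16,imm16 = B8+r, int n = CD nn, cmp ax,imm16 = 3D, mov ebp,imm32 with a 66h prefix in 16-bit code), the few bytes of slack allowed between the instructions are an assumption about how tightly such checks are usually written, the sample bytes are constructed and come from no real program, and method 06 is left out on purpose because it compares a timer reading rather than a fixed value, which is exactly why the text calls it harder to detect.

```python
# Added example: static scan for the SoftICE checks of methods 01-07.
# Encodings assume 16-bit code; 'mov ebp, imm32' carries a 66h prefix there.
import re

# (method, description, regex over raw bytes). The ".{0,n}" gaps allow a few
# unrelated bytes between the instructions (an assumption, not a rule from
# the original text). "int 3" may assemble to CC or CD 03, so both are allowed.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker signature)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}\xB8\x04\x00.{0,8}(\xCC|\xCD\x03)", re.DOTALL)),
    ("02", "mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}(\xCC|\xCD\x03)", re.DOTALL)),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F", re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3", re.DOTALL)),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68.{0,16}\x3D\x86\xF3", re.DOTALL)),
]


def scan(data: bytes):
    """Return [(offset, method, description)] sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes):
    """Distinct method numbers, in order of first appearance."""
    seen = []
    for _, method, _ in scan(data):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample (not from any real binary): NOP padding around the
# method 01 sequence exactly as written in the text, then the method 03 one.
SAMPLE = (
    b"\x90" * 16
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 04243484Bh  ('BCHK')
    + b"\xB8\x04\x00"               # mov ax, 04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 16
    + b"\x33\xFF"                   # xor di, di
    + b"\x8E\xC7"                   # mov es, di
    + b"\xB8\x84\x16"               # mov ax, 1684h
    + b"\xBB\x02\x02"               # mov bx, 0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\x90" * 16
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("offset 0x%04X: method %s  %s" % (off, method, desc))
```

Run on the constructed sample it reports method 01 at offset 0x10 and method 03 at 0x32 and nothing else; on a real file, feed it the raw bytes of the code segment and treat each hit as a place to read the surrounding instructions, since the patterns are deliberately loose.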
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds must already hold its segment
    int 21h

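The int 41h vector that methods 05 and 06 swap in and out, and the int 01h/03h vectors that this method overwrites, all live in the real-mode interrupt vector table at 0000:0000, 256 entries of an offset word followed by a segment word, which is what the es:[41h*4] and es:[41h*4+2] accesses above read. As an added example that is not from the original text, the Python below decodes two IVT images and reports which of the vectors involved in these tricks differ, the way one would compare a snapshot taken before and after a suspect program ran. Both images are constructed for the demo; the F000:FF53 filler and the 1234:xxxx handler addresses are placeholders, not real BIOS or program addresses.

```python
# Added example: decode and diff real-mode interrupt vector table images.
# Constructed data only; nothing here reads a live machine.

IVT_BYTES = 256 * 4   # 256 vectors, 4 bytes each: offset word, segment word


def parse_ivt(image: bytes) -> dict:
    """Map interrupt number -> (segment, offset) for a 1 KiB IVT image.
    Entry n starts at n*4: bytes 0-1 are the offset, 2-3 the segment,
    both little-endian."""
    if len(image) != IVT_BYTES:
        raise ValueError("IVT image must be exactly %d bytes" % IVT_BYTES)
    vectors = {}
    for n in range(256):
        off = int.from_bytes(image[n * 4:n * 4 + 2], "little")
        seg = int.from_bytes(image[n * 4 + 2:n * 4 + 4], "little")
        vectors[n] = (seg, off)
    return vectors


def fmt(vec) -> str:
    return "%04X:%04X" % vec


# Vectors the tricks on this page touch: int 01h/03h (method 08),
# int 41h (methods 05/06), int 68h (method 07).
WATCHED = (0x01, 0x03, 0x41, 0x68)


def changed_vectors(before: bytes, after: bytes, watched=WATCHED):
    """Return [(int_no, old, new)] for watched vectors that differ."""
    b, a = parse_ivt(before), parse_ivt(after)
    return [(n, b[n], a[n]) for n in watched if b[n] != a[n]]


def build_ivt(overrides: dict, filler=(0xF000, 0xFF53)) -> bytes:
    """Construct an IVT image; unspecified vectors get the filler address
    (an arbitrary placeholder for the demo, not a real BIOS entry point)."""
    out = bytearray()
    for n in range(256):
        seg, off = overrides.get(n, filler)
        out += off.to_bytes(2, "little") + seg.to_bytes(2, "little")
    return bytes(out)


# Constructed snapshots: BEFORE is the baseline; AFTER has int 01h and int 03h
# redirected into the program's own segment, as method 08 does, while int 41h
# is back at its original value, as methods 05/06 leave it after the restore.
BEFORE = build_ivt({0x41: (0x0070, 0x0100)})
AFTER = build_ivt({0x41: (0x0070, 0x0100),
                   0x01: (0x1234, 0x0200),
                   0x03: (0x1234, 0x0210)})


def report(before: bytes, after: bytes):
    return ["int %02Xh: %s -> %s" % (n, fmt(old), fmt(new))
            for n, old, new in changed_vectors(before, after)]


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)) or "no watched vector changed")
```

The int 41h swap of methods 05/06 is invisible to this kind of before/after comparison because the vector is put back before the program goes on, which is worth remembering: only a snapshot taken while the check runs, or the instruction-level patterns, will show it.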
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
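The two DR7 values quoted above make more sense once the register is split into its fields. As an added example (my own Python, not from the original text), the decoder below uses the IA-32 DR7 layout: bits 0-7 are the local/global enable pairs for DR0-DR3, bit 8 (LE) and bit 9 (GE) are the exact-trap flags, bit 10 is reserved and reads as 1, bit 13 is GD, and bits 16-31 hold the R/W and LEN pair for each of the four breakpoints. Read back that way, 0x400 is nothing but the reserved bit, and 0x700 is that bit plus LE and GE; the third value is constructed to show what a 4-byte read/write breakpoint (a BPM) armed in DR0 looks like.

```python
# Added example: field-by-field decode of the DR7 debug control register.
# Layout is the documented IA-32 one; the sample values are from the text
# (0x700, 0x400) plus one constructed value with a breakpoint armed.

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1           # Li bit
        glob = (dr7 >> (2 * i + 1)) & 1        # Gi bit
        rw = (dr7 >> (16 + 4 * i)) & 3         # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 3         # LENi field
        slots.append({
            "index": i,
            "enabled": bool(local or glob),
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "armed": [s for s in slots if s["enabled"]],
    }


def describe_dr7(dr7: int) -> str:
    """One-line summary in the terms the text uses."""
    d = decode_dr7(dr7)
    parts = []
    if d["LE"] or d["GE"]:
        parts.append("LE/GE exact-trap flags set")
    for s in d["armed"]:
        parts.append("DR%d armed: %s, %d byte(s)" % (s["index"], s["type"], s["length"]))
    return "; ".join(parts) if parts else "no debugger state (reserved bit only)"


# Constructed: reserved bit 10 (0x400) + L0 (0x1) + R/W0 = 11b (0x30000)
# + LEN0 = 11b (0xC0000): a 4-byte read/write breakpoint armed in DR0.
BPM_ON_DR0 = 0x400 | 0x1 | 0x30000 | 0xC0000

if __name__ == "__main__":
    for v in (0x400, 0x700, BPM_ON_DR0):
        print("DR7=0x%X: %s" % (v, describe_dr7(v)))
```

Because bit 10 is set by the processor itself, a DR7 of 0x400 carries no information about any debugger; it is the LE/GE bits and the enable bits for DR0-DR3 that the trick is really reading.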
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
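The constants in the detection breakpoints of method 11 and of this method come from where the interesting characters sit in the argument strings: the first CreateFileA argument (esp->4) points at the name and +4 steps over the "\\.\" prefix, so 'SICE' starts there; the second RegOpenKey argument (esp->8) points at the subkey string, and 'tICE' sits at offset 0x13 in key #2 and 0x37 in key #1. As an added example that is not from the original text, the Python below models a stack frame and the strings in a constructed memory image, evaluates both conditions the way the expressions read (reg->n is the dword at reg+n, *(p) the bytes at p), and derives the two offsets from the key strings themselves. Comparing four bytes in memory order against the quoted literal is my reading of these breakpoints; the esp value, the return address and the 00403000 string address are constructed, while 00402025 and the key names are taken from the text.

```python
# Added example: evaluate the page's detection breakpoint conditions against
# a constructed memory image to show where the magic offsets come from.


class Memory:
    """Tiny flat 32-bit memory: a dict of byte values, zero where unset."""

    def __init__(self):
        self.cells = {}

    def write(self, addr: int, data: bytes):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr: int) -> int:
        return int.from_bytes(self.read(addr, 4), "little")


def arrow(mem: Memory, reg: int, off: int) -> int:
    """The 'reg->off' operator: the dword stored at reg+off."""
    return mem.dword(reg + off)


def bpx_createfilea(mem: Memory, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    On entry esp->4 is lpFileName; +4 steps over the \\\\.\\ prefix."""
    name = arrow(mem, esp, 4)
    return mem.read(name + 4, 4) in (b"SICE", b"SIWV", b"NTIC")


def bpx_regopenkey(mem: Memory, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey, the second argument (hKey is the first)."""
    sub = arrow(mem, esp, 8)
    return mem.read(sub + 0x13, 4) == b"tICE" or mem.read(sub + 0x37, 4) == b"tICE"


# The subkeys from the text; the HKEY_LOCAL_MACHINE root arrives as the
# hKey argument, not inside the string.
KEY1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
KEY2 = "Software\\NuMega\\SoftICE"
KEY3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"


def tice_offset(subkey: str) -> int:
    """Where 'tICE' falls in a subkey string (-1 if absent)."""
    return subkey.find("tICE")


def build_frame(mem: Memory, esp: int, args) -> None:
    """Lay out a __stdcall frame: return address at [esp], args after it."""
    mem.write(esp, (0xDEADBEEF).to_bytes(4, "little"))      # constructed
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), a.to_bytes(4, "little"))


def demo_createfile(name: str) -> bool:
    mem = Memory()
    esp, name_addr = 0x0012FF00, 0x00402025   # 00402025 as quoted in the text
    mem.write(name_addr, name.encode("ascii") + b"\0")
    build_frame(mem, esp, [name_addr, 0xC0000000])   # lpFileName, access
    return bpx_createfilea(mem, esp)


def demo_regopenkey(subkey: str) -> bool:
    mem = Memory()
    esp, key_addr, hkey_lm = 0x0012FF00, 0x00403000, 0x80000002
    mem.write(key_addr, subkey.encode("ascii") + b"\0")
    build_frame(mem, esp, [hkey_lm, key_addr, 0x0012FF80])   # hKey, lpSubKey, phkResult
    return bpx_regopenkey(mem, esp)


if __name__ == "__main__":
    for k in (KEY1, KEY2, KEY3):
        print("%-64s 'tICE' at %s" % (k, hex(tice_offset(k))))
    print("\\\\.\\SICE  ->", demo_createfile("\\\\.\\SICE"))
```

One thing the derivation makes visible: key #3 (the App Paths entry for Loader32.Exe) contains no 'tICE' at all, so the breakpoint quoted above never fires for a program that only reads that key; a second condition on 'ader' at offset 0x35, or simply a plain BPX _regopenkey, is needed to cover it.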
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>