<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only reached if nobody else owns int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; our handler did not run -> debugger
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
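The breakpoints above catch these checks at run time; as an added example (not code from the original text or from any protector), the Python scanner below looks for the same indicators statically in a raw binary image, covering the immediates of methods 01 to 07 and 12 and the device-name and registry-key strings of methods 11 and 13. The byte patterns are the standard x86 encodings of the quoted instructions and the sample image is constructed.

```python
import re

# Indicators of the anti-SoftICE checks from methods 01-07, 11, 12 and 13,
# as bytes regexes over a raw image.  The opcode bytes are the standard x86
# encodings of the instructions quoted above (B8+r = mov r16,imm16,
# CD xx = int xx, 3D = cmp ax,imm16, 6A/68 = push imm8/imm32); ".{0,8}?"
# tolerates a few instructions in between.  A 66h operand-size prefix sits
# before the opcode, so 16-bit and 32-bit forms match alike.  Heuristic
# only: a protector can split or obfuscate the sequence.
INDICATORS = [
    ("01 BoundsChecker 'BCHK' in ebp followed by int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02 back door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    ("03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05 int 41h function 4Fh", rb"\xB8\x4F\x00.{0,4}?\xCD\x41"),
    ("05/07/12 cmp ax,0F386h", rb"\x3D\x86\xF3"),
    ("07 int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("11 MeltICE device name",
     b"|".join(re.escape(n) for n in
               (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"))),
    ("13 SoftICE registry key",
     rb"(?i)Software\\NuMega\\SoftICE|Uninstall\\SoftICE"
     rb"|App Paths\\Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in INDICATORS]


def scan(data: bytes) -> list:
    """Return sorted (offset, indicator) pairs for every match in data."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: filler around hand-assembled fragments of
# methods 01, 02 and 11 (not taken from any real protector).
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"       # mov ax,4
    + b"\xCC"                   # int 3
    + b"\x3C\x04\x75\x10"       # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"        # device name passed to CreateFileA
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a whole file with scan(open(path, "rb").read()); a hit is a reason to look at that offset in a disassembler, not proof by itself.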

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>