About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (IVT segment) here,
    xchg    bx, es:[41h*4+2]    ; as set up explicitly in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The installed handler copies AL into CL; if SoftICE intercepts int 41h
before that handler runs, CL keeps its zero value and no longer matches AL:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

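The two DR7 values quoted for Method 10 follow directly from the register's bit layout: bit 10 of DR7 is reserved and always reads as 1 (hence 0x400 on a plain system), and the SoftICE loader additionally leaves LE (bit 8) and GE (bit 9) set, giving 0x700. The decoder below is an added example, not part of the original text; it assumes the Intel-documented DR7 layout and uses constructed sample values, and it also reports which dr0..dr3 slots (BPMs) are armed, with their access type and length.

```python
# Added example, not part of the original text: decode a DR7 value the way
# Method 10 reads it, to show where 0x400 (reserved bit 10 always set) and
# 0x700 (bit 10 plus LE and GE) come from and which BPM slots dr0..dr3 are
# armed.  Bit layout follows the Intel SDM; the sample values are constructed.

DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_RESERVED = 1 << 10     # always reads as 1, hence the 0x400 baseline

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Describe DR7: the LE/GE/reserved bits and every armed breakpoint slot."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)       # Ln bit
        glob = bool((dr7 >> (2 * n + 1)) & 1)    # Gn bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3           # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3           # LENn field
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"reserved": bool(dr7 & DR7_RESERVED),
            "le": bool(dr7 & DR7_LE),
            "ge": bool(dr7 & DR7_GE),
            "slots": slots}


def findings(dr7):
    """Apply the Method 10 observations: LE+GE set -> loaded through the
    SoftICE loader (0x700); any armed slot -> a BPM is set.  An empty list
    means DR7 looks like a plain system (0x400)."""
    d = decode_dr7(dr7)
    out = []
    if d["le"] and d["ge"]:
        out.append("softice_loader")
    if d["slots"]:
        out.append("bpm_set")
    return out


if __name__ == "__main__":
    # 0xD0402 is a constructed value: bit 10, G0, R/W0=write, LEN0=4 bytes
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), decode_dr7(value), findings(value))
```

The decoder is the analyst's side of the trick: reading it back shows that the protection only needs the two "exact" enable bits to recognise the SoftICE loader, so anything that clears LE/GE or the L/G bits (as the text notes, "clearing BPMs") changes what the check sees.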
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
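Most of the tricks above leave recognisable residue in a binary: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h and int 41h/4Fh sequences of Methods 03 to 05, the 0F386h compare shared by Methods 05, 07 and 12, the device names of Method 11 and the registry key of Method 13. The scanner below is an added example, not part of the original text: the x86 byte encodings are hand-derived from the instruction sequences quoted in those methods (16-bit encodings for the DOS-era snippets, 32-bit for the 'BCHK' stub), the sample buffer is constructed, and, as with any static signature, code that is packed, encrypted or assembled differently (other registers, a `66` prefix, split immediates) will not match.

```python
# Added example, not from the original text: a small static scanner that
# flags the byte patterns and strings the tricks above leave in a binary.
# The x86 encodings were derived by hand from the instruction sequences in
# Methods 01, 02, 03/04, 05/07/12 and the strings of Methods 11 and 13;
# the sample buffer at the bottom is constructed for the demonstration.
import re

SIGNATURES = {
    # Method 01, 32-bit code: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02, 16-bit code: mov si,4647h / mov di,4A4Dh back-door magic values
    "softice_backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04, 16-bit code: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "int2f_get_entry_point": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05, 16-bit code: mov ax,4Fh / int 41h
    "int41_fn4f": rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/07/12: cmp ax,0F386h (16-bit form, or 66-prefixed in 32-bit code)
    "magic_f386": rb"\x66?\x3D\x86\xF3",
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    "meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: the SoftICE registry key
    "softice_registry_key": rb"Software\\NuMega\\SoftICE",
}


def scan(data):
    """Return sorted (offset, signature_name) pairs for every match in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data):
    """Count hits per signature name; an empty dict means nothing matched."""
    counts = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample buffer: padding plus a Method 01 stub, a Method 05 stub
# with its 0F386h compare, a MeltICE device name and the registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # offset 8
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                       # offset 22
    + b"\x3D\x86\xF3"                               # offset 27
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"                            # offset 35
    + b"Software\\NuMega\\SoftICE\x00"              # offset 44
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it against a real sample by reading the file as bytes and passing it to `scan`; hits give the file offset to look at in a disassembler, while `summarize` is enough for a quick triage column. The string signatures are the most robust of the set (the device names and the registry path survive most compilers unchanged); the instruction signatures are deliberately narrow so that they do not fire on unrelated code.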