<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL is changed by the SoftICE handler when it is loaded
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911    ; execute command.
4C19:0098  MOV DX,[BX]    ; ds:dx point to the command (see below).
4C19:009A  MOV SI,4647    ; 1st magic value.
4C19:009D  MOV DI,4A4D    ; 2nd magic value.
4C19:00A0  INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02      ; BX+2 to point to next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06      ; Repeat 6 times to execute
4C19:00A8  JB 0095        ; 6 different commands.
4C19:00AA  JMP 0002       ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not loaded)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own (empty) int 41h handler, save the old one
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; only a debugger hooking below the IVT can still answer
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: an unpredictable byte in AL
        xor cx,cx
        int 41h                 ; our handler copies AL into CL, unless SoftICE takes the int first
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
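The INT-based checks of methods 01 to 07 all compile to short, fixed byte
sequences, so a packed binary can be searched for them statically before
it is ever run under SoftICE. The following C program is an added example,
not part of the original text and not FrogsICE code: it scans a buffer for
the x86 encodings of the sequences quoted above, with "??" as a wildcard
byte so that the int 2Fh/1684h pattern matches any VxD ID. The sample
buffer is constructed here from the Haspinst.exe loop of method 02 followed
by the check of method 03; the helper names and the signature set are my
own, and the method 05 signature only catches the direct form (the Stone
variants place xchg between int 41h and the compare).

```c
/* Added example, not from the original text: static scanner for the
 * INT-based SoftICE checks of methods 01-07.  Patterns are the x86
 * encodings of the instruction sequences quoted above; "??" = any byte. */
#include <stdio.h>
#include <stddef.h>

#define MAX_PAT 16

struct sig { const char *name; const char *hex; };

/* Encodings used: mov ax,imm16 = B8 iw; mov bx,imm16 = BB iw;
 * mov si,imm16 = BE iw; mov di,imm16 = BF iw; mov ah,imm8 = B4 ib;
 * mov ebp,imm32 = BD id (66 BD id in 16-bit code, still matched as a
 * substring); int 3 = CC; int n = CD ib; cmp ax,imm16 = 3D iw. */
static const struct sig sigs[] = {
    { "M01 mov ebp,'BCHK'",                "BD 4B 48 43 42" },
    { "M02 back door magic si/di + int 3", "BE 47 46 BF 4D 4A CC" },
    { "M03/M04 int 2Fh/1684h, any VxD ID", "B8 84 16 BB ?? ?? CD 2F" },
    { "M05 int 41h/4Fh + cmp ax,0F386h",   "B8 4F 00 CD 41 3D 86 F3" },
    { "M07 int 68h/43h + cmp ax,0F386h",   "B4 43 CD 68 3D 86 F3" },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Parse "BE 47 ??" into pat[] (-1 = wildcard); returns pattern length or -1. */
static int parse_hex(const char *hex, int *pat)
{
    int n = 0;
    for (const char *p = hex; *p != '\0' && n < MAX_PAT; ) {
        if (*p == ' ') { p++; continue; }
        if (p[0] == '?' && p[1] == '?') { pat[n++] = -1; p += 2; continue; }
        unsigned v;
        if (sscanf(p, "%2x", &v) != 1) return -1;
        pat[n++] = (int)v;
        p += 2;
    }
    return n;
}

/* Offset of the first match of signature idx in buf, or -1 if none. */
long find_sig(const unsigned char *buf, size_t len, size_t idx)
{
    int pat[MAX_PAT];
    int n = idx < NSIGS ? parse_hex(sigs[idx].hex, pat) : -1;
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (pat[j] == -1 || buf[i + j] == (unsigned char)pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Bitmask of signatures found in buf (bit k = sigs[k]); prints each hit. */
unsigned scan_softice_checks(const unsigned char *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_sig(buf, len, k);
        if (off >= 0) {
            mask |= 1u << k;
            printf("%-36s at offset 0x%04lx\n", sigs[k].name, (unsigned long)off);
        }
    }
    return mask;
}

/* Constructed sample (not a real file): the Haspinst.exe loop from method 02
 * followed by the int 2Fh/1684h check from method 03, with filler around it. */
const unsigned char sample_code[] = {
    0x90, 0x90,                     /* nop ; nop */
    0xB8, 0x11, 0x09,               /* mov ax,0911h */
    0x8B, 0x17,                     /* mov dx,[bx] */
    0xBE, 0x47, 0x46,               /* mov si,4647h */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh */
    0xCC,                           /* int 3 */
    0x83, 0xC3, 0x02,               /* add bx,2 */
    0x41,                           /* inc cx */
    0x31, 0xFF, 0x8E, 0xC7,         /* xor di,di ; mov es,di */
    0xB8, 0x84, 0x16,               /* mov ax,1684h */
    0xBB, 0x02, 0x02,               /* mov bx,0202h (SICE) */
    0xCD, 0x2F,                     /* int 2Fh */
    0xC3,                           /* ret */
};
const size_t sample_code_len = sizeof sample_code;

int main(void)
{
    unsigned hits = scan_softice_checks(sample_code, sample_code_len);
    printf("signature mask: 0x%x\n", hits);
    return hits ? 1 : 0;   /* non-zero exit = anti-debug sequences present */
}
```

On the sample above the scanner reports the method 02 sequence at offset 7
and the method 03 sequence at offset 22 (mask 0x6); a 16-bit image using
the SIWVID ID (mov bx,7A5Fh) is caught by the same wildcard signature.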
$ m& K# X, L% i1 D4 v# o) I__________________________________________________________________________5 |9 z( i& w* ?5 n$ V* f0 B* I


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: mov from a debug register is a privileged instruction).
Values can be manipulated and/or changed as well (clearing BPMs for instance).
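To see what the two DR7 values above actually encode, and what a BPM leaves
behind in DR7, here is an added example in C (not part of the original
text, not FrogsICE code) that decodes a DR7 value the way a ring-0 check
would after reading it. The bit layout is the Intel one (L0..L3 in bits
0,2,4,6; G0..G3 in bits 1,3,5,7; LE bit 8; GE bit 9; reserved bit 10 reads
as 1; RWn and LENn in bits 16+4n..19+4n), so 0x700 and 0x400 differ exactly
in LE and GE and neither has a breakpoint armed; the function and field
names are my own.

```c
/* Added example, not from the original text: decode a DR7 value the way a
 * ring-0 check of method 10 would, to show what dr7=0x700 vs 0x400 means and
 * what a memory breakpoint (BPM) leaves behind.  Bit layout per the Intel SDM:
 * L0..L3 = bits 0,2,4,6; G0..G3 = bits 1,3,5,7; LE = bit 8; GE = bit 9;
 * bit 10 is reserved and always reads as 1; RWn = bits 16+4n..17+4n;
 * LENn = bits 18+4n..19+4n. */
#include <stdio.h>
#include <stdint.h>

struct hwbp {
    int local, global;   /* Ln / Gn enable bits */
    int rw;              /* 0 = execute, 1 = write, 2 = I/O (CR4.DE), 3 = read/write */
    int len_bytes;       /* 1, 2, 4 (8 only in 64-bit mode for LEN=2) */
};

struct dr7_decoded {
    struct hwbp bp[4];
    int le, ge;          /* local/global exact breakpoint enable */
    int armed;           /* how many of DR0..DR3 are enabled */
};

static int len_field_to_bytes(unsigned f)
{
    switch (f) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

struct dr7_decoded decode_dr7(uint32_t dr7)
{
    struct dr7_decoded d = {0};
    for (int n = 0; n < 4; n++) {
        d.bp[n].local     = (dr7 >> (2 * n)) & 1;
        d.bp[n].global    = (dr7 >> (2 * n + 1)) & 1;
        d.bp[n].rw        = (dr7 >> (16 + 4 * n)) & 3;
        d.bp[n].len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * n)) & 3);
        if (d.bp[n].local || d.bp[n].global) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    return d;
}

/* The two checks the text describes, on a DR7 value read at ring 0
 * ("mov eax, dr7" is privileged; here the value is passed in).
 * LE and GE both set is what separates 0x700 from 0x400. */
int le_ge_set(uint32_t dr7)            { return (dr7 & 0x300) == 0x300; }
int hw_breakpoints_armed(uint32_t dr7) { return decode_dr7(dr7).armed > 0; }

/* What a memory breakpoint on DRn (local enable) adds to DR7,
 * keeping the reserved bit 10 set. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len_bytes)
{
    unsigned lenf = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 4 ? 3 : 2;
    dr7 &= ~(0xFu << (16 + 4 * n));               /* clear RWn/LENn */
    dr7 |= 1u << (2 * n);                         /* Ln */
    dr7 |= ((unsigned)rw & 3) << (16 + 4 * n);    /* RWn */
    dr7 |= lenf << (18 + 4 * n);                  /* LENn */
    return dr7 | 0x400;
}

static void show(const char *what, uint32_t dr7)
{
    struct dr7_decoded d = decode_dr7(dr7);
    printf("%-26s DR7=%08x LE=%d GE=%d armed=%d", what, (unsigned)dr7, d.le, d.ge, d.armed);
    for (int n = 0; n < 4; n++)
        if (d.bp[n].local || d.bp[n].global)
            printf(" [DR%d %s rw=%d len=%d]", n, d.bp[n].global ? "G" : "L",
                   d.bp[n].rw, d.bp[n].len_bytes);
    printf("\n");
}

int main(void)
{
    show("no debugger (0x400)", 0x400);
    show("SoftICE loader (0x700)", 0x700);
    show("0x700 + 4-byte RW BPM", dr7_arm(0x700, 0, 3, 4));   /* DR7 = 0xF0701 */
    return 0;
}
```

A protector that wants to clear BPMs (the "values can be manipulated"
part) only has to clear the L/G bits of the breakpoint it found armed; the
LE/GE bits can be left alone, which is why a check of DR0..DR3 together with
DR7 is more telling than the 0x700 comparison on its own.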

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-1           ; INVALID_HANDLE_VALUE
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared holds the first 4 characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; -> '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; -> '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in
 "Software\NuMega\SoftICE" and 0x37 its offset in the Uninstall path of #1)

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>