<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h
        int 3                   ; SoftICE answers the BoundsChecker interface
        cmp al,4                ; and AL no longer holds 04h
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0000:0000 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; assumed setup, missing from the listing as printed:
                                ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; our handler just iret's; a system debugger still answers 0F386h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; remember AL as seen by our handler
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer
        xor cx,cx
        int 41h                 ; our handler copies AL into CL... unless a debugger answered first
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL -> our handler was not the one called
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
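The two DR7 values quoted above (0x400 and 0x700) are easier to reason about once the register's bit layout is decoded. The following Python decoder is an added example, not code from the original text or from any tool it mentions; it implements the documented Intel DR7 layout (L0..G3 enable bits in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, and the R/W and LEN fields in bits 16-31). The value 0xD0402 used in the test is constructed to show a single global 4-byte write breakpoint on DR0, i.e. what a BPM would look like.

```python
# DR7 (x86 debug control register) decoder.  Added example, not part of the
# original text.  0x400 is just the reserved bit 10, which is always set;
# 0x700 additionally sets LE (bit 8) and GE (bit 9), the "exact breakpoint"
# enables.  Any L0..L3 / G0..G3 bit set means a hardware breakpoint is armed.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_NAMES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # LEN field -> bytes covered


def decode_dr7(dr7):
    """Return a dict describing the global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)          # Li: enabled for this task
        glob = bool((dr7 >> (2 * i + 1)) & 1)       # Gi: enabled globally
        rw = (dr7 >> (16 + 4 * i)) & 0b11           # R/Wi: what triggers it
        length = (dr7 >> (18 + 4 * i)) & 0b11       # LENi: how many bytes
        slots.append({
            "index": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "kind": RW_NAMES[rw],
            "length": LEN_NAMES[length],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "gd": bool((dr7 >> 13) & 1),               # general detect: traps MOV DRx
        "slots": slots,
    }


def active_breakpoints(dr7):
    """Only the slots that are actually armed (what the text calls BPMs)."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7):
    """One-line summary: exact-mode flags plus every armed slot."""
    d = decode_dr7(dr7)
    parts = []
    if d["le"] or d["ge"]:
        parts.append("exact-breakpoint mode (LE/GE set)")
    for s in active_breakpoints(dr7):
        parts.append(f"DR{s['index']} armed: {s['kind']} len={s['length']}")
    return "; ".join(parts) or "no hardware breakpoints"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0402):       # 0xD0402 is a constructed sample
        print(f"dr7={value:#x}: {describe(value)}")
```

Reading the registers themselves is ring0-only, as the text says; feed the decoder a value captured from a kernel debugger or a crash dump.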
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
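The magic values, instruction sequences and device/registry names listed in Methods 01, 02, 03/04, 05, 07, 11 and 13 are also the easiest way to spot these tricks statically, before the protected program is ever run under SoftICE. The scanner below is an added example, not part of the original text or of any tool mentioned on this page. It searches a byte buffer for the instruction encodings of the quoted snippets (for example mov ebp,4243484Bh assembles to BD 4B 48 43 42) and for the device names and registry key; it goes a little beyond the text by also looking for UTF-16LE copies of the strings, as a CreateFileW-based variant of the MeltICE check would carry them. The sample buffer is constructed for the demonstration and is not taken from any real binary.

```python
# Static scanner for the anti-SoftICE artifacts described on this page.
# Added example: not part of the original text or of any tool it mentions.
# Patterns are the 16-bit encodings of the quoted instructions; in 32-bit
# code a 66h operand-size prefix may precede the "mov ax"/"cmp ax" forms,
# which still match because the prefix is simply not part of the pattern.

OPCODE_SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("method01 BoundsChecker 'BCHK' handshake", b"\xBD\x4B\x48\x43\x42"),
    # Method 02: the two back-door magic values, mov si,4647h / mov di,4A4Dh
    ("method02 back-door magic SI=4647h", b"\xBE\x47\x46"),
    ("method02 back-door magic DI=4A4Dh", b"\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h (int 2Fh get VxD entry point) and the two
    # VxD IDs; short and generic, so treat them as hints only
    ("method03/04 int 2Fh/1684h request", b"\xB8\x84\x16"),
    ("method03 VxD ID 0202h (mov bx,0202h)", b"\xBB\x02\x02"),
    ("method04 VxD ID 7A5Fh (mov bx,7A5Fh)", b"\xBB\x5F\x7A"),
    # Methods 05/12: mov ax,4Fh ; int 41h -> B8 4F 00 CD 41
    ("method05 int 41h function 4Fh", b"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12: cmp ax,0F386h -> 3D 86 F3
    ("method05/07/12 cmp ax,0F386h", b"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h -> B4 43 CD 68
    ("method07 int 68h function 43h", b"\xB4\x43\xCD\x68"),
]

# Methods 11 and 13: device names opened by MeltICE-style checks and the
# registry key most programs look at (#2 in the text).
STRING_SIGNATURES = [
    ("method11 MeltICE device name", "\\\\.\\SICE"),
    ("method11 MeltICE device name", "\\\\.\\SIWVID"),
    ("method11 MeltICE device name", "\\\\.\\NTICE"),
    ("method13 registry key", "Software\\NuMega\\SoftICE"),
]


def signatures():
    """All patterns: raw opcode sequences plus ASCII and UTF-16LE string forms."""
    sigs = list(OPCODE_SIGNATURES)
    for label, text in STRING_SIGNATURES:
        sigs.append((f"{label} {text} (ascii)", text.encode("ascii")))
        sigs.append((f"{label} {text} (utf-16le)", text.encode("utf-16-le")))
    return sigs


def scan(buf):
    """Return [(offset, description), ...] for every match, ordered by offset."""
    hits = []
    for name, pattern in signatures():
        pos = buf.find(pattern)
        while pos >= 0:
            hits.append((pos, name))
            pos = buf.find(pattern, pos + 1)     # keep going after each hit
    hits.sort()
    return hits


# Constructed sample buffer: padding, the Method 01 stub, a cmp ax,0F386h,
# an ASCII "\\.\SICE" and a UTF-16LE "\\.\NTICE".
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"               # mov ebp, 4243484Bh     (offset 8)
    + b"\x66\xB8\x04\x00\xCC"               # mov ax,4 ; int 3       (offset 13)
    + b"\x3D\x86\xF3"                       # cmp ax,0F386h          (offset 18)
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE",0           (offset 21)
    + "\\\\.\\NTICE".encode("utf-16-le")    # L"\\.\NTICE"           (offset 30)
    + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The short opcode patterns (three bytes) will produce occasional false positives in ordinary code, which is why each hit carries the method it belongs to: a 'BCHK' constant or a device-name string is conclusive on its own, while a lone mov bx,0202h is only worth a look if an int 2Fh request sits next to it.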
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>