<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; BoundsChecker request, answered by SoftICE
    cmp al, 4               ; AL still holds 4 when nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get VxD API entry point): the VxD is loaded if a non-null ES:DI comes back.

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (stays 0 when the VxD is not loaded)
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get VxD API entry point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler, so AX can only become 0F386h if something other than the
vector table answers the call:

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table at 0000:0000
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; leaves AX unchanged (4fh)
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = current PIT counter byte (varies)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL: our handler never ran,
    jnz SoftICE_detected    ; something else handled int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded(void)        /* Win32 API, needs windows.h */
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);         /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
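Since nearly every trick above leaves a distinctive byte sequence or string in the protected file, an analyst triaging a packed sample can look for them statically. The following scanner is an added example, not part of the original text: it searches a file image for the encodings of methods 01, 03/04, 05, 07, 11, 12 and 13 and runs on a constructed sample buffer. The signatures and the sample are my own; they assume the 16-bit encodings quoted above, with an optional 66h operand-size prefix for the same sequences inside 32-bit code.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    what: str


# Byte patterns for the sequences quoted on this page. Immediates are
# little-endian; a 66h operand-size prefix is accepted where 16-bit register
# forms appear inside 32-bit code. This signature set is my own construction.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", "BoundsChecker 'BCHK' request through int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
    ("03/04", "int 2Fh/1684h entry-point lookup for VxD 0202h or 7A5Fh",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05", "int 41h/4Fh check for the 0F386h magic number",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41\x66?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07", "int 68h/43h V86 debugger check",
     re.compile(rb"\xB4\x43\xCD\x68", re.S)),
    # Method 11 (MeltICE) and the _lopen variant: driver device names
    ("11", "device path of a SoftICE driver (CreateFileA/_lopen probe)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.S)),
    # Method 13: SoftICE registry key
    ("13", "SoftICE installation registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(data: bytes) -> List[Hit]:
    """Return every signature match in data, ordered by offset."""
    hits = [Hit(m.start(), method, what)
            for method, what, pat in SIGNATURES
            for m in pat.finditer(data)]
    return sorted(hits)


# Constructed sample image: a handful of the page's sequences assembled by
# hand and separated by NOP padding. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"   # method 01
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # method 05
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"               # method 11
    + b"Software\\NuMega\\SoftICE\x00"                      # method 13
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method:<5} {h.what}")
```

Patterns this short will also fire on benign code, so treat a hit as a pointer to the spot worth disassembling, not as a verdict on the sample.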