About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: INT 3
is raised with EBP='BCHK' and AX=4; if nothing handles the interrupt, AL
comes back unchanged, whereas SoftICE returns with AL no longer equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; still 4 if nothing handled the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door' commands on INT 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
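A way to spot Methods 01 and 02 statically, as an added example that is not part of the original article or of any packer: the C scanner below looks for the instruction bytes that carry the 'BCHK' immediate and the 4647h/4A4Dh magic values ahead of an INT 3 (CCh), and reports the AX function number loaded before the back-door call. The two input buffers are constructed here by hand-assembling the listings above as 16-bit code; they are not bytes taken from Haspinst.exe or any real file, and the 16-byte search window is an assumed heuristic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode + immediate, little-endian, as found in the code stream. */
static const uint8_t MOV_EBP_BCHK[] = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t MOV_SI_FG[]    = {0xBE, 0x47, 0x46};             /* mov si,4647h ('FG')  */
static const uint8_t MOV_DI_JM[]    = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh ('JM')  */
static const uint8_t MOV_AX_4_16[]  = {0xB8, 0x04, 0x00};             /* mov ax,4, 16-bit code */
static const uint8_t MOV_AX_4_32[]  = {0x66, 0xB8, 0x04, 0x00};       /* mov ax,4, 32-bit code */
#define INT3   0xCC
#define WINDOW 16   /* assumed: max bytes between the register setup and the INT 3 */

static int match_at(const uint8_t *buf, size_t len, size_t pos, const uint8_t *pat, size_t plen)
{
    return pos + plen <= len && memcmp(buf + pos, pat, plen) == 0;
}

/* Offset of the first INT 3 in [from, from+WINDOW), or -1. */
static long int3_after(const uint8_t *buf, size_t len, size_t from)
{
    for (size_t i = from; i < len && i < from + WINDOW; i++)
        if (buf[i] == INT3) return (long)i;
    return -1;
}

/* Method 01: mov ebp,'BCHK' ; mov ax,4 ; ... int 3. Returns the offset of the
 * mov ebp opcode (a 66h prefix may precede it in 16-bit code), or -1. */
long find_bchk_check(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (!match_at(buf, len, i, MOV_EBP_BCHK, sizeof MOV_EBP_BCHK)) continue;
        size_t next = i + sizeof MOV_EBP_BCHK;
        if (!match_at(buf, len, next, MOV_AX_4_16, sizeof MOV_AX_4_16) &&
            !match_at(buf, len, next, MOV_AX_4_32, sizeof MOV_AX_4_32)) continue;
        if (int3_after(buf, len, next) >= 0) return (long)i;
    }
    return -1;
}

/* Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3.
 * Returns the offset of the INT 3, or -1. *ax_out gets the immediate of the
 * nearest preceding mov ax,imm16 (B8 iw), i.e. the back-door function, or 0. */
long find_backdoor_call(const uint8_t *buf, size_t len, uint16_t *ax_out)
{
    for (size_t i = 0; i < len; i++) {
        int si_here = match_at(buf, len, i, MOV_SI_FG, 3);
        if (!si_here && !match_at(buf, len, i, MOV_DI_JM, 3)) continue;
        const uint8_t *other = si_here ? MOV_DI_JM : MOV_SI_FG;
        long other_at = -1, int3;
        for (size_t j = i + 3; j < len && j < i + WINDOW; j++)
            if (match_at(buf, len, j, other, 3)) { other_at = (long)j; break; }
        if (other_at < 0 || (int3 = int3_after(buf, len, (size_t)other_at + 3)) < 0) continue;
        *ax_out = 0;
        for (size_t k = i; k-- > 0 && i - k <= WINDOW;)
            if (buf[k] == 0xB8 && k + 3 <= i) {
                *ax_out = (uint16_t)(buf[k + 1] | (buf[k + 2] << 8));
                break;
            }
        return int3;
    }
    return -1;
}

/* Back-door function used in buf (0910h..0914h), or 0 if no call is found. */
uint16_t backdoor_function(const uint8_t *buf, size_t len)
{
    uint16_t ax = 0;
    return find_backdoor_call(buf, len, &ax) < 0 ? 0 : ax;
}

/* Constructed samples, hand-assembled as 16-bit code from the listings in the
 * article; these are not bytes copied from Haspinst.exe or any real file. */
static const uint8_t HASPINST_LOOP[] = {
    0xB8, 0x11, 0x09,  0x8B, 0x17,              /* mov ax,0911h ; mov dx,[bx]    */
    0xBE, 0x47, 0x46,  0xBF, 0x4D, 0x4A,        /* mov si,4647h ; mov di,4A4Dh   */
    0xCC,                                       /* int 3                         */
    0x83, 0xC3, 0x02,  0x41,  0x83, 0xF9, 0x06, /* add bx,2 ; inc cx ; cmp cx,6  */
    0x72, 0xEB,  0xE9, 0x55, 0xFF,  0x8B, 0xDC  /* jb 0095 ; jmp 0002 ; mov bx,sp */
};
static const uint8_t BCHK_SEQ[] = {
    0x90, 0x90,  0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  /* nop ; nop ; mov ebp,4243484Bh      */
    0xB8, 0x04, 0x00,  0xCC,  0x3C, 0x04,  0x75, 0x10 /* mov ax,4 ; int 3 ; cmp al,4 ; jnz */
};

int main(void)
{
    uint16_t ax = 0;
    long at = find_backdoor_call(HASPINST_LOOP, sizeof HASPINST_LOOP, &ax);
    printf("Method 01 'BCHK' check at offset %ld in BCHK_SEQ\n",
           find_bchk_check(BCHK_SEQ, sizeof BCHK_SEQ));
    printf("Method 02 back door INT 3 at offset %ld in HASPINST_LOOP, AX=%04Xh\n", at, ax);
    return 0;
}
```

Because the scanner keys on immediates rather than on the INT 3 alone, it ignores ordinary breakpoints left in a binary; a packer that builds SI/DI arithmetically instead of with mov imm16 will slip past it, which is exactly why the conditional breakpoints listed for the later methods are the more reliable way to catch these tricks at run time.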
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD by its device ID via
int 2Fh/1684h (Get Device API Entry Point); ES:DI comes back non-zero
only if a VxD with that ID is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
plain IRET, so the call is harmless when nothing hooks it; a system debugger
still answers with 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (setup as
                                    ; in Method 06; not in the original listing)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
the installed int 41h handler copies AL into CL, and the value passed in AL
is read from the timer (port 40h), so there is no 4Fh/0F386h constant to set
a conditional breakpoint on. If a system debugger handles the interrupt
instead of the installed handler, CL stays 0 and differs from AL (apart from
the 1-in-256 case where the timer byte happens to be 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h
returns 0F386h when a debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: it hooks
int 01h and int 03h (the single-step and breakpoint interrupts the debugger
relies on) and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app via VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (in ring 0 only). Values can be manipulated or changed
as well (clearing BPMs, for instance).

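To make the values quoted above concrete, here is an added example (not code from the original article) that decodes DR7 the way a packer's ring-0 check would: 0x400 is just the reserved always-one bit 10, 0x700 adds the LE/GE bits 8 and 9, and a SoftICE BPM shows up as an L/G enable bit plus an R/W and LEN field for that slot. The field layout is Intel's (SDM vol. 3, "Debug Registers"); the armed sample value is constructed here, not read from a real machine. Reading DR7 with mov from ring 3 raises #GP, which is why the article says ring 0 only; a Win32 process can still read its own thread's DR0-DR7 through GetThreadContext with CONTEXT_DEBUG_REGISTERS, the user-mode descendant of this trick.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable per slot)
 *   bits 8,9   : LE, GE ("exact" breakpoint mode; present in the 0x700 case)
 *   bit 10     : reserved, always reads as 1 (the 0x400 baseline)
 *   bit 13     : GD, traps any mov to/from a debug register
 *   bits 16+4n : R/Wn  (00 execute, 01 write, 11 read/write)
 *   bits 18+4n : LENn  (00 1 byte, 01 2 bytes, 11 4 bytes)
 */
#define DR7_RESERVED1   0x00000400u
#define DR7_LE          0x00000100u
#define DR7_GE          0x00000200u
#define DR7_GD          0x00002000u
#define DR7_ENABLE_MASK 0x000000FFu

typedef struct {
    int enabled;      /* Ln or Gn set */
    int global;       /* Gn set */
    unsigned rw;      /* R/Wn field */
    unsigned len;     /* LENn field */
} bpm_t;

/* Decode breakpoint slot n (0..3) of a DR7 value. */
bpm_t dr7_slot(uint32_t dr7, int n)
{
    bpm_t b;
    unsigned local  = (dr7 >> (2 * n)) & 1u;
    unsigned global = (dr7 >> (2 * n + 1)) & 1u;
    b.enabled = (local | global) != 0;
    b.global  = global != 0;
    b.rw      = (dr7 >> (16 + 4 * n)) & 3u;
    b.len     = (dr7 >> (18 + 4 * n)) & 3u;
    return b;
}

/* Method 10's first question: is any hardware breakpoint (SoftICE BPM) armed? */
int dr7_has_bpm(uint32_t dr7)
{
    return (dr7 & DR7_ENABLE_MASK) != 0;
}

/* Method 10's second question: does DR7 carry the LE|GE pattern (0x700) the
 * article associates with a program started from the SoftICE loader? */
int dr7_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* What a protector does next ("clearing BPMs"): drop all enable bits, keep
 * everything else. The caller writes the result back with mov dr7,reg from
 * ring 0; DR0-DR3 keep their addresses but no longer fire. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~DR7_ENABLE_MASK;
}

/* Arm slot n as a local breakpoint of the given R/W type and length. Used
 * here only to construct the sample value in main(). */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len)
{
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear R/Wn and LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    dr7 |= 1u << (2 * n);                    /* Ln */
    return dr7 | DR7_RESERVED1;
}

static const char *rw_name(unsigned rw)
{
    switch (rw) {
    case 0:  return "execute";
    case 1:  return "write";
    case 3:  return "read/write";
    default: return "I/O (only with CR4.DE)";
    }
}

static void describe(uint32_t dr7)
{
    printf("DR7=%08X: bpm=%s loader-signature=%s GD=%s\n", (unsigned)dr7,
           dr7_has_bpm(dr7) ? "yes" : "no",
           dr7_loader_signature(dr7) ? "yes" : "no",
           (dr7 & DR7_GD) ? "yes" : "no");
    for (int n = 0; n < 4; n++) {
        bpm_t b = dr7_slot(dr7, n);
        if (b.enabled)
            printf("  DR%d armed: %s, LEN field %u%s\n", n, rw_name(b.rw),
                   b.len, b.global ? ", global" : "");
    }
}

int main(void)
{
    describe(0x400);                         /* no debugger, nothing armed  */
    describe(0x700);                         /* started from SoftICE loader */
    /* Constructed sample: DR0 armed as a 4-byte write BPM (not a real dump). */
    uint32_t armed = dr7_arm(0x700, 0, 1, 3);
    describe(armed);
    describe(dr7_clear_bpms(armed));         /* what the packer writes back */
    return 0;
}
```

The GD bit is worth noting while tracing this method: a debugger that sets it turns the packer's own mov from DRx into a #DB, which is one way to catch the read before the values are altered.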
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

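The conditional breakpoints given for Methods 11 and 13 encode their string tests as a 4-byte read at a fixed offset into the API argument. The added example below (mine, not from the original article) re-evaluates those same predicates on the host side to show where the offsets come from: +4 skips the \\.\ prefix of the device name, and 0x13 and 0x37 are exactly where 'tICE' falls in keys #2 and #1. Running it also shows what the fixed-offset form misses: key #3 (App Paths\Loader32.Exe) contains no 'tICE' at all, so the offset-independent search is the one to use. The compare is done with memcmp on the four bytes; the device and key strings are taken from the text above, and "C:\readme.txt" is a constructed non-matching input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(ptr)=='SICE' reads 4 bytes at ptr and compares them with a
 * 4-character literal. Done here as a plain byte compare. */
static int tag4_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix. */
int bpx_createfile_hits(const char *lpFileName)
{
    return tag4_at(lpFileName, 4, "SICE") || tag4_at(lpFileName, 4, "SIWV")
        || tag4_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 and 0x37 are where "tICE" lands in keys #2 and #1. */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    return tag4_at(lpSubKey, 0x13, "tICE") || tag4_at(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" anywhere in the subkey, or -1: the offset-independent form
 * a reverser would use instead of the two hard-coded offsets. */
long tice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (long)(p - lpSubKey) : -1;
}

/* The three subkeys listed in Method 13, relative to HKEY_LOCAL_MACHINE. */
static const char *const SOFTICE_KEYS[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

int main(void)
{
    /* Device names from Method 11 plus one constructed ordinary path. */
    const char *names[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\readme.txt"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\"): %s\n", names[i],
               bpx_createfile_hits(names[i]) ? "BPX fires" : "passes");
    for (size_t i = 0; i < sizeof SOFTICE_KEYS / sizeof SOFTICE_KEYS[0]; i++)
        printf("key #%zu: 'tICE' at offset %ld, fixed-offset BPX %s\n", i + 1,
               tice_offset(SOFTICE_KEYS[i]),
               bpx_regopenkey_hits(SOFTICE_KEYS[i]) ? "fires" : "misses");
    return 0;
}
```

Note that both breakpoints are case-sensitive byte compares: an application that opens `\\.\sice` or `software\numega\softice` (the registry itself is case-insensitive) is still detected by the OS but walks straight past the conditions above.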
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (Wenshang Information Port) | Powered by Discuz! X3.5