<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911   ; execute command.
 4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647   ; 1st magic value.
 4C19:009D MOV DI,4A4D   ; 2nd magic value.
 4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
 4C19:00A8 JB 0095       ; 6 different commands.
 4C19:00AA JMP 0002      ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; ES is expected to address the interrupt vector table (segment 0),
 ; as set up explicitly in Method 06.
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]     ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al               ; the temporary handler only copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax               ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install the temporary handler, keep the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h              ; read the timer counter: a value that is hard to predict
 xor cx,cx
 int 41h                 ; if our handler runs, CL becomes AL; if SoftICE
                         ; intercepts int 41h instead, CL stays 0
 xchg dx, es:[41h*4]     ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

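To make the two DR7 values quoted above concrete, here is an added Python decoder for the DR7 bit layout (example code written for this page, not part of the original text). The field names follow the Intel manual; the three state labels returned by classify_dr7 are my own naming of the situations the text distinguishes (0x400 is just the reserved bit 10, which always reads as 1; 0x700 adds the LE and GE exact-breakpoint enables; anything with an Ln/Gn bit set means a slot in dr0-dr3 is armed):

```python
# Bit layout of DR7 (Intel SDM vol. 3): bits 0-7 are the L0/G0 ... L3/G3 enable
# pairs, bit 8 LE, bit 9 GE, bit 10 is reserved and always reads as 1, bit 13 GD,
# and bits 16-31 hold the R/Wn (2 bits) and LENn (2 bits) fields for slots 0-3.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named fields (pure arithmetic, no hardware access)."""
    slots = []
    for n in range(4):
        slots.append({
            "slot": n,
            "local": bool((dr7 >> (2 * n)) & 1),
            "global": bool((dr7 >> (2 * n + 1)) & 1),
            "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 0b11],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 0b11],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def active_breakpoints(dr7: int) -> list:
    """Slots whose local or global enable bit is set (a BPM uses one of these)."""
    return [s for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]


def classify_dr7(dr7: int) -> str:
    """Map a DR7 value onto the three states the text distinguishes (my own labels)."""
    fields = decode_dr7(dr7)
    if active_breakpoints(dr7):
        return "hardware_breakpoints"   # dr0-dr3 in use: memory breakpoints are set
    if fields["le"] or fields["ge"]:
        return "exact_enables_only"     # the 0x700 pattern: LE/GE set, no slot armed
    return "idle"                       # the 0x400 pattern: only the always-set bit 10


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x700 | 0b01 | (0b01 << 16) | (0b11 << 18)):
        print(f"dr7={value:#x}: {classify_dr7(value)} {active_breakpoints(value)}")
```

Reading DR7 itself needs ring0, as the text says; the decoder only interprets a value you already captured (from a crash dump, a VM introspection tool or a driver).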
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025   ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

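The interrupt-based checks of Methods 01 to 07, the VxDCall variant of Method 12 and the device names of Method 11 all leave fixed immediates and strings in the code, so an analyst can find them statically before ever running a packed sample under a debugger. Here is an added Python signature scanner (example code written for this page, not part of the original text or of any program it quotes). The opcode encodings, the signature names and the hand-assembled sample bytes are my own construction from the listings above; the DOS tricks are encoded as 16-bit code (with an optional 66h prefix where a 32-bit register is used) and a few unrelated bytes are tolerated between the instructions of one check:

```python
import re

# Opcode-level signatures (bytes regexes). x86 immediates are little-endian;
# ".{0,8}?" tolerates a few unrelated bytes between the instructions of a check.
ANTI_DEBUG_SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "int3_boundschecker": rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (SoftICE back door magic)
    "int3_backdoor": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "int2f_vxd_entry": rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h (the result is then compared with 0F386h)
    "int41_debugger_check": rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "int68_v86_check": rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device names (MeltICE)
    "meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in ANTI_DEBUG_SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return sorted (offset, signature_name) pairs for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a file on disk (a DOS .EXE, a PE, a raw dump)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample (not a real binary): the Haspinst.exe loop quoted in
# Method 02, assembled by hand from the listing, plus a 32-bit Method 01 stub,
# a Method 03 stub and a MeltICE device name, separated by NOP padding.
HASP_INT3_LOOP = bytes.fromhex(
    "B81109"   # 0095 MOV AX,0911
    "8B17"     # 0098 MOV DX,[BX]
    "BE4746"   # 009A MOV SI,4647
    "BF4D4A"   # 009D MOV DI,4A4D
    "CC"       # 00A0 INT 3
    "83C302"   # 00A1 ADD BX,02
    "41"       # 00A4 INC CX
    "83F906"   # 00A5 CMP CX,06
    "72EB"     # 00A8 JB 0095   (rel8 = 0095 - 00AA)
    "E955FF"   # 00AA JMP 0002  (rel16 = 0002 - 00AD)
    "8BDC"     # 00AD MOV BX,SP
)
SAMPLE = (
    bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04")   # Method 01, 32-bit code
    + b"\x90" * 4
    + HASP_INT3_LOOP
    + b"\x90" * 8
    + bytes.fromhex("B88416" "BB0202" "CD2F")             # Method 03, 16-bit code
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                  # Method 11 device name
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says that the immediates of a known trick are present at that offset; a packer can split or obfuscate the sequence, so treat the scanner as triage that tells you which of the methods above to expect when you do step through the code, and widen the byte gaps or add encodings if a sample uses a different register or operand size.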
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>