About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is displayed in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.