<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It checks for the BoundsChecker signature ('BCHK') that SoftICE responds to:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE modifies al when it handles the request
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911       ; execute command.
4C19:0098  MOV  DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647       ; 1st magic value.
4C19:009D  MOV  DI,4A4D       ; 2nd magic value.
4C19:00A0  INT  3             ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06         ; repeat 6 times to execute
4C19:00A8  JB   0095          ; 6 different commands.
4C19:00AA  JMP  0002          ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0000:0000 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler in the IVT
        xchg bx, es:[41h*4+2]   ; (es is assumed to be 0, see Method 06)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h          ; the dummy handler does not touch ax, so
        jz SoftICE_detected     ; 0F386h can only come from the debugger

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only runs if the int reaches our IVT entry
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in  al, 40h             ; a (pseudo-)random byte from the timer
        xor cx, cx              ; cl = 0
        int 41h                 ; if SoftICE handles int 41h itself, our
                                ; handler never runs and cl stays 0
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler ran
        jnz SoftICE_detected    ; (misses if the timer byte happened to be 0)

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
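The following is an added example, not part of the original text: a small Python decoder for the DR7 layout, so that the two values quoted above (0x700 and 0x400) can be read field by field instead of being compared as magic numbers. The bit layout is the documented x86 one (Intel SDM vol. 3, "Debug Registers"); the register values fed to it are constructed, and the "softice-loader"/"none" verdicts only restate the text's rule of thumb.

```python
# DR7 bit layout (architectural, Intel SDM vol. 3); sample values below are
# constructed for the demonstration.
#   bit 2*i     Li   local enable for DRi      bit 2*i+1  Gi  global enable
#   bit 8       LE   local exact breakpoints   bit 9      GE  global exact
#   bit 10      reserved, always reads as 1 (hence the 0x400 the text quotes)
#   bit 13      GD   general detect (trap on any debug-register access)
#   bits 16+4*i..17+4*i  R/Wi  00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4*i..19+4*i  LENi  00 1 byte, 01 2 bytes, 10 8 bytes, 11 4 bytes

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and four breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else "off"),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def active_breakpoints(dr7, dr0_to_dr3):
    """Return (slot, address, type, length) for every enabled slot.

    dr0_to_dr3 is the list of the four address registers, read alongside
    DR7 the way a ring0 routine would (Method 10 of the text).
    """
    decoded = decode_dr7(dr7)
    return [
        (slot["index"], addr, slot["type"], slot["length"])
        for slot, addr in zip(decoded["slots"], dr0_to_dr3)
        if slot["enabled"]
    ]


def classify_dr7(dr7):
    """The text's rule of thumb: 0x700 (LE+GE set) means the program was
    started by the SoftICE loader, 0x400 (only the reserved bit) means it was
    not; any enabled slot means a hardware breakpoint (BPM) is armed."""
    decoded = decode_dr7(dr7)
    if any(slot["enabled"] for slot in decoded["slots"]):
        return "hardware-breakpoint"
    if decoded["le"] and decoded["ge"]:
        return "softice-loader"
    return "none"


if __name__ == "__main__":
    # 0xF0401: L0 set, R/W0 = read/write, LEN0 = 4 bytes, i.e. a BPM on DR0.
    for value in (0x400, 0x700, 0xF0401):
        print(hex(value), classify_dr7(value),
              active_breakpoints(value, [0x401000, 0, 0, 0]))
```

Reading DR7 this way also shows why the 0x700/0x400 check alone says nothing about breakpoints: both values have every Li/Gi bit clear, so the BPM information lives entirely in bits 0..7 and 16..31.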
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name exposed by the SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        /* the open succeeded, so the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set when no debugger is installed

This service just checks a flag.
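An added example, not from the original text nor code of NuMega or of any packer: a Python scanner that flags the byte patterns of the tricks described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 inside a file, the way an analyst would triage a sample before loading it under a debugger. The opcode encodings are the standard x86 ones for the instructions quoted in the text; the sample blob at the bottom is hand-assembled for the demonstration and taken from no real program. A match is a hint, not proof: the strings alone (device names, registry key) also appear in legitimate tools, so hits want confirming with the breakpoints the text lists.

```python
import re

# Signatures of the tricks described in the text, as byte patterns.  The
# opcodes are the standard encodings of the quoted instructions (mov r16,imm16
# = B8+reg, mov ebp,imm32 = BD, int n = CD n, push imm32 = 68, push imm8 = 6A).
# 16-bit and 32-bit code share them apart from the 66h prefix, which the
# patterns deliberately do not anchor on.  The .{0,n} gaps allow for the one
# or two instructions the text shows between the setup and the interrupt.
DEVICE_NAMES = rb"(?:SICE|SIWVID|NTICE)"
RULES = [
    ("M01", re.compile(rb"\xBD\x4B\x48\x43\x42"),
     "mov ebp,4243484Bh ('BCHK'): BoundsChecker int 3 interface"),
    ("M02", re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.S),
     "mov si,4647h / mov di,4A4Dh: SoftICE back door magic values"),
    ("M03", re.compile(rb"\xB8\x84\x16.{0,4}\xBB\x02\x02.{0,4}\xCD\x2F", re.S),
     "int 2Fh/1684h with bx=0202h (SICE VxD ID)"),
    ("M04", re.compile(rb"\xB8\x84\x16.{0,4}\xBB\x5F\x7A.{0,4}\xCD\x2F", re.S),
     "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)"),
    ("M05", re.compile(rb"\xB8\x4F\x00.{0,4}\xCD\x41", re.S),
     "mov ax,4Fh / int 41h: debugger installation check"),
    ("M07", re.compile(rb"\xB4\x43.{0,4}\xCD\x68", re.S),
     "mov ah,43h / int 68h: WinICE V86 handler check"),
    ("M11", re.compile(re.escape(b"\\\\.\\") + DEVICE_NAMES),
     r"device name \\.\SICE, \\.\SIWVID or \\.\NTICE (MeltICE, CreateFileA/_lopen)"),
    ("M12", re.compile(rb"\x6A\x4F.{0,4}\x68\x2A\x00\x2A\x00", re.S),
     "push 4Fh / push 002A002Ah: VxDCall VWIN32_Int41Dispatch"),
    ("M13", re.compile(re.escape(b"Software\\NuMega\\SoftICE")),
     r"registry key Software\NuMega\SoftICE"),
]


def scan(data):
    """Return [(offset, method, description), ...] for every match, by offset."""
    hits = []
    for method, pattern, description in RULES:
        for match in pattern.finditer(data):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_found(data):
    """The set of method labels present in `data`, for a quick triage verdict."""
    return {method for _, method, _ in scan(data)}


# Constructed sample: filler bytes around hand-assembled instances of
# methods 01, 02, 03, 12, 11 and 13.  Not taken from any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # M01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # M02: mov ax,0911h; mov si; mov di; int 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # M03: xor di,di; mov es,di; ...; int 2Fh
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # M12: push 4Fh; push 002A002Ah; call ...
    + b"\\\\.\\SICE\x00"                                   # M11: device name string
    + b"Software\\NuMega\\SoftICE\x00"                      # M13: registry key string
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, description in scan(data):
        print(f"{offset:08x}  {method}  {description}")
```

Run it with a file name to scan that file, or without arguments to scan the built-in sample. Offsets are file offsets, not virtual addresses; for a PE or DOS executable they still land directly on the `BPX`-able instruction once the section mapping is applied.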
</PRE></TD></TR></TBODY></TABLE>