<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises: with
EBP='BCHK' and AX=04h, a loaded SoftICE services the int 3 itself and AL
no longer equals 4 on return, so AL still equal to 4 means no SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): BX holds the VxD ID, and ES:DI comes back
pointing to the VxD's API entry point, or stays 0:0 if no such VxD is
loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (or ax,di would be the safer test: the sum can wrap to 0)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, the SoftICE video driver).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation
check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first install a harmless int 41h
handler of their own: under plain DOS the int 41h vector points to the
fixed-disk parameter table (data, not code), so the bare call above is
only safe where something already hooks the interrupt. The debugger
answers the call itself whether or not a real-mode handler is present,
so AX still comes back as 0F386h when SoftICE is loaded:

 xor ax,ax
 mov es,ax ; ES = 0, the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
substitute handler copies AL into CL, and AL is first loaded with a
pseudo-random byte from the timer (in al,40h). If the program's own
handler ran, CL equals AL afterwards; if SoftICE swallowed the int 41h
instead, the handler never runs, CL stays 0 and the compare fails (a
timer reading of exactly 0 is the one false negative). No 4Fh request and
no 0F386h constant appear in the code, which is what makes it harder to
spot:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): int 68h,
AH=43h is the installation check of the V86-mode debugger interface and
returns AX=0F386h when a debugger is present.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (ring 0 only) you can detect whether
SoftICE is loaded (DR7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether memory breakpoints are set (DR0 to
DR3 hold their addresses, the enable bits live in DR7), simply by reading
their values. Values can be manipulated or changed as well (clearing BPMs
for instance).

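Added example (not part of the original text): a small decoder for the DR7
layout, so the two values quoted above (0x700 with the SoftICE loader, 0x400
without) become readable and the armed DR0-DR3 slots can be listed, cleared
or set the way a protector would. The register values are constructed inside
the script; reading the real DR7 needs a ring-0 mov from DR7, which the
example does not attempt. Function names and the "BPMD ... W" sample are
mine, not SoftICE's.

```python
"""Decode/modify DR7 values as a ring-0 SoftICE check would (added example)."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}  # 2 (10b) = 8 bytes only in 64-bit mode, undefined on a 386


def decode_dr7(dr7):
    """Return DR7's control bits and one entry per hardware breakpoint slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: size of the watched range
        slots.append({
            "index": i,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "rw": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),            # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),            # global exact breakpoint enable
        "bit10": bool(dr7 & (1 << 10)),        # reserved, always reads as 1
        "GD": bool(dr7 & (1 << 13)),           # general detect: traps mov to/from DRn
        "slots": slots,
    }


def softice_loader_signature(dr7):
    """The text's 0x700-vs-0x400 heuristic: only LE and GE (bits 8-9) differ."""
    return (dr7 & 0x300) == 0x300


def armed_slots(dr7):
    """Indices of DR0..DR3 with a breakpoint enabled (what a BPM leaves behind)."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def clear_bpms(dr7):
    """Clear L0..G3 (bits 0-7), which is how a protector kills BPMs; DR0..DR3
    themselves can stay, the enable bits alone gate them."""
    return dr7 & ~0xFF


def set_bpm(dr7, slot, rw, length):
    """Arm slot (0..3) as a local breakpoint with the given condition and size."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot))
    dr7 |= (rw_code | (len_code << 2)) << (16 + 4 * slot)
    return dr7 | (1 << (2 * slot))


# Constructed values (not read from a CPU): the two the text quotes, plus one
# with a 4-byte write BPM in DR0 as a SoftICE "BPMD addr W" would leave it.
DR7_NO_DEBUGGER = 0x400
DR7_SOFTICE_LOADER = 0x700
DR7_WITH_BPMD_W = set_bpm(DR7_SOFTICE_LOADER, 0, "write", 4)  # 0xD0701

if __name__ == "__main__":
    for name, val in [("no debugger", DR7_NO_DEBUGGER),
                      ("SoftICE loader", DR7_SOFTICE_LOADER),
                      ("with BPMD W", DR7_WITH_BPMD_W)]:
        d = decode_dr7(val)
        print(f"{name}: dr7={val:#x} LE={d['LE']} GE={d['GE']} armed={armed_slots(val)}")
```

The heuristic only looks at bits 8-9; bit 10 is set in both values because the
CPU hard-wires it to 1, so it carries no information about the debugger.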
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* the open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
(esp->4 is lpFileName; +4 skips the "\\.\" prefix so the compare lands on
the device name)

-The most exotic ones (could be very slow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (inc eax turns the -1 failure value into 0, so
jnz means the handle was opened):

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slow!

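Added example (not from the original text, and not any packer's or
NuMega's code): a Python scanner that sweeps a raw code image for the byte
encodings of the checks listed in Methods 01 to 07, 11 and 12, the way you
would triage a suspect protector before single-stepping into it. The
signature names, the regular expressions and the wildcard gaps are my own
encodings of the listings above (16-bit operand size unless noted) and only
cover the operand orderings shown there; the sample buffer is hand-assembled
from the same listings with NOP filler and is constructed for the demo.

```python
"""Scan a raw code image for the SoftICE checks catalogued above (added example)."""
import re
import sys

# (name, pattern) pairs: byte encodings of this page's listings, with short
# wildcard gaps for the instructions that may sit between the fixed bytes.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (a 66h prefix precedes BDh in 16-bit code)
    ("Method 01: BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46).{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h and mov bx,0202h|7A5Fh (either order) ... int 2Fh
    ("Method 03/04: int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"(?:\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xB8\x84\x16|\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A)).{0,6}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ... int 41h
    ("Method 05: int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Methods 05/06 (Stone): xchg dx,es:[41h*4] = 26 87 16 04 01, the int 41h vector swap
    ("Method 05/06: int 41h vector swap (xchg dx,es:[41h*4])",
     re.compile(rb"\x26\x87\x16\x04\x01")),
    # Method 07: mov ah,43h ... int 68h
    ("Method 07: int 68h/43h debugger check",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Methods 05/07/12: cmp ax,0F386h = 3D 86 F3 (a 66h prefix precedes it in 32-bit code)
    ("Methods 05/07/12: compare with magic 0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 12 (32-bit): push 4Fh / push 002A002Ah right before the VxDCall
    ("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 11: the NUL-terminated device names MeltICE/_lopen variants open
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(image):
    """Return [(offset, name), ...] for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real protector): the page's listings hand-assembled,
# separated by NOP filler, so the scanner has something to find offline.
FILL = b"\x90" * 4
SAMPLE = (
    FILL
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"              # Method 01 (32-bit)
    + FILL
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # Method 02 (Haspinst loop body)
    + FILL
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03
    + FILL
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x08"                          # Method 05 (simple form)
    + FILL
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                                      # Method 07
    + FILL
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # Method 12 (32-bit)
    + FILL
    + b"\\\\.\\SICE\x00"                                                   # Method 11 string
    + FILL
    + b"\x26\x87\x16\x04\x01"                                              # Stone's vector swap
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Run it with a file argument to scan a dumped code section (an unpacked image,
not the packed file, since the checks usually live in the decrypted layer);
with no argument it scans the embedded sample. The 0F386h compare and the
device-name string fire on their own, so a single hit of those is only a
hint; the int 3 / int 41h / int 2Fh patterns with their register setup are
the ones worth a breakpoint.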
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey string; 0x13 and 0x37 are the offsets of 'tICE' in
keys #2 and #1 respectively)
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag: the zero flag is clear when a debugger is
installed, hence the je.
</PRE></TD></TR></TBODY></TABLE>