<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; SoftICE answers the BCHK request by changing al
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 if no VxD with that ID is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; assumes es = 0 (interrupt vector table)
 xchg bx, es:[41h*4+2] ; install our own int 41h handler
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; our handler leaves ax alone, a debugger does not
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al into cl
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the PIT counter: a more or less random byte
 xor cx,cx
 int 41h ; if SoftICE intercepts int 41h, our handler never runs and cl stays 0
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* The device name is case-insensitive; only the open succeeding matters. */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; pointer to '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32);
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
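
The immediates and strings quoted in these 14 methods are also what an analyst
looks for when triaging a protected sample. The following Python scanner is an
added example, not part of the original text: it searches a binary for the
standard x86 encodings of the instructions above (CMP AX,imm16 is 3D iw,
MOV r16,imm16 is B8+r iw, INT n is CD ib) and for the driver and registry
strings, and reports which catalogued trick each hit belongs to. The SAMPLE
blob it ships with is constructed for demonstration and is not taken from any
real program.

```python
"""Static triage for the SoftICE-detection tricks listed above (added example).

Scans a binary for the x86 encodings of the instructions and the strings the
methods rely on; SAMPLE is a constructed blob, not data from any real file.
"""
import re
import sys

DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]  # method 11 handles

# (label, compiled bytes pattern). IGNORECASE is used only on text rules: on
# bytes it would also fold opcode bytes that happen to be ASCII letters.
RULES = [
    ("method 01: mov ebp,4243484Bh ('BCHK') BoundsChecker probe",      # BD imm32
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("method 02: INT 3 back door magic (mov si,4647h; mov di,4A4Dh)",  # BE/BF imm16
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),
    ("method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)")),
    ("method 05: mov ax,4Fh; int 41h debugger installation check",      # B8 imm16, CD 41
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("method 05/07/12: cmp ax,0F386h system debugger magic",            # 3D imm16
     re.compile(rb"\x3D\x86\xF3")),
    ("method 07: mov ah,43h; int 68h",                                  # B4 ib, CD 68
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("method 11: SoftICE driver name (\\\\.\\SICE / SIWVID / NTICE)",
     re.compile(b"|".join(re.escape(n) for n in DEVICE_NAMES), re.IGNORECASE)),
    ("method 12: push 4Fh; push 002A002Ah VxDCall to VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("method 13: Software\\NuMega\\SoftICE registry key string",
     re.compile(re.escape(rb"Software\NuMega\SoftICE"), re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return [(label, offset), ...] for every signature hit, sorted by offset."""
    hits = [(label, m.start()) for label, pat in RULES for m in pat.finditer(blob)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed input: MZ-style header, then hand-encoded instances of methods
# 01, 05, 11 and 13 with filler between them (offsets noted per line).
SAMPLE = (
    b"MZ" + b"\x00" * 14                            # 0: header
    + b"\xBD\x4B\x48\x43\x42"                       # 16: mov ebp,'BCHK'
    + b"\x90" * 3                                   # 21: nop filler
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # 24: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x00" * 2                                   # 34: filler
    + rb"\\.\SICE" + b"\x00"                        # 36: device name, NUL-terminated
    + rb"Software\NuMega\SoftICE" + b"\x00"         # 45: registry key string
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, offset in scan(data):
        print(f"{offset:08x}  {label}")
```

Hits are heuristics: the three-byte cmp ax,0F386h pattern in particular can
occur by chance in unrelated data, so treat a lone hit as a lead to confirm
in a disassembler, not as proof.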
</PRE></TD></TR></TBODY></TABLE> |