<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE's INT 3 back
door: BoundsChecker identifies itself with 'BCHK' in EBP and AX=4. If
SoftICE is present it handles the request and AL no longer holds 4.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; AL unchanged: nobody answered the back door
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get Device Entry Point"). ES:DI is zeroed beforehand, so if the VxD
is not loaded it stays 0000:0000.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of WINICE
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one points the int 41h vector (ES is
assumed to be 0, the IVT segment) at its own IRET handler for the duration
of the call, so the call is harmless when no debugger is present, and then
restores the original vector:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
4Fh function number and no 0F386h magic value appear in the code. The
temporary handler copies AL into CL; the caller clears CX and loads AL with
an arbitrary value (read from port 40h, the timer) before the call. If the
handler really ran, CL equals AL afterwards; if SoftICE swallowed the
int 41h, CL is still 0.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring0 only),
you can detect whether SoftICE is loaded (dr7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether there are
memory breakpoints set (dr0 to dr3). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* handle opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                      ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
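The instruction sequences behind Methods 01 to 07, 11 and 12 are constant
enough to be found statically, which is how a packer's anti-SoftICE code is
usually spotted before it is ever run. The following scanner is an added
example written for this page, not code from the original text or from any
of the tools it mentions. The signatures were hand-assembled from the
listings above (16-bit encodings, written so that the 66h operand-size
prefix may or may not be present, so 32-bit code matches too), the SAMPLE
blob is those same listings hand-assembled plus a MeltICE device name and is
not a real file, and the hit labels are this example's own.

```python
"""Static scanner for the anti-SoftICE byte sequences described on this page.

Added example, not from the original page.  Signatures were hand-assembled
from the page's listings; SAMPLE is a constructed blob, not a real binary.
"""
import re
from typing import List, Tuple

# (label, regex over raw bytes).  '.' matches any byte (re.DOTALL); the
# bounded lazy gaps allow a few unrelated instructions between the parts.
# The 66h operand-size prefix is tolerated, so 16-bit and 32-bit code match.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') .. mov ax,4 .. int 3
    ("01 BCHK int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)"),
    # Method 02: mov si,4647h / mov di,4A4Dh (SoftICE back-door magic values)
    ("02 back-door magic SI/DI",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2F/1684 VxD id",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int 41/4F",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Methods 05/06: xchg dx,es:[41h*4] (temporary replacement of the vector)
    ("05/06 int 41 vector swap",
     rb"\x26\x87\x16\x04\x01"),
    # Methods 05/07/12: cmp ax,0F386h (debugger magic number)
    ("05/07/12 cmp ax,F386",
     rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68/43",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA/_lopen
    ("11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every signature hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: the page's listings hand-assembled as 16-bit code,
# a few NOPs and a MeltICE device name.  Not taken from any real program.
SAMPLE = bytes.fromhex(
    "90 90"
    "66 BD 4B 48 43 42"          # mov ebp,4243484Bh            (Method 01)
    "B8 04 00 CC 3C 04 75 00"    # mov ax,4 / int 3 / cmp al,4 / jnz
    "90"
    "B8 11 09 8B 17"             # mov ax,0911h / mov dx,[bx]   (Method 02)
    "BE 47 46 BF 4D 4A CC"       # mov si,4647h / mov di,4A4Dh / int 3
    "31 FF 8E C7"                # xor di,di / mov es,di        (Method 03)
    "B8 84 16 BB 02 02 CD 2F"    # mov ax,1684h / mov bx,0202h / int 2Fh
    "B8 4F 00 CD 41 3D 86 F3"    # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    "B4 43 CD 68"                # mov ah,43h / int 68h         (Method 07)
    "6A 4F 68 2A 00 2A 00"       # push 4Fh / push 002A002Ah    (Method 12)
    "26 87 16 04 01 26 87 1E 06 01"  # xchg dx,es:[104h] / xchg bx,es:[106h]
) + b"\\\\.\\SICE\x00"


if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:04x}  {name}")
```

Run against a real packed executable, the scanner only tells you where to
put the first breakpoint; the gaps are deliberately short so that a packer
which spreads the instructions apart or builds the constants at run time
will not match, which is the usual evasion.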

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the two offsets point at the 'tICE' of
"SoftICE" inside the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
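The offsets in that breakpoint, like the '+4' in the CreateFileA breakpoint
of Method 11, are just the position of a 4-character tag inside the argument
string, and the esp->N part is the argument's slot at function entry (the
return address is at esp, so the first argument is esp->4 and the second
esp->8). The helper below derives such conditions from the strings
themselves; it is an added example written for this page, not from the
original text, and it names the function RegOpenKeyA where the page writes
_regopenkey. It also goes one step beyond the page: key #3 contains no
'tICE', so a separate term on 'Load' is generated for it.

```python
"""Derive SoftICE 'BPX ... if *(esp->N+off)==XXXX' conditions from the
argument strings they must match.  Added example, not from the original page."""
from typing import Iterable, List, Tuple


def offset_of(arg: str, tag: str) -> int:
    """Byte offset of a 4-character tag inside an ANSI argument string (-1 if absent)."""
    if len(tag) != 4:
        raise ValueError("SoftICE compares one dword, so the tag must be 4 chars")
    return arg.encode("ascii").find(tag.encode("ascii"))


def tag_at(arg: str, off: int) -> str:
    """The 4 characters a dword read at arg+off would contain."""
    return arg[off:off + 4]


def bpx_condition(func: str, arg_index: int, pairs: Iterable[Tuple[str, int]]) -> str:
    """Build 'BPX func if ...' for argument arg_index (1-based) at function entry.

    [esp] holds the return address, so argument i is at esp->(4*i); each
    (string, offset) pair contributes one '*(esp->N+off)==tag' term.
    """
    slot = 4 * arg_index
    terms: List[str] = []
    for s, off in pairs:
        if off == -1 or off + 4 > len(s):
            raise ValueError(f"no 4-char tag at offset {off} in {s!r}")
        shown = f"0x{off:x}" if off >= 10 else str(off)   # page style: +4, +0x13
        terms.append(f"*(esp->{slot:x}+{shown})=='{tag_at(s, off)}'")
    return f"BPX {func} if " + " || ".join(terms)


# Method 11: the device names passed as CreateFileA's 1st argument; the
# interesting dword starts right after the 4-byte '\\.\' prefix.
MELTICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
MELTICE_BPX = bpx_condition("CreateFileA", 1, [(s, 4) for s in MELTICE_NAMES])

# Method 13: subkeys passed as RegOpenKeyA's 2nd argument (the hive handle is
# the 1st).  Keys #2 and #1 are matched on 'tICE'; key #3 has no 'tICE', so
# it gets its own term on 'Load' (this goes beyond the page's breakpoint).
KEY2 = r"Software\NuMega\SoftICE"
KEY1 = r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"
KEY3 = r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe"
REGISTRY_BPX = bpx_condition(
    "RegOpenKeyA", 2,
    [(KEY2, offset_of(KEY2, "tICE")), (KEY1, offset_of(KEY1, "tICE"))])
REGISTRY_BPX_ALL = bpx_condition(
    "RegOpenKeyA", 2,
    [(KEY2, offset_of(KEY2, "tICE")), (KEY1, offset_of(KEY1, "tICE")),
     (KEY3, offset_of(KEY3, "Load"))])

if __name__ == "__main__":
    print(MELTICE_BPX)
    print(REGISTRY_BPX)
    print(REGISTRY_BPX_ALL)
```

The generated conditions reproduce the page's two breakpoints exactly; the
offsets are worth recomputing this way whenever the target passes a subkey
relative to a different parent key, because a string that is one level
shorter moves 'tICE' and silently turns the breakpoint into a no-op.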


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>