<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; non-zero entry point => VxD is present
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

This method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES is assumed to point to the interrupt vector table (segment 0),
        ; as set up explicitly in the next method.
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but harder to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing value (timer counter)
        xor cx,cx
        int 41h                 ; our handler copies al into cl, unless hooked
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of SoftICE detection but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
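An added static-triage example, not part of the original text: most of the checks above leave fixed immediates in the stub (the 'BCHK' constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the \\.\SICE device names, the 002A002Ah VxDCall argument), so an analyst can flag them in a packed binary before running it. Instruction encodings are assumed (16-bit code for the DOS/int-based methods, 32-bit for the Win32 ones) and the sample blob is constructed; it covers methods 01, 02, 03/04, 05, 07, 11 and 12.

```python
import re
from typing import List, Tuple

# Byte signatures for the checks listed in the text.  Encodings are assumed:
# 16-bit code for the DOS/int-based methods, 32-bit code for the Win32 ones.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    "01 BoundsChecker signature":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: the 4647h/4A4Dh magic values loaded (either order) before int 3
    "02 INT 3 back door (SI=4647h, DI=4A4Dh)":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh":
        rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h":
        rb"\xB4\x43\xCD\x68",
    # Method 11: device names handed to CreateFileA / _lopen
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh (short or long form) / push 002A002Ah before VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real file): NOP padding around a Method 01 stub,
# a HASP-style INT 3 back door call, a MeltICE device name and a Method 12
# VxDCall prologue.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 @ 16
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 @ 35
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # Method 11 @ 46
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"              # Method 12 @ 59
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:06x}  {name}")
```

Offsets reported are file offsets, so on a real PE they still need mapping to an RVA before being used as a BPX address.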
</PRE></TD></TR></TBODY></TABLE>