<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with 'BCHK' in EBP and
AX=4, SoftICE's int 3 handler services the request and AL is no longer 4 on
return; without SoftICE, AL is untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). The call returns the VxD's API entry point in
ES:DI and leaves ES:DI at 0:0 when no VxD with that ID is loaded:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method that looks for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program installs its own int 41h
handler, which only returns; if AX still comes back as 0F386h, something
below the interrupt vector table (SoftICE) answered the call. The two lines
that zero ES are added here: the excerpt assumed ES already pointed at the
IVT, as in Method 06.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h vector...
        xchg bx, es:[41h*4+2]   ; ...keeping the old one in DX:BX
        mov ax, 4Fh
        int 41h                 ; our handler only does iret, so AX should stay 4Fh
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========

A 2nd method, similar to the preceding one but harder to detect: it never
uses function 4Fh. Instead it checks whether its own int 41h handler got
control at all. The handler copies AL (an unpredictable value read from the
timer port) into CL; if SoftICE has hooked int 41h, the handler is never
reached, CL stays 0 and no longer matches AL.

int41handler PROC
        mov cl, al              ; only reached if SoftICE did not swallow the int
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; CL == AL only if our handler ran
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
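
The tricks of Methods 01 to 07 all reduce to a few fixed instruction
sequences, so an analyst can find them in a binary statically, before
running anything under SoftICE. The C program below is an added example
(it is not code from the original text, nor from any of the protectors it
describes): it holds one masked byte pattern per method, encoded as 16-bit
code, scans a buffer and reports each hit. The sample buffer is constructed
by hand-encoding the Haspinst.exe loop from Method 02 followed by the
Method 04 sequence; it is not a byte dump of a real file. The type and
function names (sig_t, hit_t, scan, vxd_id_at) are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HITS 32

typedef struct {
    const char    *name;   /* trick the pattern belongs to */
    const uint8_t *pat;    /* expected bytes */
    const uint8_t *mask;   /* 0xFF = must match, 0x00 = wildcard (an immediate decoded later) */
    size_t         len;
} sig_t;

typedef struct { const sig_t *sig; size_t off; } hit_t;   /* off = first byte of the hit */

/* Method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3  (16-bit code, so the 32-bit mov carries a 66h prefix) */
static const uint8_t m01_pat[]  = {0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC};
static const uint8_t m01_mask[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF, 0xFF};
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (the mov ax,09xxh may sit elsewhere, so it is not matched) */
static const uint8_t m02_pat[]  = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
static const uint8_t m02_mask[] = {0xFF,0xFF,0xFF, 0xFF,0xFF,0xFF, 0xFF};
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh  (the id bytes are wildcards, see vxd_id_at) */
static const uint8_t m03_pat[]  = {0xB8,0x84,0x16, 0xBB,0x00,0x00, 0xCD,0x2F};
static const uint8_t m03_mask[] = {0xFF,0xFF,0xFF, 0xFF,0x00,0x00, 0xFF,0xFF};
/* Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h */
static const uint8_t m05_pat[]  = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3};
static const uint8_t m05_mask[] = {0xFF,0xFF,0xFF, 0xFF,0xFF, 0xFF,0xFF,0xFF};
/* Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h */
static const uint8_t m07_pat[]  = {0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3};
static const uint8_t m07_mask[] = {0xFF,0xFF, 0xFF,0xFF, 0xFF,0xFF,0xFF};

static const sig_t sigs[] = {
    {"Method 01 (BCHK int 3)",           m01_pat, m01_mask, sizeof m01_pat},
    {"Method 02 (FG/JM int 3 backdoor)", m02_pat, m02_mask, sizeof m02_pat},
    {"Method 03/04 (int 2Fh/1684h)",     m03_pat, m03_mask, sizeof m03_pat},
    {"Method 05 (int 41h/4Fh)",          m05_pat, m05_mask, sizeof m05_pat},
    {"Method 07 (int 68h/43h)",          m07_pat, m07_mask, sizeof m07_pat},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Masked comparison of one signature at one offset. */
static int match_at(const uint8_t *buf, size_t len, size_t off, const sig_t *s)
{
    if (off + s->len > len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if ((buf[off + i] & s->mask[i]) != (s->pat[i] & s->mask[i])) return 0;
    return 1;
}

/* Scan buf for every signature; returns the number of hits written to out (at most max). */
size_t scan(const uint8_t *buf, size_t len, hit_t *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++)
        for (size_t k = 0; k < NSIGS && n < max; k++)
            if (match_at(buf, len, off, &sigs[k])) { out[n].sig = &sigs[k]; out[n].off = off; n++; }
    return n;
}

/* For a Method 03/04 hit: the little-endian imm16 of "mov bx,imm16" (0202h = SICE, 7A5Fh = SIWVID). */
unsigned vxd_id_at(const uint8_t *buf, size_t off)
{
    return buf[off + 4] | ((unsigned)buf[off + 5] << 8);
}

/* Constructed sample: the Haspinst.exe loop from the Method 02 listing, hand-encoded as 16-bit
   code, followed by the Method 04 sequence. These are not bytes copied from any real file. */
const uint8_t sample[] = {
    0xB8,0x11,0x09,  0x8B,0x17,        /* 0095 mov ax,0911h ; 0098 mov dx,[bx]  */
    0xBE,0x47,0x46,  0xBF,0x4D,0x4A,   /* 009A mov si,4647h ; 009D mov di,4A4Dh */
    0xCC,            0x83,0xC3,0x02,   /* 00A0 int 3        ; 00A1 add bx,2     */
    0x41,            0x83,0xF9,0x06,   /* 00A4 inc cx       ; 00A5 cmp cx,6     */
    0x72,0xEB,       0xE9,0x55,0xFF,   /* 00A8 jb 0095      ; 00AA jmp 0002     */
    0x8B,0xDC,                         /* 00AD mov bx,sp                        */
    0x33,0xFF,       0x8E,0xC7,        /* xor di,di         ; mov es,di         */
    0xB8,0x84,0x16,  0xBB,0x5F,0x7A,   /* mov ax,1684h      ; mov bx,7A5Fh      */
    0xCD,0x2F,                         /* int 2Fh                               */
};
const size_t sample_len = sizeof sample;

int main(void)
{
    hit_t hits[MAX_HITS];
    size_t n = scan(sample, sample_len, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++) {
        printf("+%04zX  %s", hits[i].off, hits[i].sig->name);
        if (hits[i].sig == &sigs[2]) printf("  (VxD id %04X)", vxd_id_at(sample, hits[i].off));
        putchar('\n');
    }
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 scan.c) and run; on the sample it
reports the int 3 backdoor at +0005 and the int 2Fh/1684h probe at +001E
with VxD id 7A5F. Treat the patterns as a triage aid, not proof: a packer
that builds SI, DI or the VxD id with arithmetic instead of immediates, or
that splits the sequence with junk instructions, will not match, and in
32-bit code the Method 01 mov ebp has no 66h prefix.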
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used when there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE when the SICE driver answers the open, i.e. SoftICE for Win9x is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected!
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but is very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only):

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>