About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE recognises the
BoundsChecker magic in EBP and answers by changing AL, so AL != 4 after the
int 3 means SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). They temporarily point the int 41h vector
in the IVT at a dummy handler: if AX still comes back as 0F386h although the
vector points to a plain iret, something other than the IVT entry (the
debugger) answered the interrupt.

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so ES:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if the IVT entry was used
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary non-zero value (timer)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; int 21h/25h: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD; the open only
      succeeds when the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
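As an added example (not from the original post or from any tool it names), here is a small C scanner an analyst can run over a sample to flag the byte patterns of the tricks listed above before loading it in a debugger; the byte encodings are derived from the instructions in the post, and the sample buffer is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A byte pattern of one trick. The 16-bit register forms also match inside
 * 32-bit code, where they are only preceded by a 66h operand-size prefix. */
typedef struct { const char *name; const unsigned char *pat; size_t len; } Signature;

static const unsigned char P_BCHK[]  = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,4243484Bh 'BCHK' */
static const unsigned char P_SI[]    = {0xBE, 0x47, 0x46};             /* mov si,4647h  (magic) */
static const unsigned char P_DI[]    = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh  (magic) */
static const unsigned char P_INT41[] = {0xB8, 0x4F, 0x00, 0xCD, 0x41}; /* mov ax,4Fh / int 41h */
static const unsigned char P_INT68[] = {0xB4, 0x43, 0xCD, 0x68};       /* mov ah,43h / int 68h */
static const unsigned char P_VXD[]   = {0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00}; /* push 4Fh / push 2A002Ah */
static const unsigned char P_SICE[]  = "\\\\.\\SICE";                  /* \\.\SICE device name */

static const Signature SIGS[] = {
    {"Method 01: BoundsChecker 'BCHK' magic in EBP", P_BCHK,  sizeof P_BCHK},
    {"Method 02: back door magic SI=4647h",          P_SI,    sizeof P_SI},
    {"Method 02: back door magic DI=4A4Dh",          P_DI,    sizeof P_DI},
    {"Method 05: int 41h function 4Fh",              P_INT41, sizeof P_INT41},
    {"Method 07: int 68h function 43h",              P_INT68, sizeof P_INT68},
    {"Method 12: VxDCall VWIN32_Int41Dispatch 4Fh",  P_VXD,   sizeof P_VXD},
    {"Method 11: \\\\.\\SICE device name (MeltICE)", P_SICE,  sizeof P_SICE - 1},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of signature s in buf, or -1 if it does not occur. */
long find_signature(const unsigned char *buf, size_t len, size_t s)
{
    for (size_t i = 0; i + SIGS[s].len <= len; i++)
        if (memcmp(buf + i, SIGS[s].pat, SIGS[s].len) == 0)
            return (long)i;
    return -1;
}

/* Number of distinct signatures present in buf; prints each hit with its offset. */
size_t count_hits(const unsigned char *buf, size_t len)
{
    size_t hits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        long off = find_signature(buf, len, s);
        if (off >= 0) {
            printf("  +%ld  %s\n", off, SIGS[s].name);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample (not from any real binary): the Method 05 check, then the
 * MeltICE device name, padded with NOPs. CLEAN is an ordinary prologue/ret. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90, 0xB8, 0x4F, 0x00, 0xCD, 0x41,  /* nop nop; mov ax,4Fh; int 41h */
    0x3D, 0x86, 0xF3, 0x74, 0x02, 0x90, 0x90,  /* cmp ax,0F386h; jz +2; nop nop */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};
static const unsigned char CLEAN[] = {0x55, 0x8B, 0xEC, 0xC3};

int main(void)
{
    printf("sample: %zu hit(s)\n", count_hits(SAMPLE, sizeof SAMPLE)); /* 2 */
    printf("clean:  %zu hit(s)\n", count_hits(CLEAN, sizeof CLEAN));   /* 0 */
    return 0;
}
```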