<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE:

        mov ebp, 04243484Bh    ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4              ; al is still 4 when nobody answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
A less used method. It looks for the SoftICE VxD via int 2Fh, function
1684h (Get API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of winice
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax             ; ES:DI == 0:0 means no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax              ; ES -> interrupt vector table (segment 0), as in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]    ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]    ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========
2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC              ; our own int 41h handler: it only remembers al
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax              ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]    ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h             ; unpredictable value read from the timer port
        xor cx,cx
        int 41h                ; reaches our handler only if nobody else owns int 41h
        xchg dx, es:[41h*4]    ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al              ; cl == al only if our handler actually ran
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
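The two DR7 values quoted above differ only in bits 8 and 9. The decoder below is an added example, not part of the original text: it splits a DR7 value into the fields Intel documents for that register (the L0-L3/G0-G3 enable bits, LE at bit 8, GE at bit 9, the reserved bit 10 that always reads as 1, GD at bit 13, and one RW/LEN pair per slot), so that 0x400 reads as "reserved bit only, nothing armed" and 0x700 as "LE and GE set, nothing armed". The names Slot, Dr7, decode_dr7 and summarize are this example's own, and the value 0x000F0702 used below is constructed to show one armed 4-byte read/write breakpoint in DR0.

```python
"""Decode the x86 DR7 debug control register field by field.

Added example, not code from the original text. Bit positions follow the
Intel SDM description of DR7 (vol. 3, "Debug Registers")."""
from dataclasses import dataclass
from typing import List

# RW field (2 bits per slot): what kind of access triggers the breakpoint.
RW_NAMES = {0: "execute", 1: "data write", 2: "I/O (CR4.DE only)", 3: "data read/write"}
# LEN field (2 bits per slot): watched size. Encoding 2 (8 bytes) is 64-bit only.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class Slot:
    index: int
    local_enable: bool    # Ln, bit 2*n
    global_enable: bool   # Gn, bit 2*n+1
    condition: str        # decoded RWn
    length: int           # decoded LENn, in bytes

    @property
    def active(self) -> bool:
        return self.local_enable or self.global_enable


@dataclass
class Dr7:
    raw: int
    slots: List[Slot]
    local_exact: bool     # LE, bit 8
    global_exact: bool    # GE, bit 9
    reserved_bit10: bool  # reserved, reads as 1 on real hardware
    general_detect: bool  # GD, bit 13: #DB on any MOV to/from a debug register

    def active_slots(self) -> List[int]:
        return [s.index for s in self.slots if s.active]


def decode_dr7(value: int) -> Dr7:
    """Split a 32-bit DR7 value into its documented fields."""
    value &= 0xFFFFFFFF
    slots = []
    for i in range(4):
        rw = (value >> (16 + 4 * i)) & 0b11
        ln = (value >> (18 + 4 * i)) & 0b11
        slots.append(Slot(
            index=i,
            local_enable=bool((value >> (2 * i)) & 1),
            global_enable=bool((value >> (2 * i + 1)) & 1),
            condition=RW_NAMES[rw],
            length=LEN_BYTES[ln],
        ))
    return Dr7(
        raw=value,
        slots=slots,
        local_exact=bool((value >> 8) & 1),
        global_exact=bool((value >> 9) & 1),
        reserved_bit10=bool((value >> 10) & 1),
        general_detect=bool((value >> 13) & 1),
    )


def summarize(value: int) -> str:
    """One-line human-readable description of a DR7 value."""
    d = decode_dr7(value)
    flags = [name for name, on in (("LE", d.local_exact),
                                   ("GE", d.global_exact),
                                   ("GD", d.general_detect)) if on]
    parts = [f"DR7={value:#010x}", "flags=" + ("|".join(flags) or "none")]
    for s in d.slots:
        if s.active:
            scope = "global" if s.global_enable else "local"
            parts.append(f"DR{s.index}: {s.condition}, {s.length} byte(s), {scope}")
    if not d.active_slots():
        parts.append("no hardware breakpoints armed")
    return "; ".join(parts)


if __name__ == "__main__":
    # The two values from the text plus one constructed value with DR0 armed.
    for v in (0x400, 0x700, 0x000F0702):
        print(summarize(v))
```

The decoder also makes the caveat in the text concrete: a check that compares DR7 against 0x400 is really testing the LE/GE bits, which is why clearing breakpoints alone is not enough while the option is enabled.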

___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025        ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                       ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                       ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589               ; detected
        push 00                    ; OF_READ
        mov eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh             ; function 4fh
        push 002a002ah             ; high word specifies which VxD (VWIN32),
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001      ; VxdCall
        cmp ax, 0f386h             ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
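The device names of Method 11, the registry paths of Method 13 and the immediates of Methods 01 and 02 are all constants that end up inside the protected binary, so an analyst can look for them statically instead of catching them with a breakpoint. The scanner below is an added example, not code from the original text or from any tool it names: it searches a raw image for those byte patterns (the device names in both ANSI and UTF-16LE form, the registry paths, the mov ebp,4243484Bh encoding BD 4B 48 43 42, and the 16-bit mov si,4647h / mov di,4A4Dh encodings BE 47 46 / BF 4D 4A). SAMPLE_IMAGE is a constructed byte string, not taken from any real program; scan, describe and the indicator labels are this example's own.

```python
"""Static scan of a binary image for the SoftICE-detection artefacts
described in Methods 01, 02, 11 and 13 (added example, not code from the
original text)."""
from typing import List, Tuple

# Constants taken from the text above; the grouping and labels are this
# example's own.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_PATHS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE"]


def _wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII byte string (what a CreateFileW caller stores)."""
    return s.decode("ascii").encode("utf-16-le")


INDICATORS: List[Tuple[str, bytes]] = (
    [(f"device name {n.decode()}", n) for n in DEVICE_NAMES]
    + [(f"device name {n.decode()} (wide)", _wide(n)) for n in DEVICE_NAMES]
    + [(f"registry path {p.decode()}", p) for p in REGISTRY_PATHS]
    + [(f"registry path {p.decode()} (wide)", _wide(p)) for p in REGISTRY_PATHS]
    + [
        # Method 01: mov ebp, 4243484Bh -> opcode BD followed by the
        # little-endian immediate ('BCHK' read as a dword).
        ("BoundsChecker 'BCHK' immediate (mov ebp, 4243484Bh)",
         b"\xBD\x4B\x48\x43\x42"),
        # Method 02, 16-bit code: mov si,4647h (BE imm16) and mov di,4A4Dh (BF imm16).
        ("SoftICE back-door magic SI=4647h (mov si,4647h)", b"\xBE\x47\x46"),
        ("SoftICE back-door magic DI=4A4Dh (mov di,4A4Dh)", b"\xBF\x4D\x4A"),
    ]
)


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every occurrence of every indicator,
    sorted by offset. Overlapping occurrences are all reported."""
    hits: List[Tuple[int, str]] = []
    for desc, pattern in INDICATORS:
        start = 0
        while True:
            pos = image.find(pattern, start)
            if pos < 0:
                break
            hits.append((pos, desc))
            start = pos + 1
    hits.sort()
    return hits


def describe(image: bytes) -> List[str]:
    """Format scan results as 'offset: description' lines."""
    return [f"{off:#010x}: {desc}" for off, desc in scan(image)]


# Constructed sample image (not from any real binary): the Method 01 sequence
# encoded as 32-bit code, then the ANSI device name MeltICE opens, then a
# wide-string copy of registry path #2.
SAMPLE_IMAGE = (
    b"\x90\x90"                      # offset 0: nop nop (padding)
    + b"\xBD\x4B\x48\x43\x42"        # offset 2: mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"            # offset 7: mov ax, 4
    + b"\xCC"                        # offset 11: int 3
    + b"\x3C\x04"                    # offset 12: cmp al, 4
    + b"\x00" * 6                    # offsets 14-19: filler
    + b"\\\\.\\SICE\x00"             # offset 20: "\\.\SICE", NUL-terminated
    + b"\x00" * 4                    # offsets 29-32: filler
    + _wide(b"Software\\NuMega\\SoftICE")   # offset 33: wide registry path
)

if __name__ == "__main__":
    for line in describe(SAMPLE_IMAGE):
        print(line)
```

The 3-byte patterns for the Method 02 immediates will produce chance matches in any large image, so treat hits from them as places to disassemble, not as verdicts; the 5-byte 'BCHK' encoding and the device-name strings are far more specific.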

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>