About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give info on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
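As an added example (not part of the original post), here is a small static scanner that flags the byte-level fingerprints of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above in a raw code or data buffer, the kind of triage check an analyst runs on a sample before stepping into it. The instruction encodings, the byte windows allowed between the pieces of each pattern and the sample buffer it scans are my own constructions, not taken from any real binary.

```python
"""Static scanner for the anti-SoftICE code patterns catalogued above."""
import re
from typing import Dict, List

# (method id, what the bytes encode, regex over raw code/data).  Encodings are
# the usual 16-bit ones unless the listing above is 32-bit; the byte windows
# between the pieces are an assumption, and re.S lets '.' match any byte.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' ... int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.S)),
    ("02", "mov si,4647h / mov di,4A4Dh ... int 3 (back door)",
     re.compile(rb"\xbe\x47\x46(?:\x00\x00)?.{0,8}?\xbf\x4d\x4a(?:\x00\x00)?"
                rb".{0,8}?\xcc", re.S)),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD ID lookup)",
     re.compile(rb"\xb8\x84\x16.{0,4}?\xbb(?:\x02\x02|\x5f\x7a).{0,4}?\xcd\x2f",
                re.S)),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x66?\x3d\x86\xf3", re.S)),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xb4\x43.{0,4}?\xcd\x68.{0,8}?\x66?\x3d\x86\xf3", re.S)),
    ("11", "\\\\.\\SICE-style device name (CreateFileA / _lopen)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "push 4Fh / push 002A002Ah / VxDCall / cmp ax,0F386h",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00.{0,16}?\x66?\x3d\x86\xf3", re.S)),
    ("13", "NuMega\\SoftICE registry path",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each method id found in `data` to the offsets of its matches."""
    hits: Dict[str, List[int]] = {}
    for method, _desc, pattern in SIGNATURES:
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[method] = offsets
    return hits


def describe(method: str) -> str:
    """Human-readable description of a method id (empty if unknown)."""
    return next((d for m, d, _ in SIGNATURES if m == method), "")


def build_sample() -> bytes:
    """Constructed buffer: one hand-assembled chunk per listing above, joined
    by NOP (0x90) padding.  Not taken from any real program."""
    chunks = [
        b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10",      # 01
        b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc\x83\xc3\x02",  # 02
        b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f",              # 03
        b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05",                      # 05
        b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x03",                          # 07
        b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x10\x20\x40\x00"
        b"\x66\x3d\x86\xf3\x74\x07",                                      # 12
        b"\\\\.\\SICE\x00",                                               # 11
        b"Software\\NuMega\\SoftICE\x00",                                 # 13
    ]
    return b"\x90" * 16 + (b"\x90" * 8).join(chunks) + b"\x90" * 16


if __name__ == "__main__":
    for method, offsets in sorted(scan(build_sample()).items()):
        print(f"method {method:<5} at {offsets}: {describe(method)}")
```

A lone `int 3` or a stray 0F386h constant never fires on its own; each pattern needs the surrounding setup shown in the listing, which keeps false positives low on ordinary code.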