<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (IVT segment), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al             ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; timer port: a value the debugger cannot guess
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; if our handler did not run, CL != AL
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
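To make the dr7 values quoted above concrete, here is an added Python decoder (my own example, not part of the original text) that splits DR7 into the L/G enable bits of dr0-dr3, the LE/GE flags that separate 0x700 from 0x400, and the R/W and LEN fields that describe a BPM; the bit layout is the one documented in the Intel manuals, and the function names are mine.

```python
"""Decode DR7 the way the ring-0 check above reads it (added example).

Bit layout from the Intel SDM vol. 3 (not from the original text):
  bit 2i    L<i>  local enable of DR<i>     bit 8   LE  local exact
  bit 2i+1  G<i>  global enable of DR<i>    bit 9   GE  global exact
  bit 10    reserved, always reads as 1     bits 16+4i,17+4i  R/W<i>
                                            bits 18+4i,19+4i  LEN<i>
"""

# R/W field: which kind of access fires the breakpoint.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field: bytes covered. Encoding 2 (8 bytes) exists in 64-bit mode only.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the LE/GE flags in dr7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                  # DR<i> not armed: nothing to report
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"dr": i, "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200)}


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: LE and GE set (0x700) versus only the reserved
    bit 10 (0x400), which the CPU reports even with no debugger around."""
    return (dr7 & 0x300) == 0x300


def has_memory_breakpoints(dr7: int) -> bool:
    """True if any of dr0..dr3 is enabled, i.e. a BPM-style breakpoint is set."""
    return bool(dr7 & 0xFF)


if __name__ == "__main__":
    # Constructed values: the two the text quotes, plus dr0 armed as a
    # 4-byte global write breakpoint (G0=1, RW0=01b, LEN0=11b).
    for value in (0x400, 0x700, 0x700 | 0x2 | (1 << 16) | (3 << 18)):
        print(hex(value), decode_dr7(value),
              "loader" if looks_like_softice_loader(value) else "plain")
```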

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds if the SICE VxD answers the DIOC_OPEN message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected
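As an added analyst-side example (not code from the original text), the following Python scans a raw image for the byte encodings of the idioms from Methods 01 to 07 and the device and registry strings of Methods 11 and 13, the kind of triage one runs on a packed sample before opening it in the debugger; the sample bytes are constructed for the demo and the signature labels are my own.

```python
"""Flag the SoftICE-detection idioms from this text in a raw binary image.
Added triage aid, not code from the original text: the patterns are the x86
encodings of Methods 01-07 (16-bit forms where the text shows DOS code; in
32-bit code a 66h prefix simply precedes the match) plus the device and
registry strings of Methods 11 and 13. A hit is a place to open in the
disassembler, not proof of anti-debugging on its own."""
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("int3 BoundsChecker magic (BCHK)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values, either order)
    ("int3 back-door magic SI/DI",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46")),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID)
    ("int 2Fh/1684h SICE VxD ID", re.compile(rb"\xB8\x84\x16\xBB\x02\x02")),
    ("int 2Fh/1684h SIWVID VxD ID", re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A")),
    # Method 05: mov ax,4Fh ; int 41h
    ("int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Methods 05/07/12: cmp ax,0F386h (system-debugger magic number)
    ("cmp ax,0F386h", re.compile(rb"\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("int 68h/43h V86 check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE as NUL-terminated ANSI strings
    ("MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the NuMega registry key
    ("SoftICE registry key", re.compile(rb"NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(image: bytes) -> list:
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: NOP padding, the Method 01 sequence in its 32-bit form,
# then two of the Method 11 device names as NUL-terminated ANSI strings.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"        # mov ax,4
    + b"\xCC"                    # int 3
    + b"\x3C\x04"                # cmp al,4
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```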


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>