<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al is altered when SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0 if the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 so that es:[41h*4] addresses the IVT entry of int 41h
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; only a debugger hooking int 41h returns this
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; reached only if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
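As an added example (not part of the original text), the decoder below shows what the DR7 values quoted above mean bit by bit: 0x400 is only the reserved always-one bit, 0x700 adds LE and GE, and a BPM shows up as an L/G enable bit plus the R/W and LEN fields of that register. The bit layout follows the Intel SDM; the 0x00010701 sample is a constructed value.

```python
# Added example: decode DR7 so a ring-0 read of the debug registers can be
# interpreted. Layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 enable bits,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1),
# bits 16+4n..17+4n = R/Wn and bits 18+4n..19+4n = LENn for breakpoint n.

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is 8 bytes on 64-bit only


def decode_dr7(dr7):
    """Return a dict describing which hardware breakpoints DR7 enables."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),    # LE
        "global_exact": bool(dr7 & (1 << 9)),   # GE
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                              # dr<n> is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "reg": f"dr{n}",
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def classify(dr7):
    """Apply the rule of thumb from the text: 0x400 = plain system,
    0x700 = loaded via the SoftICE loader, any L/G bit = BPM armed."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm set on " + ", ".join(b["reg"] for b in d["breakpoints"])
    if d["local_exact"] and d["global_exact"]:
        return "loaded via SoftICE loader (LE|GE)"
    return "no debug registers in use"


if __name__ == "__main__":
    # 0x00010701 is a constructed value: L0 set, R/W0 = write, LEN0 = 1 byte
    for v in (0x400, 0x700, 0x00010701):
        print(hex(v), "->", classify(v), decode_dr7(v)["breakpoints"])
```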

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver handles
(SICE, SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the device exists: SoftICE driver present */
        return TRUE;
    }
    return FALSE;             /* open failed: no SoftICE driver */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025     ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                     ; OF_READ
 mov eax,[00656634]          ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589                ; detected
 push 00                     ; OF_READ
 mov eax,[00656638]          ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>