<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the int 3 is issued
with EBP='BCHK' and AX=4, and if SoftICE is loaded AL no longer holds 4
when the call returns.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a much-used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP        ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is cleared first; if the VxD is not
loaded it comes back still zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
5 @3 M" {3 j; z$ e) d; ]3 E4 L, U
( \% U6 ?# y1 W" q3 E5 CMethod 04
; A# Z8 n6 v7 i; q. T=========' a7 Q- X* o9 Q$ u. Z/ b- S6 d ?
- A' B8 L' [; R6 P( r, v4 r
Method identical to the preceding one except that it seeks the ID of SoftICE# P4 n( [4 V% Z3 j2 @# m
GFX VxD.9 V2 i) e* E& P. B, }: v8 ?
9 ?, A- f4 q# r- `* l xor di,di0 _, z9 g$ }1 S, @% a
mov es,di2 \! {' V8 H& U" C
mov ax, 1684h # B0 ?: A4 x( {' S
mov bx, 7a5Fh ; VxD ID of SIWVID
: V% i2 z s9 \4 ?7 E) w# j2 m int 2fh: L8 H* U8 F4 d7 ~3 g2 I5 t% l
mov ax, es ; ES:DI -> VxD API entry point
* a* ^. t8 i. ~$ ?/ q F add ax, di6 b, F1 e3 h, V
test ax,ax
" e5 e, d# N, E: V4 ~: J1 r! t0 X jnz SoftICE_Detected
w' K8 U5 c/ m, {6 x" E W+ { J! u1 y, r
__________________________________________________________________________1 Q* E* v; S! V. ]

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at its own dummy handler (a plain iret) so that, without a system
debugger, AX comes back unchanged. ES must point at the interrupt vector
table (segment 0), as in the next method; swapping the real-mode vector does
not get rid of a system debugger's hook, which sits below it, so the magic
value still comes back when SoftICE is loaded.

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect. The dummy
handler copies AL into CL; AL holds a value just read from the timer port,
CX is zeroed, and the check fails (debugger detected) whenever something
other than the dummy handler has serviced the interrupt and CL does not
match AL afterwards:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer counter
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
( M8 L2 }' `* ^7 H1 U" Q
4 R v* b, M. e/ [
# _' y: X' b$ R) UMethod 08, s8 s/ r8 B, C+ W/ c( n, W) ~
========= u1 v& e/ x( [
a1 {( H; y9 `, |3 k+ p; w7 mIt is not a method of detection of SoftICE but a possibility to crash the, I. o, P X7 ]7 W B, a
system by intercepting int 01h and int 03h and redirecting them to another/ o2 k- a& Z4 e' g; p% S5 B
routine.
" q- o) G! s, b3 U$ u& @It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
3 m: N( |$ d' P) j- l- T( Ito the new routine to execute (hangs computer...)
" F2 y7 O& S" a0 [- x
% `- Q1 M1 Q# `) s0 | mov ah, 25h) i# T% o3 R& b: g( J& V
mov al, Int_Number (01h or 03h)
/ @/ A6 E/ c2 g+ Q mov dx, offset New_Int_Routine. \* z% N+ V$ e6 S) O
int 21h
) Q& ^/ o0 y: i& \
; }0 U- H# L# ___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (DR0 to DR3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as
well (clearing BPMs, for instance).
J8 t+ ?9 o" R% }( B; t% x/ ]+ C6 l7 `, o
__________________________________________________________________________
! p% J/ x d3 e$ Y1 E; c3 O- [' y" O
# e2 P* G. [; b1 N) _7 I. l- l. BMethod 11
$ H) k5 @" E9 H1 Z=========
5 x8 b- O( U- j2 }7 } }) F) s$ c3 o b% a
This method is most known as 'MeltICE' because it has been freely distributed
7 g* [5 E; s/ @# S( Q: d- F& c9 Y9 {via www.winfiles.com. However it was first used by NuMega people to allow7 P1 z: H4 A, @; U
Symbol Loader to check if SoftICE was active or not (the code is located
+ E6 W3 s: m P1 V6 q6 r- uinside nmtrans.dll).
9 ` `1 v+ o# \) c9 O; f0 @( @! v# q9 j% F% U4 G4 M/ v
The way it works is very simple:
, p% j, ?! W3 ]2 k: q: fIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for/ T8 }- U s7 H7 D
WinNT) with the CreateFileA API.8 V' Z" O7 w; i# V& p: q; p
& h5 P( _% V+ q! L
Here is a sample (checking for 'SICE'): C8 C4 b. F5 Z6 V4 v/ C$ C
" j" w: J6 ]* [BOOL IsSoftIce95Loaded()( M4 K' n' J" Z. I7 M$ U
{
0 ~$ r3 v) c, N' L' l$ ] HANDLE hFile; o- l w( L. l' J+ K S' n
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- p% ?- h" x, V$ {* Y* O FILE_SHARE_READ | FILE_SHARE_WRITE,
6 H$ l' i# o+ ] NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
Y8 Z: @& F) z D if( hFile != INVALID_HANDLE_VALUE )) D/ m1 f! _3 p1 f. k
{
5 n5 o l, K- T+ f6 b CloseHandle(hFile); u! K* y9 X# d1 X; k
return TRUE;4 ^+ \5 t* [0 p7 P, Q6 J
}
( A" m/ V3 q! o) u( p' A) t return FALSE;
) _# R' g' ]3 |}. `9 K0 O. ?: H6 U
2 @& Z) Y7 v: L. ~' a0 M
Although this trick calls the CreateFileA function, don't even expect to be0 q- m D1 ]" q5 C* Q8 V, |5 `* Y
able to intercept it by installing a IFS hook: it will not work, no way! _, I6 Y# w$ u' w1 {
In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ \5 F1 ^9 Q V# P9 g s3 U) c
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: k+ j6 {9 ^5 \and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 n. S% U5 T" J8 Y, M b% Mfield.9 ~% o5 q, L% l! h
In fact, its purpose is not to load/unload VxDs but only to send a
# J, a, y0 q @# ^& n3 z. WW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- e D1 S2 e! w E% _4 O$ c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try: C, i: |2 _3 s, b2 N" D% @
to load/unload a non-dynamically loadable driver such as SoftICE ;-).8 M: J) n/ h- a" M+ d+ e, ^
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 t0 l" e) E6 W# M: V' tits handle to be opened and then, will be detected.3 g1 `" X+ F9 u& L- t$ X$ `
You can check that simply by hooking Winice.exe control proc entry point
! } u3 l4 |5 p; jwhile running MeltICE.
4 f U ~* X& F9 s ?% S* D( H
1 n. d; y" V6 z4 g5 W+ W
4 ?+ [& z7 _. F" _9 Y$ S6 d/ F 00401067: push 00402025 ; \\.\SICE2 z2 o9 m. v/ B; m8 P& f6 Y
0040106C: call CreateFileA
7 \- e# Q8 `7 T+ F4 C& | 00401071: cmp eax,-001
( a1 S* `( ?7 f X8 f- ^) Q [/ d 00401074: je 00401091
5 m- T7 f. o5 R; C4 ?9 w. R" n% E: I: i
% `$ r- A5 q! b% c4 `. }1 b
There could be hundreds of BPX you could use to detect this trick.+ H/ u* H; x2 c3 z1 K
-The most classical one is:! q0 Y( e) J6 [5 m* U3 R; P' z9 [
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- K5 v) Y6 G, ?1 H3 K+ Y
*(esp->4+4)=='NTIC'6 L1 P* Z( S3 i% o) ^ A
5 Y0 {0 o: d4 h& P-The most exotic ones (could be very slooooow :-(2 v9 u5 n* P/ ^( U
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
# m2 W# J' _, `: v" ]. }# W" Q2 J$ j ;will break 3 times :-(
- j2 j5 N' g( V8 |
, R. {, @# n% g6 R" f; p; h, {5 i-or (a bit) faster: ' ~/ y4 z0 M6 a) O! ^; {
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# D' T4 [' U) P' c0 n9 c
. V$ K8 l) @8 F( N F BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
+ |, U1 Z3 j8 w a ;will break 3 times :-(
- G' K+ Q7 X( c2 m0 {2 z7 N; c% V: ]- c' \7 O
-Much faster:
. v; h5 k( |% B, e. X3 ^7 l6 M BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'1 v" \, T7 |% q1 A9 a
( |, t+ ^* }/ P2 _6 f: u& rNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 H3 o! z, @! n8 ~, q- {function to do the same job:
# J4 w! \' n, d9 M4 F+ W
. b: f: E' ~1 P% `% x push 00 ; OF_READ
. P0 q. l6 W, _, L6 U" U mov eax,[00656634] ; '\\.\SICE',01 J# c8 t" p: `4 s- \& I* q
push eax
" D; K: J/ Z- x! ?+ n call KERNEL32!_lopen
8 |& Z' P5 @ T: y6 \, U; u inc eax, N. n/ X5 A. D/ O
jnz 00650589 ; detected
/ @( g, j4 U7 ?) [2 j0 X! | push 00 ; OF_READ
h0 D$ X* R6 ?, I' Q mov eax,[00656638] ; '\\.\SICE'
' d* h3 O" f J3 ^& z% @ push eax8 c$ Z0 j$ |7 y- f4 S" t, z ^
call KERNEL32!_lopen6 Q6 Y G% u) j4 }! J7 ]# {
inc eax3 @0 w# M; k9 T; g. D
jz 006505ae ; not detected
6 o" k( k+ e0 ^. W5 `2 u, C2 G2 z4 `1 O* F
& `+ i1 i% a8 R1 K) }1 p6 ?
__________________________________________________________________________3 O- L+ t( S ~- t% _" I7 _
/ V @- E: R5 f$ c; ^" F
Method 127 L, |5 T# M- f" d
=========
) P4 f& r: ~7 w$ O0 W
: e. F( k+ a) c& G: F& T) iThis trick is similar to int41h/4fh Debugger installation check (code 05
, ^, Y$ J# P0 S- s& 06) but very limited because it's only available for Win95/98 (not NT)
4 G* S/ z. Z {; uas it uses the VxDCall backdoor. This detection was found in Bleem Demo.: ?9 |0 C# i/ i6 z; I
3 e# C, q$ r& y# \ push 0000004fh ; function 4fh" g3 E3 p ^3 l! {# i0 e
push 002a002ah ; high word specifies which VxD (VWIN32) U( |" B( i# n6 w! j0 O' a
; low word specifies which service& O; M/ h, j/ H3 ?
(VWIN32_Int41Dispatch)- Q$ A% u7 D+ z5 Y/ Q
call Kernel32!ORD_001 ; VxdCall
4 F+ t; @( U9 v6 q- R cmp ax, 0f386h ; magic number returned by system debuggers0 j7 M& S& ?+ s* b! I3 j0 ^
jz SoftICE_detected
2 u A9 D" ~3 `' w; Q; ~! ?0 r+ t5 y0 h+ A
Here again, several ways to detect it:
5 `' {6 f2 e6 f0 ~+ n2 E# ]$ l
# b& J' u0 B1 G1 n E BPINT 41 if ax==4f# I: B* G* S% H* ^9 m- R# x: @( V7 o
4 E% y0 m6 ~9 D, H% J+ O0 W BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
% G* E' s4 [* s7 W) M e
. \( e: U% n8 ]! ?: [% H2 e% R BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A+ i4 @' e- w+ J9 C" ~9 z/ V* p. V7 f
$ b' P. T8 V0 h# r
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
7 t% O) \, O! v2 Y
3 e& @& X4 x; v6 G9 H7 B8 e__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" inside
"Software\NuMega\SoftICE" and 0x37 its offset inside
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

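Most of the tricks above leave a recognisable footprint in the file itself, which is the other way (besides a conditional BPX) to find them. The following is an added example, not code from the original text nor from any tool it mentions: a small static scanner that looks for the byte encodings of the instruction sequences quoted in Methods 01 to 05, 07 and 12 and for the device and registry names of Methods 11 and 13. The encodings assume the operand size of the code shown (16-bit for the DOS-era Methods 02 to 05, 32-bit for 01 and 12); in the other mode the 66h operand-size prefix changes the bytes, and a real packer may also shuffle or obfuscate the sequence, so a miss proves nothing while a hit is worth a look. The SAMPLE blob is constructed for the demonstration and is not a real executable.

```python
import re
import sys

# Added example. Each entry: (name, regex over raw bytes, re flags).
# `.{0,8}` tolerates a few interleaved instructions; re.DOTALL lets '.' match 0x0A.
SIGNATURES = [
    ("Method 01: int 3 with EBP='BCHK', AX=4",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\x66\xB8\x04\x00.{0,8}\xCC", re.DOTALL),
    ("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC", re.DOTALL),
    ("Method 03: int 2Fh/1684h on VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F", re.DOTALL),
    ("Method 04: int 2Fh/1684h on VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F", re.DOTALL),
    ("Method 05: int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41", re.DOTALL),
    ("Method 07: int 68h function 43h",
     rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL),
    ("Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"(\x6A\x4F|\x68\x4F\x00\x00\x00).{0,8}\x68\x2A\x00\x2A\x00", re.DOTALL),
    ("Method 11: SoftICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00", 0),
    ("Method 13: SoftICE registry key",
     rb"Software\\NuMega\\SoftICE", re.IGNORECASE),   # registry paths are case-insensitive
]
COMPILED = [(name, re.compile(pat, flags)) for name, pat, flags in SIGNATURES]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in `blob`."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed input (not a real file): the Method 02 loop from the Haspinst.exe
# listing, a Method 05 check and the strings of Methods 11 and 13, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911 / mov dx,[bx] / mov si,4647 / mov di,4A4D / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"                   # device names as stored in a data section
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print("%08X  %s" % (offset, name))
```

Run it with a file name to scan a real executable; with no argument it scans the constructed SAMPLE and reports the Method 02 sequence at offset 9, the Method 05 check at offset 20, the two device names and the registry key. Offsets are file offsets, not virtual addresses, so map them through the section table before setting a BPX on the hit.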
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).
The service returns with the zero flag set when no debugger is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>