<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: int 3 is called with
EBP = 'BCHK' and AX = 4. If SoftICE is loaded it answers the call and AL
comes back different from 4; if it is not loaded, AL is left untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
  -AX = 0910h (Display string in the SIce window)
  -AX = 0911h (Execute SIce command - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken by the program's own int 03h exception handler
  when the debugger is not loaded: without SoftICE nobody services the back
  door call, so the int 3 lands in that handler instead of returning to
  00A1h and running the six commands.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). A VxD that is not loaded leaves
ES:DI at 0000:0000, so a non-zero ES:DI means the VxD is present.

        xor     di, di
        mov     es, di                  ; ES:DI must be 0 on input
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the entry
point of the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next snippet, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced with a dummy handler (a bare IRET), so that without a system
debugger AX comes back unchanged; a debugger that catches int 41h before the
real-mode vector is consulted (as SoftICE does) still answers 0F386h:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old one
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to spot because the
0F386h constant never appears: the dummy int 41h handler copies AL into CL.
If the interrupt reaches the handler (no system debugger), CL equals AL
afterwards; if SoftICE intercepts it first, CL keeps the value 0. (Should
the byte read from port 40h happen to be 0, the comparison succeeds anyway
and the debugger goes unnoticed: a 1-in-256 false negative.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep old one
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; more or less random byte (PIT counter)
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86). This is the same debugger
installation check as on int 41h, reached through int 68h/AH=43h, and it
returns AX = 0F386h when a system debugger is installed.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine
(SoftICE relies on both: int 01h for tracing, int 03h for breakpoints).
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (DR0 to DR3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________
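Added example for Method 10 (not code from the original text): since DR7 can only be read from ring 0, the decoder below takes the register value as input, namely the 0x700 and 0x400 values quoted above plus a constructed value with one BPM armed, and shows which bits the two values actually differ in. The field layout is the IA-32 DR7 definition; the function names and the sample values are my own.

```c
/* DR7 decoder for the check described in Method 10. Added example, not code
 * from the page. Input values are constructed; nothing here reads a real DR7. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled[4];   /* Ln or Gn set: hardware breakpoint n is armed            */
    int global[4];    /* Gn set: breakpoint survives task switches              */
    int rw[4];        /* 0 = execute, 1 = write, 3 = read/write (2 = I/O w/ CR4.DE) */
    int len[4];       /* 1, 2 or 4 bytes (encoding 10b means 8, 64-bit only)     */
    int le, ge;       /* "exact" breakpoint enables, bits 8 and 9                */
    int gd;           /* general detect: fault on any MOV to/from DRn, bit 13    */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };   /* LENn encodings 00,01,10,11 */
    dr7_info d;
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n))     & 1;
        int global = (dr7 >> (2 * n + 1)) & 1;
        d.enabled[n] = local | global;
        d.global[n]  = global;
        d.rw[n]      = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]     = len_tab[(dr7 >> (18 + 4 * n)) & 3];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of armed hardware breakpoints: what a SoftICE BPM shows up as. */
int dr7_bpm_count(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

int dr7_slot_rw(uint32_t dr7, int n)  { dr7_info d = decode_dr7(dr7); return d.rw[n]; }
int dr7_slot_len(uint32_t dr7, int n) { dr7_info d = decode_dr7(dr7); return d.len[n]; }

/* The fingerprint the page describes, 0x700 versus 0x400: bit 10 is reserved
 * and always reads as 1, so the only difference is LE|GE (bits 8-9), which
 * the SoftICE loader sets and a plain boot leaves clear. No breakpoint is
 * armed in either value; the check keys on the loader's habit, not on a BPM. */
int dr7_has_exact_enables(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* What "clearing BPMs" amounts to: drop every enable bit, keep the rest. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

int main(void)
{
    /* Constructed values: the two the page quotes, plus the loader's 0x700
       with a 4-byte read/write BPM armed in slot 0 (L0, RW0=11b, LEN0=11b). */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0701 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("DR7=%08X LE=%d GE=%d GD=%d bpm=%d", (unsigned)samples[i],
               d.le, d.ge, d.gd, dr7_bpm_count(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.enabled[n])
                printf(" [DR%d rw=%d len=%d]", n, d.rw[n], d.len[n]);
        putchar('\n');
    }
    return 0;
}
```

The point worth keeping in mind when reading a protection that does this: a program comparing DR7 against 0x700 is not looking at breakpoints at all, only at the LE/GE preference of whoever set up the debug registers, which is why it can be fooled by clearing those two bits and why it cannot see a BPM that was set after the check ran.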


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name of the SoftICE VxD; the open only
       succeeds when the driver is loaded and answers the request. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push    00402025            ; \\.\SICE
        0040106C:  call    CreateFileA
        00401071:  cmp     eax, -001
        00401074:  je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

 (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix so
 the comparison looks at the first four characters of the device name.)

-The most exotic ones (can be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available under
Win95/98 (not NT), as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
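Methods 01 and 02 open by saying that most packers carry these sequences, and Methods 05, 07, 11 and 12 each hinge on one fixed constant (0F386h, the device names, 002A002Ah). The following is an added example, not code from the page or from any of the programs it names: it collects the x86 encodings of the snippets shown in Methods 01 to 05, 07, 11 and 12 into a static byte scanner of the kind a packer-identification tool runs, and scans a buffer constructed here from the Haspinst.exe listing of Method 02 (bytes checked against the addresses in that listing) followed by the device name MeltICE hands to CreateFileA. The signature names, the sample buffer and the bitmask interface are my own choices; the sample is not taken from a real file.

```c
/* Static scanner for the SoftICE detection tricks on this page.
 * Added example. Patterns are the instruction encodings of the snippets
 * above (16-bit encodings where the page shows 16-bit code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;     /* method number on this page and what the bytes are */
    const void *bytes;
    size_t      len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK'); a 66h prefix precedes it in 16-bit code */
static const uint8_t BCHK[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (16-bit, as in Haspinst.exe) */
static const uint8_t BACKDOOR16[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC };
/* same magic values in 32-bit code (operand-size prefixes) */
static const uint8_t BACKDOOR32[] = { 0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A, 0xCC };
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh */
static const uint8_t VXD_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t VXD_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: int 41h ; cmp ax,0F386h    Method 07: int 68h ; cmp ax,0F386h */
static const uint8_t INT41_F386[] = { 0xCD, 0x41, 0x3D, 0x86, 0xF3 };
static const uint8_t INT68_F386[] = { 0xCD, 0x68, 0x3D, 0x86, 0xF3 };
/* Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall) */
static const uint8_t VXDCALL_41[] = { 0x68, 0x4F, 0x00, 0x00, 0x00, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

#define SIG(n, a) { n, a, sizeof(a) }
#define STR(n, s) { n, s, sizeof(s) - 1 }      /* string without its NUL */

static const sig_t SIGS[] = {
    SIG("01 BoundsChecker 'BCHK' int 3",          BCHK),
    SIG("02 back door magic SI/DI (16-bit)",      BACKDOOR16),
    SIG("02 back door magic SI/DI (32-bit)",      BACKDOOR32),
    SIG("03 int 2Fh/1684h VxD ID 0202h (SICE)",   VXD_SICE),
    SIG("04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", VXD_SIWVID),
    SIG("05 int 41h/4Fh -> 0F386h",               INT41_F386),
    SIG("07 int 68h/43h -> 0F386h",               INT68_F386),
    SIG("12 VxDCall 2A002Ah (Int41Dispatch)",     VXDCALL_41),
    STR("11 MeltICE device name \\\\.\\SICE",     "\\\\.\\SICE"),
    STR("11 MeltICE device name \\\\.\\SIWVID",   "\\\\.\\SIWVID"),
    STR("11 MeltICE device name \\\\.\\NTICE",    "\\\\.\\NTICE"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte search; memmem() is a GNU extension, so do it by hand. */
static int contains(const uint8_t *hay, size_t hlen, const void *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Bit i of the result is set when SIGS[i] occurs somewhere in buf. */
uint32_t scan_softice_sigs(const uint8_t *buf, size_t len)
{
    uint32_t hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, len, SIGS[i].bytes, SIGS[i].len)) hits |= 1u << i;
    return hits;
}

const char *sig_name(unsigned i) { return i < NSIGS ? SIGS[i].name : NULL; }

/* Constructed sample: the Haspinst.exe loop body from Method 02, then the
   device name MeltICE opens. Not taken from a real file. */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,         /* 0095  mov ax,0911h */
    0x8B, 0x17,               /* 0098  mov dx,[bx]  */
    0xBE, 0x47, 0x46,         /* 009A  mov si,4647h */
    0xBF, 0x4D, 0x4A,         /* 009D  mov di,4A4Dh */
    0xCC,                     /* 00A0  int 3        */
    0x83, 0xC3, 0x02,         /* 00A1  add bx,2     */
    0x41,                     /* 00A4  inc cx       */
    0x83, 0xF9, 0x06,         /* 00A5  cmp cx,6     */
    0x72, 0xEB,               /* 00A8  jb 0095      */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

int main(void)
{
    uint32_t hits = scan_softice_sigs(SAMPLE, sizeof SAMPLE);
    for (unsigned i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("found: Method %s\n", sig_name(i));
    return hits ? 1 : 0;   /* non-zero exit: an anti-debug trick is present */
}
```

Two caveats when running this over real files: the 16-bit patterns only match code that keeps the instructions adjacent in the order the page shows (Methods 05 and 06 in particular split the magic across a handler and a call site, so only the simplest int 41h form is caught), and a packed executable has to be unpacked first, since the page's whole point is that the packer's own stub is where these sequences live.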

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1 above.)
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag (the Zero flag comes back clear when a
debugger is installed).
</PRE></TD></TR></TBODY></TABLE>