<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (like the next one) is used by the majority
of packers/encryptors found on the Internet. It looks for the BoundsChecker
interface of SoftICE: with ebp = 'BCHK' and ax = 04h, an int 3 is answered
by SoftICE, which changes al; without SoftICE the int 3 simply returns and
al is still 4.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

____________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the utility the HASP
dongle Envelope uses to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; back-door call (if SoftICE is not loaded, jumps to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 03h handler when
  the debugger is not loaded (there is no SEH under DOS); when SoftICE is
  loaded it swallows the int 3 and execution continues at 00A1, so the loop
  runs all 6 commands and ends with HBOOT.
___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its API
entry point; if not, ES:DI is left untouched, which is why the code zeroes
both registers first. It only makes sense under Windows, where VxDs exist.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of SoftICE (SICE, WinICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers to the debugger-installation check, int 41h function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first
pointed at the program's own handler (which just returns), so a debugger
that merely sits on the interrupt vector would not answer; ES must point
to the interrupt vector table (segment 0) here:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to detect. The
handler copies al into cl; if SoftICE takes the int 41h and does not pass
it on to the installed handler, cl stays 0 and differs from the value read
from the timer port. Note the check gives a false negative if the byte read
from port 40h happens to be 0, since cl already equals al then.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring0 only)
you can detect whether SoftICE is loaded (dr7=0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) or whether memory
breakpoints are set (dr0 to dr3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025     ; "\\.\SICE"
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so only
 the first four characters of the device name are compared.)

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
 or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in key #2 and key #1 respectively.)

__________________________________________________________________________

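The tricks above leave recognisable bytes and strings in the protected
program, so they can be found statically without SoftICE at all. The
following scanner is an added example, not code from this page, from
Haspinst, from MeltICE or from NuMega: it encodes the listings of methods
01 to 07 and 12 as byte signatures (the 16-bit encodings shown in the
listings), checks device names the same way the CreateFileA breakpoint of
method 11 does (skip "\\.\" and compare the next four characters), and
looks for the method 13 registry key names. The built-in sample buffer is
constructed from the page's listings and is not a real file; flag names and
the output format are this example's own.

```c
/* softice_trick_scan.c: static scanner for the SoftICE-detection tricks on
 * this page (added example). It never talks to SoftICE; it looks for the
 * instruction bytes and strings a protected program carries, like a packer
 * identifier, so it runs on any host.
 * Build: cc -std=c99 -Wall -o softice_trick_scan softice_trick_scan.c
 * Run:   ./softice_trick_scan           (built-in sample)
 *        ./softice_trick_scan file.exe  (scan a file)                       */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One bit per trick found; numbering follows the page's method numbers. */
enum {
    M01_BCHK     = 1 << 0,  /* mov ebp,'BCHK' ; mov ax,4 ; int 3             */
    M02_BACKDOOR = 1 << 1,  /* mov si,4647h ; mov di,4A4Dh ; int 3 back door */
    M03_SICE_VXD = 1 << 2,  /* int 2Fh/1684h with bx=0202h (SICE VxD ID)      */
    M04_SIWVID   = 1 << 3,  /* int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)    */
    M05_INT41_4F = 1 << 4,  /* mov ax,4Fh ; int 41h                           */
    M07_INT68    = 1 << 5,  /* mov ah,43h ; int 68h                           */
    M11_MELTICE  = 1 << 6,  /* "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE"        */
    M12_VXDCALL  = 1 << 7,  /* push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch) */
    M13_REGISTRY = 1 << 8,  /* SoftICE registry key names                     */
    MAGIC_F386   = 1 << 9   /* cmp ax,0F386h (methods 05, 07 and 12)          */
};

struct sig { const char *name; unsigned flag; size_t len; uint8_t bytes[8]; };

/* Encodings of the page's listings. In 32-bit code the 16-bit register moves
 * carry a 66h prefix; single-instruction patterns still match because they
 * start at the opcode, but the two adjacent moves of method 02 would not. */
static const struct sig sigs[] = {
    { "mov ebp,'BCHK'",              M01_BCHK,     5, { 0xBD, 0x4B, 0x48, 0x43, 0x42 } },
    { "mov si,4647h ; mov di,4A4Dh", M02_BACKDOOR, 6, { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A } },
    { "int 2Fh/1684h, bx=0202h",     M03_SICE_VXD, 8, { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F } },
    { "int 2Fh/1684h, bx=7A5Fh",     M04_SIWVID,   8, { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F } },
    { "mov ax,4Fh ; int 41h",        M05_INT41_4F, 5, { 0xB8, 0x4F, 0x00, 0xCD, 0x41 } },
    { "mov ah,43h ; int 68h",        M07_INT68,    4, { 0xB4, 0x43, 0xCD, 0x68 } },
    { "push 4Fh ; push 2A002Ah",     M12_VXDCALL,  7, { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 } },
    { "cmp ax,0F386h",               MAGIC_F386,   3, { 0x3D, 0x86, 0xF3 } },
};

/* Method 13 keys as substrings, so either hive prefix matches. */
static const char *regkeys[] = { "NuMega\\SoftICE", "Uninstall\\SoftICE", "App Paths\\Loader32.Exe" };

/* Method 11: the page's breakpoint tests *(esp->4+4)=='SICE' etc.; this is the
 * same test on a buffer: a "\\.\" prefix, then four bytes naming the driver. */
static int is_softice_device_name(const uint8_t *p, size_t left)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (left < 8 || memcmp(p, "\\\\.\\", 4) != 0) return 0;
    for (size_t i = 0; i < 3; i++)
        if (memcmp(p + 4, tags[i], 4) == 0) return 1;
    return 0;
}

/* Scan buf, print each hit to out (may be NULL), return the mask of flags. */
unsigned scan_buffer(const uint8_t *buf, size_t n, FILE *out)
{
    unsigned found = 0;
    for (size_t off = 0; off < n; off++) {
        size_t left = n - off;
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++)
            if (left >= sigs[s].len && memcmp(buf + off, sigs[s].bytes, sigs[s].len) == 0) {
                if (out) fprintf(out, "%06zx  %s\n", off, sigs[s].name);
                found |= sigs[s].flag;
            }
        if (is_softice_device_name(buf + off, left)) {
            if (out) fprintf(out, "%06zx  device name %.8s (MeltICE)\n", off, (const char *)buf + off);
            found |= M11_MELTICE;
        }
        for (size_t k = 0; k < sizeof regkeys / sizeof regkeys[0]; k++) {
            size_t kl = strlen(regkeys[k]);
            if (left >= kl && memcmp(buf + off, regkeys[k], kl) == 0) {
                if (out) fprintf(out, "%06zx  registry key %s\n", off, regkeys[k]);
                found |= M13_REGISTRY;
            }
        }
    }
    return found;
}

/* Constructed sample, not a real file: method 01, the Haspinst.exe loop of
 * method 02 re-encoded from its listing, a method 03 probe, method 12's
 * VxDCall followed by cmp ax,0F386h, and the MeltICE and registry strings. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06, 0x72, 0xEB,
    0x31, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x3D, 0x86, 0xF3, 0x74, 0x05,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    'S', 'o', 'f', 't', 'w', 'a', 'r', 'e', '\\', 'N', 'u', 'M', 'e', 'g', 'a',
    '\\', 'S', 'o', 'f', 't', 'I', 'C', 'E', 0,
};

unsigned scan_sample(void) { return scan_buffer(sample, sizeof sample, NULL); }

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("flags: 0x%03x\n", scan_buffer(sample, sizeof sample, stdout));
        return 0;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) { perror(argv[1]); return 1; }
    fseek(fp, 0, SEEK_END);
    long len = ftell(fp);
    rewind(fp);
    uint8_t *buf = malloc(len > 0 ? (size_t)len : 1);
    if (!buf || fread(buf, 1, (size_t)len, fp) != (size_t)len) { perror("read"); return 1; }
    fclose(fp);
    printf("flags: 0x%03x\n", scan_buffer(buf, (size_t)len, stdout));
    free(buf);
    return 0;
}
```

On the built-in sample the scanner reports methods 01, 02, 03, 11, 12 and 13
plus the 0F386h comparison; the int 2Fh probe is only flagged as method 03
because the VxD ID in bx is 0202h, not 7A5Fh. Fixed byte patterns are easy
to defeat (a different register order, an inserted nop, or the 66h prefix of
32-bit code breaks the two-instruction signatures), which is why the
breakpoint-based checks given under each method remain the reliable way to
catch these tricks at run time.
__________________________________________________________________________
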
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>