<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK': the BoundsChecker signature
    mov ax, 04h            ; BoundsChecker service request
    int 3                  ; SoftICE intercepts this int 3 ...
    cmp al, 4              ; ... and returns with AL no longer equal to 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the "Get Entry Point" API):

    xor di, di
    mov es, di
    mov ax, 1684h          ; int 2Fh function: get VxD API entry point
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h          ; int 2Fh function: get VxD API entry point
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh            ; int 41h function 4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; ES = 0: the IVT (setup added here, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler, keeping
    xchg bx, es:[41h*4+2]  ; the original vector in BX:DX
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h         ; our handler leaves AX alone, so the magic can only
    jz SoftICE_detected    ; come from a debugger intercepting int 41h below the IVT

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al             ; reached only if nothing intercepts int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0: the IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, keeping the original
    xchg bx, es:[41h*4+2]  ; vector in BX:DX
    in al, 40h             ; AL = timer counter: an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; CL == AL only if our own handler actually ran
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h            ; int 68h function 43h: debugger installation check
    int 68h
    cmp ax, 0F386h         ; magic number returned by system debuggers
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

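The following scanner is an added example, not part of this text and not code from any of the programs named above; it is written in C for a defender doing static triage of a DOS code image. It encodes the instruction sequences quoted in Methods 01 to 07 as byte patterns (my own 16-bit real-mode encodings, plus a second encoding of the BCHK sequence as it appears in 32-bit code) and reports which probe families a buffer contains. The sample buffer is the Haspinst.exe loop re-encoded by hand from the listing in Method 02, followed by the Method 03 and Method 05 sequences; those bytes are constructed for the example, not taken from the file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Probe families from Methods 01-07; each gets one bit in the scan result. */
enum {
    SIG_BCHK,          /* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 */
    SIG_BACKDOOR,      /* Method 02: mov si,4647h / mov di,4A4Dh (either order)  */
    SIG_INT2F_SICE,    /* Method 03: mov ax,1684h / mov bx,0202h / int 2Fh       */
    SIG_INT2F_SIWVID,  /* Method 04: mov ax,1684h / mov bx,7A5Fh / int 2Fh       */
    SIG_INT41_4F,      /* Method 05: mov ax,4Fh / int 41h                        */
    SIG_INT68_43,      /* Method 07: mov ah,43h / int 68h                        */
    SIG_MAGIC_F386,    /* cmp ax,0F386h: the debugger magic tested by 05/06/07   */
    SIG_COUNT
};

typedef struct { int id; const char *name; const uint8_t *pat; size_t len; } sig_t;

/* Byte encodings of the sequences quoted above (16-bit real-mode code; the
 * second BCHK entry is the encoding the same sequence has in 32-bit code). */
static const uint8_t p_bchk16[]  = {0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
static const uint8_t p_bchk32[]  = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
static const uint8_t p_bd_sidi[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};
static const uint8_t p_bd_disi[] = {0xBF,0x4D,0x4A, 0xBE,0x47,0x46};
static const uint8_t p_2f_sice[] = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};
static const uint8_t p_2f_vid[]  = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};
static const uint8_t p_41_4f[]   = {0xB8,0x4F,0x00, 0xCD,0x41};
static const uint8_t p_68_43[]   = {0xB4,0x43, 0xCD,0x68};
static const uint8_t p_f386[]    = {0x3D,0x86,0xF3};

#define SIG(id, name, p) { id, name, p, sizeof(p) }
static const sig_t sigs[] = {
    SIG(SIG_BCHK,         "BoundsChecker int 3 (Method 01, 16-bit)", p_bchk16),
    SIG(SIG_BCHK,         "BoundsChecker int 3 (Method 01, 32-bit)", p_bchk32),
    SIG(SIG_BACKDOOR,     "int 3 backdoor magic SI/DI (Method 02)",  p_bd_sidi),
    SIG(SIG_BACKDOOR,     "int 3 backdoor magic DI/SI (Method 02)",  p_bd_disi),
    SIG(SIG_INT2F_SICE,   "int 2Fh/1684h, VxD 0202h (Method 03)",    p_2f_sice),
    SIG(SIG_INT2F_SIWVID, "int 2Fh/1684h, VxD 7A5Fh (Method 04)",    p_2f_vid),
    SIG(SIG_INT41_4F,     "int 41h/4Fh (Method 05)",                 p_41_4f),
    SIG(SIG_INT68_43,     "int 68h/43h (Method 07)",                 p_68_43),
    SIG(SIG_MAGIC_F386,   "cmp ax,0F386h",                           p_f386),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Exact byte comparison of one pattern at one offset (no wildcards). */
static int match_at(const uint8_t *buf, size_t n, size_t off, const sig_t *s) {
    if (s->len > n - off) return 0;
    for (size_t k = 0; k < s->len; k++)
        if (buf[off + k] != s->pat[k]) return 0;
    return 1;
}

/* Scan a raw code image; returns a bitmask over SIG_* of the families found. */
unsigned scan_softice_probes(const uint8_t *buf, size_t n) {
    unsigned found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t i = 0; i < NSIGS; i++)
            if (match_at(buf, n, off, &sigs[i]))
                found |= 1u << sigs[i].id;
    return found;
}

/* Human-readable name for a SIG_* id (first table entry carrying that id). */
const char *sig_name(int id) {
    for (size_t i = 0; i < NSIGS; i++)
        if (sigs[i].id == id) return sigs[i].name;
    return "?";
}

/* Constructed sample: my hand encoding of the Haspinst.exe loop listed in
 * Method 02, then the Method 03 probe, then the simplest Method 05 probe. */
static const uint8_t sample[] = {
    0xB8,0x11,0x09,              /* mov ax,0911h  (execute command)   */
    0x8B,0x17,                   /* mov dx,[bx]                       */
    0xBE,0x47,0x46,              /* mov si,4647h  (1st magic value)   */
    0xBF,0x4D,0x4A,              /* mov di,4A4Dh  (2nd magic value)   */
    0xCC,                        /* int 3                             */
    0x83,0xC3,0x02,              /* add bx,2                          */
    0x41,                        /* inc cx                            */
    0x83,0xF9,0x06,              /* cmp cx,6                          */
    0x72,0xEB,                   /* jb back to the loop               */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,    /* Method 03        */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,    /* Method 05 + cmp  */
};

int main(void) {
    unsigned m = scan_softice_probes(sample, sizeof sample);
    for (int id = 0; id < SIG_COUNT; id++)
        if (m & (1u << id)) printf("found: %s\n", sig_name(id));
    return 0;
}
```

The patterns are the literal encodings of the snippets above, so a packer that reorders the moves or loads the magic values through other registers slips past them; the SI/DI pair is listed in both orders for that reason, and any real triage tool would pair such signatures with emulation of the int 3 / int 2Fh / int 41h call sites.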
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

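As an added example that is not from this text, the following C code decodes the DR7 layout those register reads are interpreted with: which of DR0-DR3 are armed, what each slot watches (the R/W and LEN fields), and the LE/GE bits that separate the 0x700 and 0x400 values quoted above. The sample register values are constructed for the example and the classification names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of the x86 DR7 debug-control register. */
typedef struct {
    int local_enable[4];   /* L0..L3  : bits 0, 2, 4, 6                      */
    int global_enable[4];  /* G0..G3  : bits 1, 3, 5, 7                      */
    int rw[4];             /* R/W0..3 : bits 16-17, 20-21, 24-25, 28-29      */
    int len[4];            /* LEN0..3 : bits 18-19, 22-23, 26-27, 30-31      */
    int le, ge;            /* bits 8, 9: local/global exact-breakpoint enable */
    int gd;                /* bit 13  : general detect (trap any MOV DRn)     */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7) {
    dr7_t d = {{0}};
    for (int i = 0; i < 4; i++) {
        d.local_enable[i]  = (dr7 >> (2 * i))     & 1;
        d.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;   /* 00 exec, 01 write, 11 read/write */
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8)  & 1;
    d.ge = (dr7 >> 9)  & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* LEN field: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (x86-64 only). */
int dr7_len_bytes(int len_code) {
    static const int table[4] = {1, 2, 8, 4};
    return table[len_code & 3];
}

/* Number of slots DR0-DR3 that are armed (local or global enable bit set):
 * the "memory breakpoints set" case the text describes. */
int dr7_active_breakpoints(uint32_t dr7) {
    dr7_t d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += d.local_enable[i] | d.global_enable[i];
    return n;
}

/* Bit 10 of DR7 is reserved and reads as 1, so 0x400 is a DR7 with nothing
 * set; 0x700 is that plus LE and GE (bits 8 and 9), the value the text
 * reports after loading through the SoftICE loader. */
#define DR7_RESERVED_BIT 0x400u
#define DR7_LE           0x100u
#define DR7_GE           0x200u

enum dr7_state { DR7_IDLE, DR7_EXACT_ENABLES_ONLY, DR7_BREAKPOINTS_ARMED };

enum dr7_state classify_dr7(uint32_t dr7) {
    if (dr7_active_breakpoints(dr7) > 0) return DR7_BREAKPOINTS_ARMED;
    if (dr7 & (DR7_LE | DR7_GE))          return DR7_EXACT_ENABLES_ONLY;
    return DR7_IDLE;
}

int main(void) {
    /* Constructed samples: the two idle values quoted in the text, and a DR7
     * arming one 4-byte read/write BPM on whatever address DR0 holds. */
    const uint32_t samples[] = {
        0x700u, 0x400u,
        DR7_RESERVED_BIT | 1u /* L0 */ | (3u << 16) /* RW0 */ | (3u << 18) /* LEN0 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("DR7=%08X LE=%d GE=%d state=%d", (unsigned)samples[i], d.le, d.ge,
               (int)classify_dr7(samples[i]));
        for (int s = 0; s < 4; s++)
            if (d.local_enable[s] || d.global_enable[s])
                printf(" DR%d: rw=%d len=%d bytes", s, d.rw[s], dr7_len_bytes(d.len[s]));
        printf("\n");
    }
    return 0;
}
```

The classifier follows the text's own two values: LE/GE set with no slot armed is what the SoftICE loader leaves behind, and any armed slot is a BPM (or a hardware breakpoint from some other debugger), which is the condition a protection reading DR7 reacts to.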
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001    ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 ...
    jnz 00650589            ; ... so non-zero means a handle: detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

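As an added example that is not part of this text or of MeltICE, here is the name test the CreateFileA breakpoint above performs, written in C the way a monitoring hook or an API-call log review would apply it: require the `\\.\` device prefix (the `+4` in `esp->4+4`), then compare the remainder with the three driver names. The function names and the sample list of opened paths are my own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Which SoftICE driver a device-name open refers to (the names Method 11 lists). */
enum softice_dev { DEV_NONE = 0, DEV_SICE, DEV_SIWVID, DEV_NTICE };

/* Return the name after the Win32 device-namespace prefix "\\.\" (or "\\?\"),
 * or NULL when the path carries no such prefix and is an ordinary file path. */
static const char *device_name(const char *path) {
    if (strncmp(path, "\\\\.\\", 4) == 0 || strncmp(path, "\\\\?\\", 4) == 0)
        return path + 4;
    return NULL;
}

/* Case-insensitive equality: device names are not case-sensitive on Windows. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Classify one lpFileName argument.  This is what the BPX condition tests:
 * esp->4 is lpFileName, +4 skips "\\.\", and the bytes there are compared
 * with 'SICE', 'SIWV' or 'NTIC'. */
enum softice_dev softice_device_from_path(const char *path) {
    const char *name = device_name(path);
    if (name == NULL)        return DEV_NONE;
    if (ieq(name, "SICE"))   return DEV_SICE;
    if (ieq(name, "SIWVID")) return DEV_SIWVID;
    if (ieq(name, "NTICE"))  return DEV_NTICE;
    return DEV_NONE;
}

/* Count how many of a process's opens targeted a SoftICE driver name; a
 * non-zero count is the signal a CreateFileA/_lopen monitor would raise. */
int count_softice_probes(const char *const *paths, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (softice_device_from_path(paths[i]) != DEV_NONE) hits++;
    return hits;
}

/* Constructed sample: ordinary opens mixed with the three probes of Method 11. */
static const char *const sample_opens[] = {
    "C:\\WINDOWS\\SYSTEM\\USER32.DLL",
    "\\\\.\\SICE",
    "\\\\.\\siwvid",            /* case differs: still the same device */
    "\\\\.\\NTICE",
    "\\\\.\\VMM32",             /* another device, not a SoftICE driver */
    "C:\\TEMP\\SICE",           /* plain file named SICE: no device prefix */
};
#define SAMPLE_OPENS_COUNT (sizeof sample_opens / sizeof sample_opens[0])

int main(void) {
    static const char *const labels[] = {"-", "SICE", "SIWVID", "NTICE"};
    for (size_t i = 0; i < SAMPLE_OPENS_COUNT; i++)
        printf("%-32s %s\n", sample_opens[i],
               labels[softice_device_from_path(sample_opens[i])]);
    printf("SoftICE driver probes: %d\n",
           count_softice_probes(sample_opens, SAMPLE_OPENS_COUNT));
    return 0;
}
```

The plain-file entry shows why the breakpoint skips four bytes before comparing: the same four letters in an ordinary path are not a driver open, and treating them as one would fire on every file that happens to start with those characters.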
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed   ; ZF clear if a system debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>