About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

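To make concrete what a ring-0 read of DR7 actually tells the checker described in Method 10, here is a DR7 decoder. It is an added example, not code from this post: the bit layout is the documented x86 DR7 format, the values 0x700 and 0x400 it is exercised with are the ones the text quotes, and every name in it (decode_dr7, debugger_indicators, the dataclasses) is constructed here.

```python
"""Decode a DR7 value as the ring-0 check in Method 10 sees it.

Added example, not from the post. Bit layout is the documented x86 DR7
format: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads
as 1), GD bit 13, and for slot n the R/W field in bits 16+4n..17+4n and the
LEN field in bits 18+4n..19+4n. All names here are constructed.
"""
from dataclasses import dataclass
from typing import List

RW_KIND = {0: "execute", 1: "write", 2: "io-rw", 3: "read-write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes (64-bit mode only)


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # DR0..DR3 register holding the linear address
    scope: str       # "local", "global" or "local+global"
    kind: str        # which access triggers it
    length: int      # bytes covered


@dataclass(frozen=True)
class Dr7State:
    raw: int
    le: bool         # local exact breakpoint enable
    ge: bool         # global exact breakpoint enable
    gd: bool         # general detect: any mov to/from DRn raises #DB
    breakpoints: List[HwBreakpoint]


def decode_dr7(dr7: int) -> Dr7State:
    bps: List[HwBreakpoint] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is disarmed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        scope = "local+global" if local and glob else ("local" if local else "global")
        bps.append(HwBreakpoint(n, scope, RW_KIND[rw], LEN_BYTES[ln]))
    return Dr7State(dr7, bool(dr7 & 0x100), bool(dr7 & 0x200), bool(dr7 & 0x2000), bps)


def debugger_indicators(dr7: int) -> List[str]:
    """The DR7-derived signals the text mentions; empty for the idle value 0x400."""
    st = decode_dr7(dr7)
    out: List[str] = []
    if st.le or st.ge:
        out.append("LE/GE set (the text quotes dr7=0x700 under the SoftICE loader)")
    if st.breakpoints:
        out.append(f"{len(st.breakpoints)} hardware breakpoint(s) armed in DR0-DR3 (BPM)")
    if st.gd:
        out.append("GD set: touching DR0-DR7 itself raises #DB")
    return out


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0001):
        print(f"dr7={value:#010x}: {decode_dr7(value).breakpoints} {debugger_indicators(value)}")
```

Running it shows why the text singles out 0x400 as the idle value: only bit 10 is set, no slot is enabled, and nothing is reported, whereas 0x700 adds LE and GE and a value like 0x000D0001 reveals a 4-byte write watchpoint in DR0, which is exactly what a BPM leaves behind.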
___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the SICE driver through its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
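Most of the tricks above leave fixed byte or string patterns in a binary: the 'BCHK' immediate of Method 01, the SI/DI magic values of Method 02, the int 2Fh/1684h calls with the VxD IDs of Methods 03 and 04, the int 41h/4Fh call and the 0F386h compare of Methods 05 to 07 and 12, the push 002A002Ah of Method 12, the \\.\SICE family of device names of Method 11 and the registry keys of Method 13. The following static triage scanner is an added example, not code from this post: it flags those patterns in a file the way an analyst would check a sample for anti-debugging before running it. The constants come from the text and the opcode encodings are plain x86; the signature labels, helper names and the SAMPLE buffer are constructed for this example, and the bytes for Method 06 (which has no fixed immediate before its int 41h) and for Methods 08 to 10 and 14 are deliberately not covered.

```python
"""Static triage of a binary for the anti-SoftICE tricks listed above.

Added example, not code from the post. Constants are the ones the text
gives (BCHK, SI=4647h/DI=4A4Dh, int 2Fh/1684h with VxD IDs 0202h/7A5Fh,
int 41h/4Fh, 0F386h, int 68h/43h, push 002A002Ah, the \\.\SICE family of
device names, the three registry keys); opcode encodings are plain x86.
Signature labels, helper names and the SAMPLE buffer are constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Signature:
    label: str
    regex: "re.Pattern"


@dataclass(frozen=True)
class Finding:
    label: str
    offset: int
    matched: bytes


def _sig(label: str, pattern: bytes, flags: int = re.DOTALL) -> Signature:
    return Signature(label, re.compile(pattern, flags))


def _text(s: str) -> bytes:
    """Regex for an ASCII string stored either as 8-bit or as UTF-16LE."""
    return b"".join(re.escape(bytes([ord(c)])) + b"\x00?" for c in s)


# Encodings used: mov ebp,imm32 = BD; mov si/di,imm16 = BE/BF (optional 66h
# prefix in 32-bit code); mov bx,imm16 = BB; mov ax,imm16 = B8; mov ah,imm8 = B4;
# cmp ax,imm16 = 3D; int n = CD n; push imm8 = 6A; push imm32 = 68.
SIGNATURES: List[Signature] = [
    _sig("M01 BCHK int 3", rb"\xBD\x4B\x48\x43\x42"),
    _sig("M02 backdoor SI/DI magic", rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"),
    _sig("M03/M04 int 2Fh VxD ID", rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    _sig("M05 int 41h fn 4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    _sig("M05-07/M12 cmp ax,0F386h", rb"(?:\x66)?\x3D\x86\xF3"),
    _sig("M07 int 68h fn 43h", rb"\xB4\x43.{0,6}?\xCD\x68"),
    _sig("M12 VxDCall Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
] + [
    _sig("M11 device name", _text(name))
    for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")
] + [
    # registry paths are case-insensitive, so the key signatures are too
    _sig("M13 registry key", _text(key), re.DOTALL | re.IGNORECASE)
    for key in (r"Uninstall\SoftICE", r"Software\NuMega\SoftICE", r"App Paths\Loader32.Exe")
]


def scan(blob: bytes) -> List[Finding]:
    """Every signature hit in the blob, ordered by file offset."""
    hits = [Finding(s.label, m.start(), m.group(0))
            for s in SIGNATURES for m in s.regex.finditer(blob)]
    return sorted(hits, key=lambda f: (f.offset, f.label))


def techniques(blob: bytes) -> Set[str]:
    """Just the set of trick labels present, for a quick verdict."""
    return {f.label for f in scan(blob)}


# Constructed sample: the listings from the post assembled back to bytes,
# followed by an 8-bit and a wide device name and one registry key.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD4B484342")              # mov ebp,4243484Bh ('BCHK')
    + bytes.fromhex("66B80400CC3C047500")      # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 3
    + bytes.fromhex("B81109BE4746BF4D4ACD03")  # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    + bytes.fromhex("B88416BB0202CD2F")        # mov ax,1684h / mov bx,0202h / int 2Fh
    + bytes.fromhex("B84F00CD413D86F3")        # mov ax,4Fh / int 41h / cmp ax,0F386h
    + bytes.fromhex("B443CD68")                # mov ah,43h / int 68h
    + bytes.fromhex("6A4F682A002A00")          # push 4Fh / push 002A002Ah
    + b"\\\\.\\SICE\x00"                       # 8-bit device name
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"   # wide device name
    + b"Software\\NuMega\\SoftICE\x00"         # registry key
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.label:28}  {f.matched.hex()}")
```

Run it over a real file with scan(open(path, "rb").read()). A hit is a lead, not a verdict: the 0F386h compare and the device-name strings are short enough to occur by chance in large binaries, which is why the findings carry offsets for manual confirmation in a disassembler.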