About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: SoftICE implements the
BoundsChecker int 3 interface, so with no debugger the int 3 returns with
AL still equal to 4, while SoftICE answers the call and changes AL, which is
what the jnz tests.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/AX=1684h
(Get VxD API entry point). ES:DI are zeroed first, so they stay 0:0 unless a
VxD with that ID is loaded and returns its entry point:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler (ES must be 0 here so that es:[41h*4] addresses the interrupt
vector table; method 06 sets it explicitly). Without a debugger the call comes
back with AX unchanged, whereas a ring-0 debugger that traps int 41h still
answers 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, keep old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since it
no longer compares against the 0F386h magic value: the program's own int 41h
handler copies AL (a byte just read from the timer port 40h) into CL, so after
the call CL equals AL only if that handler really ran. If the interrupt was
swallowed by a debugger, CL is still 0 and the compare fails (the test misses
only when the byte read from port 40h happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name exported by the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips
 the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey string; 0x13 and 0x37
are the offsets of 'tICE' inside the subkey names of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
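As an added example (not part of the original article), here is a small static scanner in C that looks through a raw code image for the byte patterns of the tricks catalogued above: the 'BCHK' constant of method 01, the SI/DI magic values of method 02, the int 2Fh/1684h VxD ID probes of methods 03 and 04, the int 41h/4Fh and int 68h/43h checks of methods 05 and 07, the VWIN32_Int41Dispatch VxDCall of method 12, the MeltICE device names of method 11 and the registry key of method 13. The encodings are the standard x86 ones for the article's snippets and are assumed to appear in the same instruction order as printed; the sample image it scans is constructed here, not taken from any real program.

```c
/* Static scanner for the anti-SoftICE byte patterns catalogued above.
 * Added example; not code from the original article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;   /* which method of the article the pattern belongs to */
    const uint8_t *bytes;    /* raw bytes to match */
    size_t         len;
} sig_t;

typedef struct {
    const char *method;
    size_t      offset;      /* byte offset of the match in the scanned image */
} hit_t;

/* x86 encodings of the article's snippets. Assumption: 16-bit code as in the
 * DOS tricks; in 32-bit code the same instructions carry a 66h operand-size
 * prefix in front of these bytes, which does not break the match. The int 2Fh
 * patterns assume the page's instruction order (mov bx,id directly followed by
 * int 2Fh); a production scanner would disassemble rather than byte-match. */
static const uint8_t SIG_BCHK[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };  /* mov ebp,'BCHK'        */
static const uint8_t SIG_SI_FG[]    = { 0xBE, 0x47, 0x46 };              /* mov si,4647h          */
static const uint8_t SIG_DI_JM[]    = { 0xBF, 0x4D, 0x4A };              /* mov di,4A4Dh          */
static const uint8_t SIG_VXD_SICE[] = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };  /* mov bx,0202h; int 2Fh */
static const uint8_t SIG_VXD_SIWV[] = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };  /* mov bx,7A5Fh; int 2Fh */
static const uint8_t SIG_INT41_4F[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };  /* mov ax,4Fh; int 41h   */
static const uint8_t SIG_INT68_43[] = { 0xB4, 0x43, 0xCD, 0x68 };        /* mov ah,43h; int 68h   */
static const uint8_t SIG_VXDCALL[]  = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };  /* push 002A002Ah        */

#define BYTESIG(m, a) { m, a, sizeof(a) }
#define STRSIG(m, s)  { m, (const uint8_t *)s, sizeof(s) - 1 }

static const sig_t SIGS[] = {
    BYTESIG("01 BoundsChecker 'BCHK' in EBP",          SIG_BCHK),
    BYTESIG("02 back door magic SI=4647h",             SIG_SI_FG),
    BYTESIG("02 back door magic DI=4A4Dh",             SIG_DI_JM),
    BYTESIG("03 int 2Fh/1684h, VxD ID 0202h (SICE)",   SIG_VXD_SICE),
    BYTESIG("04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", SIG_VXD_SIWV),
    BYTESIG("05 int 41h/4Fh debugger check",           SIG_INT41_4F),
    BYTESIG("07 int 68h/43h debugger check",           SIG_INT68_43),
    BYTESIG("12 VxDCall VWIN32_Int41Dispatch",         SIG_VXDCALL),
    STRSIG ("11 MeltICE device name",                  "\\\\.\\SICE"),
    STRSIG ("11 MeltICE device name",                  "\\\\.\\SIWVID"),
    STRSIG ("11 MeltICE device name",                  "\\\\.\\NTICE"),
    STRSIG ("13 SoftICE registry key",                 "NuMega\\SoftICE"),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

/* Scan buf[0..len) for every signature at every offset, in offset order.
 * All hits are counted; only the first max_hits are stored, so a caller
 * can size a bigger array from the return value. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t pos = 0; pos < len; pos++) {
        for (size_t i = 0; i < NSIGS; i++) {
            const sig_t *s = &SIGS[i];
            if (pos + s->len > len || memcmp(buf + pos, s->bytes, s->len) != 0)
                continue;
            if (n < max_hits) {
                hits[n].method = s->method;
                hits[n].offset = pos;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample image (not a real binary): a 16-bit routine that runs the
 * int 41h/4Fh check, then the back door call, followed by a MeltICE string. */
static const uint8_t SAMPLE_IMAGE[] = {
    0x55, 0x8B, 0xEC, 0x90, 0x90,                 /* push bp; mov bp,sp; nop; nop           */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                 /* mov ax,4Fh; int 41h        (method 05) */
    0x3D, 0x86, 0xF3, 0x74, 0x10,                 /* cmp ax,0F386h; jz detected             */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,           /* mov si,4647h; mov di,4A4Dh (method 02) */
    0xB8, 0x11, 0x09, 0xCC,                       /* mov ax,0911h; int 3                    */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0, /* the string \\.\SICE        (method 11) */
    0xC3                                          /* ret                                    */
};

#define MAX_SAMPLE_HITS 16

/* Helpers over the sample image, so results can be checked without printing. */
size_t sample_hit_count(void)
{
    hit_t hits[MAX_SAMPLE_HITS];
    return scan_anti_softice(SAMPLE_IMAGE, sizeof(SAMPLE_IMAGE), hits, MAX_SAMPLE_HITS);
}

/* Offset of the i-th hit in the sample image, or (size_t)-1 if there is none. */
size_t sample_hit_offset(size_t i)
{
    hit_t hits[MAX_SAMPLE_HITS];
    size_t n = scan_anti_softice(SAMPLE_IMAGE, sizeof(SAMPLE_IMAGE), hits, MAX_SAMPLE_HITS);
    return (i < n && i < MAX_SAMPLE_HITS) ? hits[i].offset : (size_t)-1;
}

/* Method label of the i-th hit in the sample image, or "" if there is none. */
const char *sample_hit_method(size_t i)
{
    hit_t hits[MAX_SAMPLE_HITS];
    size_t n = scan_anti_softice(SAMPLE_IMAGE, sizeof(SAMPLE_IMAGE), hits, MAX_SAMPLE_HITS);
    return (i < n && i < MAX_SAMPLE_HITS) ? hits[i].method : "";
}

int main(void)
{
    hit_t hits[MAX_SAMPLE_HITS];
    size_t n = scan_anti_softice(SAMPLE_IMAGE, sizeof(SAMPLE_IMAGE), hits, MAX_SAMPLE_HITS);
    for (size_t i = 0; i < n && i < MAX_SAMPLE_HITS; i++)
        printf("offset 0x%04zx: %s\n", hits[i].offset, hits[i].method);
    return 0;
}
```

Any C99 compiler builds it; on the constructed image it reports the int 41h check at offset 5, the two back door magic values at 15 and 18, and the device name at 25. Byte matching is deliberately narrow: a different register order, a 66h prefix placed elsewhere, or push 4Fh encoded as 68 4F 00 00 00 changes the bytes around these cores, which is why a scanner meant for real packers should match on disassembled instructions instead.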