<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' signature BoundsChecker uses to talk to SoftICE
        mov ax, 04h             ; BoundsChecker sub-function
        int 3                   ; if SoftICE is loaded, its int 3 handler answers...
        cmp al,4                ; ...by changing AL; AL still 4 means nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911     ; execute command.
        4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647     ; 1st magic value.
        4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT  3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB   0095        ; 6 different commands.
        4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not present)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh function 1684h: get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not present)
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh              ; int 41h function 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; a system debugger answers with AX=0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES is assumed to be 0 (IVT): swap our own handler
        xchg bx, es:[41h*4+2]   ; into the int 41h vector (offset, then segment)
        mov ax,4fh
        int 41h                 ; our handler just irets, so AX stays 4Fh...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; ...unless a debugger intercepted the int before it
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL to prove it ran
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler in the int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = timer value (unpredictable, not a function code)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL means our handler never ran:
        jnz SoftICE_detected    ; something intercepted int 41h before it

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h              ; int 68h function 43h: debugger installation check
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; int 21h function 25h: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name; only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

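The opcode sequences behind Methods 01, 02, 03/04, 05, 07, 11 and 12 above also make good static signatures for an analyst who wants to know whether a binary carries one of these stubs before running it under a debugger. The scanner below is an added example written for this page, not code from the original text: the byte patterns are the x86 encodings of the instructions listed in each method, and the sample image it scans is constructed here from those same stubs.

```python
import re
from typing import List, Tuple

# Signatures for the anti-SoftICE stubs described on this page (x86 opcode
# encodings; 16-bit code for the DOS/V86 tricks, 32-bit code for the Win32 ones).
# The .{0,n}? wildcards allow a few bytes between the immediate and the interrupt.
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3", rb"\xBD\x4B\x48\x43\x42.{0,10}?\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (backdoor magic values)
    ("02 int 3 backdoor SI=4647h DI=4A4Dh",
     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,10}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h SICE or SIWVID VxD id",
     rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh debugger check", rb"\xB8\x4F\x00.{0,12}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h debugger check", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    ("11 MeltICE driver name", rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in RULES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, rule name) for every signature hit, sorted by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: NOP filler around stubs encoded from the page."""
    nops = b"\x90" * 16
    hasp = (b"\xB8\x11\x09"             # mov ax,0911h      (Method 02, Haspinst.exe)
            b"\x8B\x17"                 # mov dx,[bx]
            b"\xBE\x47\x46"             # mov si,4647h
            b"\xBF\x4D\x4A"             # mov di,4A4Dh
            b"\xCC")                    # int 3
    bchk = (b"\xBD\x4B\x48\x43\x42"     # mov ebp,4243484Bh (Method 01, 32-bit code)
            b"\x66\xB8\x04\x00"         # mov ax,4
            b"\xCC\x3C\x04")            # int 3 ; cmp al,4
    vxd = (b"\x33\xFF\x8E\xC7"          # xor di,di ; mov es,di (Method 04)
           b"\xB8\x84\x16\xBB\x5F\x7A"  # mov ax,1684h ; mov bx,7A5Fh
           b"\xCD\x2F")                 # int 2Fh
    int41 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    melt = b"\\\\.\\SICE\x00"           # "\\.\SICE" as passed to CreateFileA (Method 11)
    vxdcall = (b"\x6A\x4F\x68\x2A\x00\x2A\x00"   # push 4Fh ; push 002A002Ah (Method 12)
               b"\xE8\x00\x00\x00\x00"           # call rel32 (target irrelevant here)
               b"\x66\x3D\x86\xF3")              # cmp ax,0F386h
    return (nops + hasp + nops + bchk + nops + vxd + nops + int41
            + nops + melt + nops + vxdcall)


if __name__ == "__main__":
    for off, name in scan(build_sample()):
        print(f"{off:#06x}  {name}")
```

Run it over a real DOS or Win9x executable by replacing build_sample() with the file's bytes; a hit only says the stub is present, so confirm in the disassembly that it is actually reached.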
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>