About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded,
its int 3 handler recognizes the 'BCHK' value in EBP and returns with AL
no longer equal to the 04h that was put there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is loaded, ES:DI comes back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler (offset)...
    xchg    bx, es:[41h*4+2]; ...and segment; the old vector is kept in bx:dx
    mov     ax,4fh
    int     41h             ; if a system debugger intercepts int 41h, our handler never runs
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                    ; leaves ax untouched when no debugger is present
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:
instead of looking for the magic number, it checks whether its own int 41h
handler was actually called.


int41handler PROC
    mov     cl,al           ; our handler copies al into cl...
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install int41handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value (timer 0 counter)
    xor     cx,cx           ; cl = 0
    int     41h             ; if SoftICE intercepts int 41h, int41handler never runs
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; ...so cl is still 0 instead of al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; int number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

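The two DR7 fingerprints quoted above differ only in bits 8 and 9 (LE/GE, the "exact breakpoint" enables) sitting on top of bit 10, which is reserved and always reads as 1 (hence 0x400 on a clean machine). The C below is an added example, not code from the original text: it decodes a DR7 value the way a ring0 check would after MOV EAX,DR7, and counts the DR0-DR3 slots that are armed, which is what a BPM leaves behind. The sample values are constructed; nothing here reads the real registers, since that instruction is privileged.

```c
/* Added example: decode the DR7 control register that Method 10 reads.
 * Sample values are constructed; reading DR7 for real needs ring0. */
#include <stdint.h>
#include <stdio.h>

/* One entry per hardware breakpoint slot (DR0..DR3). */
typedef struct {
    int local;      /* L0..L3 (bits 0,2,4,6): enabled for the current task */
    int global;     /* G0..G3 (bits 1,3,5,7): enabled for all tasks */
    int rw;         /* R/Wn (bits 16+4n): 0=exec, 1=write, 2=I/O, 3=read/write */
    int len;        /* LENn (bits 18+4n): 0=1 byte, 1=2 bytes, 3=4 bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le;         /* bit 8:  local exact breakpoint enable */
    int ge;         /* bit 9:  global exact breakpoint enable */
    int gd;         /* bit 13: general detect, traps any access to DRn */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d = {0};
    for (int i = 0; i < 4; i++) {
        d.slot[i].local  = (dr7 >> (2 * i)) & 1;
        d.slot[i].global = (dr7 >> (2 * i + 1)) & 1;
        d.slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        d.slot[i].len    = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Slots with L or G set: non-zero means a hardware (BPM-style) breakpoint
 * is armed, whatever DR0..DR3 currently point at. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (d.slot[i].local || d.slot[i].global)
            n++;
    return n;
}

/* The text's heuristic: 0x700 (LE+GE set) vs 0x400 (reserved bit only),
 * extended to "or any slot armed". */
int dr7_looks_like_debugger_loaded(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    return d.le || d.ge || dr7_armed_count(dr7) > 0;
}

int main(void)
{
    /* Constructed samples: clean machine, SoftICE loader, and one BPM
     * (DR0 local, read/write, 4 bytes -> bits 0, 16-17, 18-19). */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x000F0001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_t d = dr7_decode(samples[i]);
        printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d debugger=%s\n",
               samples[i], d.le, d.ge, d.gd, dr7_armed_count(samples[i]),
               dr7_looks_like_debugger_loaded(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

A real ring0 check would also read DR0-DR3 and compare them against the addresses it wants to protect; the decoder above tells you whether a comparison is even needed.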
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the driver only answers the open request if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


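The "classical" breakpoint above, `*(esp->4+4)=='SICE'`, reads: take the first CreateFileA argument (lpFileName, at esp+4), skip the four bytes of the `\\.\` prefix, and compare the next four bytes. Only four bytes are compared, which is why 'NTIC' also catches `\\.\NTICE`, and the same string reaches `_lopen` in the AZPR3.00 variant. The C below is an added example, not code from the original text or from MeltICE: it performs that comparison on the host so the three patterns can be exercised against a constructed trace of filename arguments. It assumes the byte-string (ANSI) API, as on the page; a program calling CreateFileW would pass UTF-16 and the four bytes at +4 would read "S\0I\0", so this check would miss it.

```c
/* Added example: the SoftICE breakpoint condition *(esp->4+4)=='SICE'
 * re-implemented in C, run over a constructed list of CreateFileA/_lopen
 * filename arguments.  ANSI strings only (the page's CreateFileA case). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 4-byte tags the breakpoint compares, and the driver each one stands for.
 * memcmp on the bytes avoids C's implementation-defined 'SICE' constant. */
static const struct { const char tag[5]; const char *driver; } kSoftIceTags[] = {
    { "SICE", "SICE"   },   /* SoftICE, Win9x */
    { "SIWV", "SIWVID" },   /* SoftICE video driver, Win9x */
    { "NTIC", "NTICE"  },   /* SoftICE, Windows NT */
};

/* Returns the SoftICE driver name the path would open, or NULL. */
const char *softice_device_probe(const char *lpFileName)
{
    if (lpFileName == NULL || strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return NULL;                      /* not a device path at all */
    const char *tag = lpFileName + 4;     /* the "+4" in esp->4+4 */
    if (strlen(tag) < 4)                  /* shorter than any tag */
        return NULL;
    for (size_t i = 0; i < sizeof kSoftIceTags / sizeof kSoftIceTags[0]; i++)
        if (memcmp(tag, kSoftIceTags[i].tag, 4) == 0)
            return kSoftIceTags[i].driver;
    return NULL;
}

/* Replay a trace of filename arguments and count how many would have
 * fired the breakpoint. */
size_t softice_probe_count(const char *const *trace, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (softice_device_probe(trace[i]) != NULL)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample trace: the \\.\SICE entries mirror the MeltICE
     * and AZPR3.00 snippets above; the rest are ordinary opens. */
    const char *trace[] = {
        "\\\\.\\SICE",
        "C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL",
        "\\\\.\\SIWVID",
        "\\\\.\\NTICE",
        "\\\\.\\SI",                      /* too short: no match */
        "\\\\.\\PhysicalDrive0",          /* a device, but not SoftICE */
    };
    size_t n = sizeof trace / sizeof trace[0];
    for (size_t i = 0; i < n; i++) {
        const char *drv = softice_device_probe(trace[i]);
        printf("%-36s -> %s\n", trace[i], drv ? drv : "(no break)");
    }
    printf("%zu of %zu opens were SoftICE probes\n",
           softice_probe_count(trace, n), n);
    return 0;
}
```

Matching on four bytes keeps the breakpoint cheap, but it also means the NTIC pattern would fire on any other device whose name starts with those letters; the BPX on VMM_GetDDBList quoted above avoids the string entirely by breaking on the DDB lookup instead.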
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
' p0 g  B! j1 v8 ]% V</PRE></TD></TR></TBODY></TABLE>