About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker ('BCHK') interface of SoftICE: with ebp='BCHK'
and ax=4, an int 3 reaches SoftICE, which answers by changing al. If al
is still 4 afterwards, nothing handled the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so that anything installed in the real-mode vector
(a TSR hiding the debugger, for instance) is bypassed; SoftICE, which catches
the interrupt itself, still returns the magic number:

    xor     ax,ax
    mov     es,ax                   ; ES -> IVT (segment 0), needed for es:[41h*4]
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
no 4Fh/0F386h constants appear. A random byte (read from the timer port) is
passed in al, cx is zeroed, and int 41h is called with a private handler
installed that copies al into cl. If the handler ran, cl==al; if SoftICE
intercepts int 41h and does not pass it on to the vector, cl is still 0 and
the debugger is detected.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 always reads as 1, which is the 0x400, and 0x700 adds the LE
and GE exact-match bits 8 and 9) or if there are some memory breakpoints set
(dr0 to dr3) simply by reading their value (in ring0 only). Values can be
manipulated or changed as well (clearing BPMs for instance).

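The DR7 bit layout behind the 0x400 / 0x700 values above, as an added example (my code, not part of the original text or of any SoftICE tool): it decodes a DR7 image, arms a slot the way a memory breakpoint would, scores the result the way Method 10 reads it, and applies the "clearing BPMs" manipulation the text mentions. Reading the real registers is ring0 only, so the values fed in below are constructed; the register layout is the documented Intel one.

```c
/* dr7_decode.c: decode / build / clear the DR7 debug-control image from
 * Method 10. Added example; the sample values are constructed inputs, the
 * bit layout is Intel's documented DR7 layout. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DR7_LE        (1u << 8)   /* local exact breakpoint match            */
#define DR7_GE        (1u << 9)   /* global exact breakpoint match           */
#define DR7_RESERVED1 (1u << 10)  /* reserved, always reads as 1 (the 0x400) */
#define DR7_GD        (1u << 13)  /* general detect: trap MOV to/from DRn    */

enum dr7_rw  { DR7_RW_EXEC = 0, DR7_RW_WRITE = 1, DR7_RW_IO = 2, DR7_RW_RDWR = 3 };
enum dr7_len { DR7_LEN_1 = 0, DR7_LEN_2 = 1, DR7_LEN_8 = 2, DR7_LEN_4 = 3 };

struct dr7_info {
    bool     local[4];   /* Ln: slot n enabled for the current task  */
    bool     global[4];  /* Gn: slot n enabled for every task         */
    unsigned rw[4];      /* R/Wn: break condition (enum dr7_rw)       */
    unsigned len[4];     /* LENn: operand size (enum dr7_len)         */
    bool     le, ge, gd;
    unsigned armed;      /* number of slots with Ln or Gn set         */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info i = {0};
    for (unsigned n = 0; n < 4; n++) {
        i.local[n]  = (dr7 >> (2 * n))      & 1u;
        i.global[n] = (dr7 >> (2 * n + 1))  & 1u;
        i.rw[n]     = (dr7 >> (16 + 4 * n)) & 3u;
        i.len[n]    = (dr7 >> (18 + 4 * n)) & 3u;
        if (i.local[n] || i.global[n]) i.armed++;
    }
    i.le = (dr7 & DR7_LE) != 0;
    i.ge = (dr7 & DR7_GE) != 0;
    i.gd = (dr7 & DR7_GD) != 0;
    return i;
}

/* Arm slot n: this is what a BPM-style memory breakpoint looks like in DR7
 * (the address itself lives in DR0..DR3). */
uint32_t dr7_arm(uint32_t dr7, unsigned n, enum dr7_rw rw, enum dr7_len len, bool global)
{
    dr7 &= ~(0xFu << (16 + 4 * n));            /* clear R/Wn and LENn */
    dr7 |= (uint32_t)rw  << (16 + 4 * n);
    dr7 |= (uint32_t)len << (18 + 4 * n);
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    return dr7 | DR7_RESERVED1;
}

/* The "clearing BPMs" manipulation: drop every enable bit and every
 * condition/length field, keep LE/GE/GD and the reserved bit. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RESERVED1;
}

/* Method 10's check. 0: nothing armed, no exact-match bits (the 0x400 case);
 * 1: LE/GE set but no breakpoint (the 0x700 "loaded via the SoftICE loader"
 * case); 2: a slot is armed or an address is still present in DR0..DR3. */
int dr7_debugger_score(uint32_t dr7, const uint32_t dr0_3[4])
{
    struct dr7_info i = dr7_decode(dr7);
    if (i.armed) return 2;
    for (unsigned n = 0; n < 4; n++)
        if (dr0_3[n]) return 2;
    return (i.le || i.ge) ? 1 : 0;
}

/* Constructed inputs: no real register is read here. */
const uint32_t DR_NONE[4] = { 0, 0, 0, 0 };
const uint32_t DR_ONE[4]  = { 0x00401000u, 0, 0, 0 };

int main(void)
{
    printf("dr7=0x400 -> score %d\n", dr7_debugger_score(0x400, DR_NONE));
    printf("dr7=0x700 -> score %d\n", dr7_debugger_score(0x700, DR_NONE));
    uint32_t bpm = dr7_arm(0x700, 0, DR7_RW_WRITE, DR7_LEN_4, false);
    printf("BPM W on dr0 -> dr7=0x%05X, score %d\n", bpm, dr7_debugger_score(bpm, DR_ONE));
    printf("after clearing -> dr7=0x%03X\n", dr7_clear_breakpoints(bpm));
    return 0;
}
```

The score function deliberately treats a non-zero DR0..DR3 as suspicious even when its slot is disabled: a debugger that only cleared the enable bits leaves the address behind, which is exactly the kind of residue a ring0 check can read.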
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. the Win9x SoftICE
 * VxD is loaded. SIWVID and NTICE are checked the same way. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (on entry to CreateFileA, esp->4 is the lpFileName argument; +4 skips the
  4-byte "\\.\" prefix, so the dword compared is the start of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

  (esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" inside
  "Software\NuMega\SoftICE" and 0x37 its offset inside the Uninstall path
  of key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
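A static scanner for the signatures catalogued in Methods 01 to 05, 07, 11, 12 and 13 above, as an added example (my code; it is not part of the original text nor of any tool named on the page). The hex patterns are the encodings of the instructions each section quotes: 16-bit code for the DOS/int sequences, 32-bit for the Method 12 pushes. SAMPLE is a constructed buffer, not a real program. A different register order, a segment override or a 32-bit build of a 16-bit sequence changes the bytes, so a miss is inconclusive; a hit tells you which BPX from the sections above to set.

```c
/* anti_sice_scan.c: static scanner for the anti-SoftICE signatures above.
 * Added example, not from the original text. Hex patterns are my encodings
 * of the quoted instructions (16-bit code except Method 12, which is 32-bit);
 * SAMPLE is a constructed buffer. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPAT 32

struct sig { const char *name; const char *hex; const char *str; };

static const struct sig SIGS[] = {
    /* Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 */
    { "M01 BCHK int 3",          "66 BD 4B 48 43 42 B8 04 00 CC 3C 04", NULL },
    /* Method 02: mov si,4647h / mov di,4A4Dh (the back-door magic values) */
    { "M02 back-door magic",     "BE 47 46 BF 4D 4A", NULL },
    /* Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh */
    { "M03 int 2F/1684h SICE",   "B8 84 16 BB 02 02 CD 2F", NULL },
    { "M04 int 2F/1684h SIWVID", "B8 84 16 BB 5F 7A CD 2F", NULL },
    /* Method 05: mov ax,4Fh / int 41h */
    { "M05 int 41h/4Fh",         "B8 4F 00 CD 41", NULL },
    /* Method 07: mov ah,43h / int 68h */
    { "M07 int 68h/43h",         "B4 43 CD 68", NULL },
    /* Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
    { "M12 VxDCall 002A002A/4F", "6A 4F 68 2A 00 2A 00", NULL },
    /* Method 11: device names opened with CreateFileA / _lopen */
    { "M11 device name SICE",    NULL, "\\\\.\\SICE" },
    { "M11 device name SIWVID",  NULL, "\\\\.\\SIWVID" },
    { "M11 device name NTICE",   NULL, "\\\\.\\NTICE" },
    /* Method 13: registry keys */
    { "M13 NuMega key",          NULL, "Software\\NuMega\\SoftICE" },
    { "M13 Uninstall key",       NULL, "Uninstall\\SoftICE" },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static unsigned hexval(char c)
{
    return isdigit((unsigned char)c) ? (unsigned)(c - '0')
                                     : (unsigned)(toupper((unsigned char)c) - 'A' + 10);
}

/* Turn a signature (hex text or plain string) into raw bytes; returns length. */
static size_t sig_bytes(const struct sig *s, uint8_t *out)
{
    size_t n = 0;
    if (s->str) {
        n = strlen(s->str);
        if (n > MAXPAT) n = MAXPAT;
        memcpy(out, s->str, n);
        return n;
    }
    for (const char *p = s->hex; n < MAXPAT; p += 2) {
        while (*p == ' ') p++;
        if (!p[0] || !p[1]) break;
        out[n++] = (uint8_t)((hexval(p[0]) << 4) | hexval(p[1]));
    }
    return n;
}

struct hit { const char *name; size_t offset; };

/* Scan buf for every signature; returns the total number of hits and fills
 * out[] with the first max_out of them (out may be NULL when max_out is 0). */
size_t scan_anti_sice(const uint8_t *buf, size_t len, struct hit *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        uint8_t pat[MAXPAT];
        size_t plen = sig_bytes(&SIGS[s], pat);
        for (size_t off = 0; plen && off + plen <= len; off++) {
            if (memcmp(buf + off, pat, plen) != 0) continue;
            if (hits < max_out) { out[hits].name = SIGS[s].name; out[hits].offset = off; }
            hits++;
        }
    }
    return hits;
}

/* Constructed sample (not a real binary): the sequences from Methods 01, 02,
 * 11, 12 and 13 glued together with NOP padding. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, /* Method 01 */
    0x90, 0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,           /* HASP loop (Method 02) */
    0x90,
    '\\','\\','.','\\','S','I','C','E', 0,                                      /* Method 11 */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                                        /* Method 12 */
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\',
    'S','o','f','t','I','C','E', 0,                                             /* Method 13 */
};

size_t sample_hit_count(void)
{
    return scan_anti_sice(SAMPLE, sizeof SAMPLE, NULL, 0);
}

/* Offset of the first hit for a given signature name, or (size_t)-1. */
size_t sample_hit_offset(const char *name)
{
    struct hit h[32];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        if (strcmp(h[i].name, name) == 0) return h[i].offset;
    return (size_t)-1;
}

int main(void)
{
    struct hit h[32];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, h, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("%-26s at offset 0x%02zx\n", h[i].name, h[i].offset);
    printf("%zu hit(s)\n", n);
    return 0;
}
```

To scan a real file, read it into a buffer and pass it to scan_anti_sice; the hit offsets are file offsets, so add the section's image base if you want the address for a BPX.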
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (鲁ICP备19052200号-1)
