<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: an INT 3 issued with
EBP='BCHK' and AX=4 is answered by the BoundsChecker interface SoftICE
exposes, which changes AL, while an unhooked INT 3 returns with AL still 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; unhooked INT 3 leaves AL untouched
        jnz SoftICE_Detected    ; SoftICE answered the BCHK request

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP           ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. HBOOT is a hard reboot of the
machine, so never let this loop run with SoftICE loaded; break before the INT 3
(BPINT 3 if ax==0911 &amp;&amp; si==4647) and patch the jump instead.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point). A loaded VxD answers by returning the address of
its API entry point in ES:DI; if no VxD with that ID is loaded, ES:DI is left
at the 0:0 the caller set up.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh: Get VxD API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (or ax,di would avoid a wrap-around false negative)
        test ax,ax              ; still 0:0 -> no SoftICE VxD
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, the video driver SoftICE loads alongside WINICE).

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh: Get VxD API Entry Point
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector in the IVT with a do-nothing handler, so that on a machine without a
system debugger AX comes back unchanged; only a debugger that intercepts the
interrupt before the IVT is consulted still answers with 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 (IVT segment, needed for es:[41h*4])
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only runs if the int really reached the IVT
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (IVT segment)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a pseudo-random byte from the timer (PIT channel 0)
        xor cx,cx
        int 41h                 ; no debugger: our handler copies AL into CL
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL still 0 -> something else swallowed int 41h
        jnz SoftICE_detected

Nothing here loads 4Fh or compares against 0F386h, so a BPINT 41 conditioned
on AX==4F (as used against Method 12) never fires. The trick has a small flaw
of its own: if the byte read from port 40h happens to be 0, CL and AL are equal
whether or not the handler ran, and the check reports "not detected".

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip
        is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

You can catch the vector change before it happens with:

        BPINT 21 if ah==25 &amp;&amp; (al==1 || al==3)

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________+ T) U6 G& W0 I' k

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE's loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance). MOV to/from a debug register is a privileged
instruction (it raises a general protection fault from ring 3), which is why
this check has to live in a VxD or be reached through one.
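
Since the page only quotes the two raw DR7 values, here is an added C example
(not code from this page, from SoftICE or from any packer) that decodes DR7
the way a ring-0 check would after a mov eax,dr7: which of DR0..DR3 are
armed, with what access type and length, and whether the LE/GE bits that make
0x700 differ from 0x400 are set. It also arms and clears a BPM-style slot so
you can see what "clearing BPMs" means at the bit level. The values it feeds
itself are constructed samples; reading the real register is privileged and
is not attempted. The bit layout follows the Intel SDM; the function names
are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bit 2n    L<n>  local enable for DR<n>          (n = 0..3)
 *   bit 2n+1  G<n>  global enable for DR<n>
 *   bit 8     LE, bit 9 GE  (exact-breakpoint bits; the page reports SoftICE's
 *             loader leaves both set, giving 0x700 instead of 0x400)
 *   bit 10    reserved, always reads as 1 -> an idle DR7 reads 0x400
 *   bit 13    GD    general detect (trap any MOV to/from DRn)
 *   bits 16+4n..17+4n  R/W<n>: 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write
 *   bits 18+4n..19+4n  LEN<n>: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (64-bit)
 */
#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)
#define DR7_RESERVED (1u << 10)
#define DR7_GD       (1u << 13)

int      dr7_bp_enabled(uint32_t dr7, int n) { return ((dr7 >> (2 * n)) & 3u) ? 1 : 0; }
unsigned dr7_bp_rw(uint32_t dr7, int n)      { return (dr7 >> (16 + 4 * n)) & 3u; }
unsigned dr7_bp_len(uint32_t dr7, int n)     { return (dr7 >> (18 + 4 * n)) & 3u; }

/* Number of armed DR0..DR3 slots: the "are there BPMs set?" question. */
int dr7_active_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_bp_enabled(dr7, n);
    return c;
}

/* The 0x700-vs-0x400 distinction: LE and GE set on top of the always-on
 * reserved bit. This is only the page's observation about SoftICE's loader;
 * other debuggers and OS kernels may set LE/GE as well. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    const uint32_t want = DR7_LE | DR7_GE | DR7_RESERVED;
    return (dr7 & want) == want;
}

/* Arm slot n as a memory breakpoint with the given R/W and LEN, local or global. */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len, int global)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));          /* clear the old R/W and LEN fields */
    dr7 |= (rw  & 3u) << (16 + 4 * n);
    dr7 |= (len & 3u) << (18 + 4 * n);
    return dr7;
}

/* Disarm slot n: what the page means by "clearing BPMs". */
uint32_t dr7_disarm(uint32_t dr7, int n)
{
    dr7 &= ~(3u  << (2 * n));
    dr7 &= ~(0xFu << (16 + 4 * n));
    return dr7;
}

/* One-line human readable summary of a DR7 value. */
void dr7_describe(uint32_t dr7)
{
    static const char *rw_names[]  = { "exec", "write", "io", "read/write" };
    static const int   len_bytes[] = { 1, 2, 8, 4 };   /* LEN encoding 0,1,2,3 */
    printf("DR7=0x%08X LE=%u GE=%u GD=%u armed=%d\n", (unsigned)dr7,
           (unsigned)((dr7 >> 8) & 1), (unsigned)((dr7 >> 9) & 1),
           (unsigned)((dr7 >> 13) & 1), dr7_active_count(dr7));
    for (int n = 0; n < 4; n++)
        if (dr7_bp_enabled(dr7, n))
            printf("  DR%d: %s, %d byte(s), %s\n", n, rw_names[dr7_bp_rw(dr7, n)],
                   len_bytes[dr7_bp_len(dr7, n)],
                   ((dr7 >> (2 * n + 1)) & 1) ? "global" : "local");
}

int main(void)
{
    dr7_describe(0x400);                         /* constructed: idle, nothing loaded */
    dr7_describe(0x700);                         /* constructed: started via SoftICE's loader */
    uint32_t v = dr7_arm(0x700, 0, 1, 3, 0);     /* a BPM-style 4-byte write breakpoint in DR0 */
    dr7_describe(v);
    dr7_describe(dr7_disarm(v, 0));              /* the BPM cleared again */
    return 0;
}
```

A detector that only compares DR7 against 0x700 is fragile (the LE/GE bits are
not SoftICE-specific); checking dr7_active_count() for armed slots, as the
page's "memory breakpoints set" variant does, is the more reliable signal, and
it is also what a BPM-clearing routine needs.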

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device path \\.\SICE; the open only succeeds
       if a driver registered under that name is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the four
  bytes compared are the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey string; 0x13 and 0x37 are the offsets of "tICE"
  inside the subkey strings of #2 and #1 respectively)
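
The instruction pairs of Methods 01 to 07 and the device and registry names
of Methods 11 and 13 all leave fixed byte sequences in a binary, so they can
be flagged by a scanner before the target is ever run. The following C program
is an added example, not code from this page, from NuMega or from any packer:
it hard-codes the 16-bit encodings of the listed instruction pairs (hand-
assembled from the listings above) plus the \\.\SICE, \\.\SIWVID, \\.\NTICE and
Software\NuMega\SoftICE strings, and runs them over a small constructed buffer
that mimics the Haspinst.exe loop, the int 2Fh/1684h query and the MeltICE
device name. The signature names, the sample bytes and the function names are
mine. Real code may put other instructions between the two MOVs or load the
magic values differently, so a miss means "not present in this form", not
"clean".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One signature: a byte pattern that a SoftICE check leaves behind in a binary. */
struct sig {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
};

/* 16-bit x86 encodings of the instruction pairs quoted on this page. The 'BCHK'
 * MOV is matched from its BD opcode so both 66 BD.. (16-bit code) and BD..
 * (32-bit code) hit. */
static const uint8_t p_bchk[]          = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };               /* mov ebp,4243484Bh (Method 01) */
static const uint8_t p_int3_backdoor[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };         /* mov si,4647h / mov di,4A4Dh (Method 02) */
static const uint8_t p_int2f_sice[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh (Method 03) */
static const uint8_t p_int2f_siwvid[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same with bx,7A5Fh (Method 04) */
static const uint8_t p_int41_4f[]      = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };               /* mov ax,4Fh / int 41h (Method 05) */
static const uint8_t p_int68_43[]      = { 0xB4, 0x43, 0xCD, 0x68 };                     /* mov ah,43h / int 68h (Method 07) */

/* String signatures from Methods 11 and 13; the literal's trailing NUL is excluded. */
#define STR_SIG(n, lit) { n, (const uint8_t *)(lit), sizeof(lit) - 1 }

static const struct sig sigs[] = {
    { "bchk",          p_bchk,          sizeof p_bchk },
    { "int3_backdoor", p_int3_backdoor, sizeof p_int3_backdoor },
    { "int2f_sice",    p_int2f_sice,    sizeof p_int2f_sice },
    { "int2f_siwvid",  p_int2f_siwvid,  sizeof p_int2f_siwvid },
    { "int41_4f",      p_int41_4f,      sizeof p_int41_4f },
    { "int68_43",      p_int68_43,      sizeof p_int68_43 },
    STR_SIG("dev_sice",   "\\\\.\\SICE"),
    STR_SIG("dev_siwvid", "\\\\.\\SIWVID"),
    STR_SIG("dev_ntice",  "\\\\.\\NTICE"),
    STR_SIG("reg_numega", "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Offset of the first occurrence of p[0..plen) in buf, or -1. */
static long find_bytes(const uint8_t *buf, size_t len, const uint8_t *p, size_t plen)
{
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, p, plen) == 0) return (long)i;
    return -1;
}

/* Offset of the named signature in buf, or -1 if absent or the name is unknown. */
long find_sig(const uint8_t *buf, size_t len, const char *name)
{
    for (size_t s = 0; s < NSIGS; s++)
        if (strcmp(sigs[s].name, name) == 0)
            return find_bytes(buf, len, sigs[s].bytes, sigs[s].len);
    return -1;
}

/* Count every (signature, offset) hit in buf, printing each one when verbose. */
int scan_softice_checks(const uint8_t *buf, size_t len, int verbose)
{
    int hits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        size_t start = 0;
        long off;
        while (start < len &&
               (off = find_bytes(buf + start, len - start, sigs[s].bytes, sigs[s].len)) >= 0) {
            if (verbose)
                printf("%-14s at offset 0x%04zx\n", sigs[s].name, start + (size_t)off);
            hits++;
            start += (size_t)off + 1;
        }
    }
    return hits;
}

/* Constructed sample "binary" (not taken from any real file): the Haspinst-style
 * back door loop of Method 02, the int 2Fh/1684h query of Method 03 and the
 * MeltICE device name of Method 11, with a few NOPs between them. */
const uint8_t sample[] = {
    0x90, 0x90, 0x90,                               /* 0x00: nop x3 */
    0xB8, 0x11, 0x09,                               /* 0x03: mov ax,0911h */
    0x8B, 0x17,                                     /* 0x06: mov dx,[bx] */
    0xBE, 0x47, 0x46,                               /* 0x08: mov si,4647h  <- int3_backdoor */
    0xBF, 0x4D, 0x4A,                               /* 0x0B: mov di,4A4Dh */
    0xCC,                                           /* 0x0E: int 3 */
    0x90,                                           /* 0x0F: nop */
    0x33, 0xFF, 0x8E, 0xC7,                         /* 0x10: xor di,di / mov es,di */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F, /* 0x14: mov ax,1684h / mov bx,0202h / int 2Fh  <- int2f_sice */
    0x00,                                           /* 0x1C: filler */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* 0x1D: "\\.\SICE"  <- dev_sice */
};
const size_t sample_len = sizeof sample;

int main(void)
{
    int n = scan_softice_checks(sample, sample_len, 1);
    printf("%d anti-SoftICE signature hit(s) in %zu bytes\n", n, sample_len);
    return 0;
}
```

The string signatures are the ones a BPX CreateFileA or BPX _regopenkey
condition keys on at run time; matching them statically is cheaper but
misses names that are built at run time or stored obfuscated, which is exactly
why the run-time breakpoints above remain useful.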

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>