<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911        ; execute command.
    4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647        ; 1st magic value.
    4C19:009D MOV DI,4A4D        ; 2nd magic value.
    4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02          ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
    4C19:00A8 JB 0095            ; 6 different commands.
    4C19:00AA JMP 0002           ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; ES must point to the IVT (ES = 0, set up as in Method 06)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========
2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID           ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name         ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx               ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
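To make the dr7 values quoted above concrete, here is an added example (not from the original text) that decodes DR7 according to the Intel bit layout and applies the 0x700/0x400 rule of thumb; the function names and the sample values are mine.

```python
# Bit layout of the x86 DR7 debug-control register (Intel SDM, vol. 3):
#   bits 0,2,4,6   L0..L3   local enable for DR0..DR3
#   bits 1,3,5,7   G0..G3   global enable for DR0..DR3
#   bit 8          LE       local exact breakpoint enable
#   bit 9          GE       global exact breakpoint enable
#   bit 10         reserved, always reads as 1 (hence the 0x400 floor)
#   bit 13         GD       general detect: trap any MOV to/from DRx
#   bits 16-23     R/W0..R/W3  (2 bits each) break condition per slot
#   bits 24-31     LEN0..LEN3  (2 bits each) breakpoint length per slot
DR7_LE = 0x100
DR7_GE = 0x200
DR7_RESERVED = 0x400
DR7_GD = 0x2000
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) is 64-bit only


def decode_dr7(dr7: int) -> dict:
    """Break DR7 into its flags and the list of armed breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 2 * i)) & 3
            ln = (dr7 >> (24 + 2 * i)) & 3
            slots.append({"index": i,
                          "scope": "global" if glob else "local",
                          "condition": RW_NAMES[rw],
                          "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "slots": slots}


def classify_dr7(dr7: int) -> str:
    """Apply the rule of thumb from the text: 0x700 = loaded under the
    SoftICE loader (LE and GE set), 0x400 = only the reserved bit."""
    info = decode_dr7(dr7)
    if info["slots"]:
        return "hardware breakpoints armed (DR0-DR3 in use, e.g. a BPM)"
    if info["le"] and info["ge"]:
        return "LE and GE set: matches 0x700, the SoftICE loader case"
    return "only the reserved bit: matches 0x400, no debugger indicator"


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text plus a DR7 with
    # a global 4-byte write breakpoint armed in slot 1 (G1, RW1=01b, LEN1=11b).
    for value in (0x700, 0x400, 0xC040408):
        print(hex(value), classify_dr7(value), decode_dr7(value)["slots"])
```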
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh               ; function 4fh
    push 002a002ah               ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001        ; VxDCall
    cmp ax, 0f386h               ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!
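As an added example (not part of the original text), a Python triage scanner for the opcode and string signatures of Methods 01, 02, 05, 07, 11 and 12 above: the byte patterns were assembled here from the standard x86 encodings of the listed instructions, the signature names are mine, and the sample image is constructed, not taken from any real binary.

```python
import re

# Byte signatures for the anti-SoftICE checks described above.  Encodings are
# plain x86 (BD imm32 = mov ebp,imm32; B8 imm16 = mov ax,imm16; CD xx = int xx;
# 6A ib = push imm8; 68 id = push imm32); assembled here for this example.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (a few bytes may sit between)
    "m01_bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values)
    "m02_backdoor_magic": re.compile(rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Method 05: mov ax,4Fh ; int 41h (a 66h prefix in 32-bit code is just skipped)
    "m05_int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: device names handed to CreateFileA / _lopen
    "m11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan_for_softice_checks(data: bytes):
    """Return (offset, signature_name) pairs for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed test image: hand-assembled fragments of Methods 01, 12 and 11
# padded with NOPs and zeros, standing in for a section of a packed binary.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"            # mov ax, 4
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al, 4
    + b"\x75\x10"                    # jnz SoftICE_Detected
    + b"\x00" * 6
    + b"\x6A\x4F"                    # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"        # push 2A002Ah
    + b"\xFF\x15\x00\x10\x40\x00"    # call dword ptr [VxDCall]
    + b"\x66\x3D\x86\xF3"            # cmp ax, 0F386h
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"             # "\\.\SICE"
    + b"\\\\.\\NTICE\x00"            # "\\.\NTICE"
)

if __name__ == "__main__":
    for offset, name in scan_for_softice_checks(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {name}")
```

Run it over a raw section dump; a hit only flags a candidate and the bytes around it still need to be read as code, since the same byte sequences can occur in data.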
___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>