About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with ebp = 'BCHK'
and ax = 4, the int 3 is serviced by SoftICE, which modifies al; without
SoftICE nothing touches al and the compare succeeds.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door commands', which give infos on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is loaded, ES:DI comes back non-zero.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped
for a dummy handler, so a plain int 41h returns ax unchanged unless a system
debugger intercepts it below the vector table:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install dummy handler, keep old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies al into cl, so if the int 41h really reached it, cl
equals al afterwards; if a debugger intercepted it without passing it on,
cl stays 0.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the PIT counter port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========


This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!


__________________________________________________________________________
Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
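The BPX conditions given throughout the post catch these tricks at run time, from inside SoftICE. The complementary check a practitioner wants is a static one: once a target is unpacked, search its image for the instruction encodings and device names that Methods 01, 02, 03, 04, 05, 07, 11 and 12 leave behind. The C program below is an added example, not code from the original post or from any tool it mentions. It turns the listings above into byte signatures (immediates little-endian; the Method 02-07 patterns assume 16-bit DOS code, the BCHK probe and the VxDCall push assume 32-bit code) and runs them over a constructed sample buffer. Its assumptions are stated in the comments: a signature only matches the operand order shown on this page (a packer that loads si and di the other way round, or via another register, is missed), the short patterns can fire on unrelated bytes, and anything still packed or self-modifying has to be dumped first.

```c
/* antisice_scan.c: static scan of a code/data buffer for the byte patterns
 * left behind by the anti-SoftICE tricks described on this page.  Added
 * example, not code from the original text; SAMPLE below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *what;   /* method number on this page plus a short label */
    const uint8_t *bytes;  /* raw bytes to look for */
    size_t         len;
} sig_t;

typedef struct {
    size_t       offset;   /* where in the scanned buffer the pattern starts */
    const sig_t *sig;
} hit_t;

/* Encodings of the listings above, immediates little-endian.  Methods 02-07
 * are 16-bit DOS code (mov si,imm16 = BE iw, int n = CD ib); the BCHK probe
 * and the VxDCall push are 32-bit code (mov ebp,imm32 = BD id, push = 68 id).
 * Assumption: the exact operand order of the page's listings. */
static const uint8_t BCHK[]         = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh */
static const uint8_t BACKDOOR[]     = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h; mov di,4A4Dh */
static const uint8_t INT2F_SICE[]   = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t INT2F_SIWVID[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* same, mov bx,7A5Fh */
static const uint8_t INT41_4F[]     = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh; int 41h */
static const uint8_t INT68_43[]     = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h; int 68h */
static const uint8_t VXDCALL_41[]   = {0x68,0x2A,0x00,0x2A,0x00};                /* push 002A002Ah */

static const sig_t SIGS[] = {
    {"01 BCHK int 3 probe",                   BCHK,         sizeof BCHK},
    {"02 backdoor magic si/di",               BACKDOOR,     sizeof BACKDOOR},
    {"03 int 2Fh/1684h bx=0202h (SICE)",      INT2F_SICE,   sizeof INT2F_SICE},
    {"04 int 2Fh/1684h bx=7A5Fh (SIWVID)",    INT2F_SIWVID, sizeof INT2F_SIWVID},
    {"05 int 41h/4Fh",                        INT41_4F,     sizeof INT41_4F},
    {"07 int 68h/43h",                        INT68_43,     sizeof INT68_43},
    {"11 device name \\\\.\\SICE",            (const uint8_t *)"\\\\.\\SICE",   8},
    {"11 device name \\\\.\\SIWVID",          (const uint8_t *)"\\\\.\\SIWVID", 10},
    {"11 device name \\\\.\\NTICE",           (const uint8_t *)"\\\\.\\NTICE",  9},
    {"12 VxDCall 002A002Ah (Int41Dispatch)",  VXDCALL_41,   sizeof VXDCALL_41},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte-by-byte search.  Returns the total number of matches; at most
 * max_hits of them are written to hits[], in ascending offset order. */
size_t scan_buffer(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const sig_t *sg = &SIGS[s];
            if (sg->len <= len - i && memcmp(buf + i, sg->bytes, sg->len) == 0) {
                if (n < max_hits) {
                    hits[n].offset = i;
                    hits[n].sig = sg;
                }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: a 32-bit BCHK probe, then a 16-bit backdoor call in
 * the style of the Haspinst.exe listing, then a MeltICE device name.  The
 * 16- and 32-bit fragments are mixed only to exercise the scanner. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                      /* nop; nop */
    0xBD, 0x4B, 0x48, 0x43, 0x42,    /* mov ebp,4243484Bh ('BCHK')   -> offset 2 */
    0x66, 0xB8, 0x04, 0x00,          /* mov ax,4 */
    0xCC,                            /* int 3 */
    0x3C, 0x04,                      /* cmp al,4 */
    0x75, 0x10,                      /* jnz SoftICE_Detected */
    0xB8, 0x11, 0x09,                /* mov ax,0911h (execute SIce command) */
    0x8B, 0x17,                      /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                /* mov si,4647h                 -> offset 21 */
    0xBF, 0x4D, 0x4A,                /* mov di,4A4Dh */
    0xCC,                            /* int 3 */
    '\\','\\','.','\\','S','I','C','E',0, /* "\\.\SICE"               -> offset 28 */
    0xC3                             /* ret */
};

/* Scan the built-in sample; exposed so a caller can check the result. */
size_t scan_sample(hit_t *hits, size_t max_hits)
{
    return scan_buffer(SAMPLE, sizeof SAMPLE, hits, max_hits);
}

int main(void)
{
    hit_t hits[16];
    size_t n = scan_sample(hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %3zu: method %s\n", hits[i].offset, hits[i].sig->what);
    printf("%zu hit(s)\n", n);
    return 0;
}
```

Build with `cc -std=c99 -o antisice_scan antisice_scan.c`; the sample yields three hits (Methods 01, 02 and 11). To triage a real target, read the dumped image into a buffer and pass it to `scan_buffer`; a hit only tells you where to look, and the BPX conditions above remain the way to confirm it at run time.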