<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP = 'BCHK'
and AX = 4, SoftICE's INT 3 handler recognises the handshake and returns with
AL modified. If AL is still 4 afterwards, SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; answered by SoftICE's INT 3 handler if loaded
        cmp al, 4               ; AL unchanged -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used to call
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", which the HASP dongle
Envelope utility uses to protect DOS applications:


4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* The "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded: without SoftICE the INT 3 lands in the program's own
handler, which continues at 00AD; with SoftICE loaded the INT 3 is treated
as a back door call, returns normally, and the loop at 00A1 goes on.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). The call returns the VxD's API entry point in
ES:DI and leaves ES:DI = 0:0 if no VxD with that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; es+di != 0 -> an entry point was returned
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; es+di != 0 -> an entry point was returned
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They first point the int 41h vector at a
dummy IRET handler: if nobody but the program handles int 41h, AX comes back
unchanged; if SoftICE is loaded it intercepts the interrupt before the vector
is reached and AX contains 0F386h.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect, since
no function number is passed: the installed handler copies AL into CL, and CL
is compared with AL afterwards. If SoftICE intercepts int 41h, the handler is
never reached and CL stays 0.


int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (PIT counter)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler for int 68h (V86 mode): function 43h of
int 68h is the debugger installation check and returns 0F386h in AX when a
debugger is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints (BPM) are set (DR0 to DR3),
simply by reading their values (possible in ring 0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).
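The two DR7 values above are given without saying which bits they are. The
following decoder is an added example (it is not part of the original text
and not code from any program mentioned here): it splits a DR7 value into
its fields according to the IA-32 layout, the L/G enable bits of DR0..DR3,
LE/GE (the 0x300 that separates 0x700 from 0x400), the always-set reserved
bit 10 (the 0x400 itself), GD, and the R/W and LEN fields, and computes the
value to write back to disarm every BPM. Reading DR7 still needs ring 0; the
values fed to it here are constructed, not read from a machine.

```python
from typing import Dict, List

_RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # R/Wn field
_LEN = {0: 1, 1: 2, 2: 8, 3: 4}  # LENn field; 10b is 8 bytes on x86-64, undefined on 32-bit


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its fields (IA-32 layout)."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wi: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENi: bits 18-19, 22-23, 26-27, 30-31
        slots.append({"dr": i, "enabled": local or glob, "local": local,
                      "global": glob, "type": _RW[rw], "length": _LEN[ln]})
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1: the 0x400
        "gd": bool((dr7 >> 13) & 1),              # general detect: fault on any DR access
        "any_breakpoint": any(s["enabled"] for s in slots),
    }


def active_breakpoints(dr7: int) -> List[str]:
    """Describe the BPMs armed in DR0..DR3 (what a ring 0 check reads)."""
    return ["DR%d: %s, %d byte(s)%s" % (s["dr"], s["type"], s["length"],
                                       " (global)" if s["global"] else "")
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def softice_loader_signature(dr7: int) -> bool:
    """The observation above: 0x700 (LE and GE on top of the reserved bit)
    when the program was started by the SoftICE loader, 0x400 otherwise.
    Caveat: LE/GE are the 'exact breakpoint' bits any debugger may set."""
    return (dr7 & 0x300) == 0x300


def clear_bpms(dr7: int) -> int:
    """Value to write back to DR7 to disarm DR0..DR3 (L/G, R/W and LEN bits)
    while leaving LE/GE, reserved bit 10 and GD alone."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0402):   # 0xD0402: constructed, DR0 global write, 4 bytes
        print(hex(value), softice_loader_signature(value), active_breakpoints(value))
```

Writing the cleaned value back is what "clearing BPMs" amounts to; SoftICE
will then silently miss the memory breakpoints it believes are still set,
which is why the warning at the top of this method matters.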
* _: Z3 k' V4 g" ]# x$ G: w__________________________________________________________________________1 x8 e3 m! K5 t2 `+ w

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds when the SICE VxD is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but is very limited because it is only available for Win95/98 (not
NT), as it uses the VxDCall back door. This detection was found in the Bleem
demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

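Every trick so far leaves a fixed byte sequence in the target, so the same
things the BPX conditions above match at run time can also be found by a
static scan of the file. The following scanner is an added example (it is not
part of the original text and not code from any of the programs mentioned
here): it encodes the instruction sequences of Methods 01 to 07 and 12 as
byte patterns (the standard 16-bit x86 encodings of the listings, with an
optional 66h prefix for 32-bit code), adds the driver-name strings of
Method 11 and the registry key of Method 13, and runs them over a constructed
sample image built from the Haspinst.exe loop of Method 02 plus one fragment
per trick. The short windows between the register setup and the INT/CALL are
an assumption; a packer that interleaves junk between them needs wider ones.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Hit:
    method: str   # method number(s) on this page that the signature belongs to
    offset: int   # offset in the scanned image where the match starts
    detail: str


def _device_name(name: bytes) -> bytes:
    r"""Regex alternatives for the \\.\NAME device path, as ASCII and as UTF-16LE."""
    ascii_form = b"\\\\.\\" + name
    wide_form = ascii_form.decode("ascii").encode("utf-16-le")
    return re.escape(ascii_form) + b"|" + re.escape(wide_form)


# (method, description, byte regex).  '.{0,n}?' windows (assumed sizes) allow a
# few unrelated bytes between the register setup and the INT / CALL.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker handshake)",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}?\xCC"),
    ("02", "mov si,4647h / mov di,4A4Dh ... int 3 (back door magic values)",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03/04", "mov bx,0202h|7A5Fh ... int 2Fh (VxD ID of SICE / SIWVID)",
     rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,12}?\xCD\x2F"),
    ("05", "mov ax,4Fh ... int 41h (debugger installation check)",
     rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("07", "mov ah,43h ... int 68h (WinICE V86 handler)",
     rb"\xB4\x43.{0,6}?\xCD\x68"),
    ("12", "push 4Fh / push 2A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6A\x4F.{0,6}?\x68\x2A\x00\x2A\x00"),
    ("05/07/12", "cmp ax,0F386h (magic value returned by system debuggers)",
     rb"\x66?\x3D\x86\xF3"),
    ("11", "SoftICE driver name passed to CreateFileA / _lopen (MeltICE)",
     _device_name(b"SICE") + b"|" + _device_name(b"SIWVID") + b"|" + _device_name(b"NTICE")),
    ("13", "NuMega\\SoftICE registry key string",
     re.escape(b"Software\\NuMega\\SoftICE")),
]
_COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes) -> List[Hit]:
    """Return every signature match in data, ordered by offset."""
    hits = [Hit(m, match.start(), d)
            for m, d, rx in _COMPILED for match in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> Set[str]:
    return {h.method for h in scan(data)}


# Constructed sample (not a real binary): the Haspinst.exe loop of Method 02,
# then one fragment per trick, then the MeltICE device name.
SAMPLE = (
    b"\x90" * 4                                    # 0:  padding
    + b"\xB8\x11\x09"                              # 4:  mov ax,0911h
    + b"\x8B\x17"                                  # 7:  mov dx,[bx]
    + b"\xBE\x47\x46"                              # 9:  mov si,4647h
    + b"\xBF\x4D\x4A"                              # 12: mov di,4A4Dh
    + b"\xCC"                                      # 15: int 3
    + b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"      # 16: add bx,2 / inc cx / cmp cx,6 / jb
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"  # 25: mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 35: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # 43: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # 51: push 4Fh / push 2A002Ah
    + b"\xB4\x43\xCD\x68"                          # 58: mov ah,43h / int 68h
    + b"\\\\.\\SICE\x00"                           # 62: "\\.\SICE"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%04X  method %-9s %s" % (h.offset, h.method, h.detail))
```

Run it on a packed executable before tracing and you know which of the
breakpoints listed above are worth setting. Method 06 (no function number,
just an int 41h) and the ring 0 services of Methods 09 and 14 have no usable
byte signature and are left out on purpose.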
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>