About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: an unpredictable value
    xor     cx,cx
    int     41h                     ; if our handler ran, cl == al afterwards
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; cl != al: something else took int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
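As an added example, not from the original text: a decoder for the DR7 bit layout that this method reads, run over constructed register snapshots (reading DR0-DR7 needs ring 0, so nothing is read live). It shows why 0x400 is the empty baseline (bit 10 always reads as 1), what 0x700 adds (the LE and GE exact-enable bits), and which BPMs are programmed in DR0-DR3; the 0xD0401 snapshot is a constructed 4-byte write breakpoint.

```python
# Added example: decoder for the debug-register layout that Method 10 reads.
# Register snapshots are constructed here, since reading DR0-DR7 needs ring 0.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}

DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_BIT10 = 1 << 10      # reserved, always reads as 1: the 0x400 baseline
DR7_GD = 1 << 13         # general detect: traps any MOV to/from a DRx


def decode_dr7(dr7, dr0_3):
    """List the hardware breakpoints enabled in DR7.

    dr0_3 holds the four linear addresses in DR0..DR3.  Each result is
    (index, address, access kind, length in bytes, scope)."""
    bps = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))      # L0..L3 are the even bits 0,2,4,6
        glob = bool(dr7 & (1 << (2 * i + 1)))   # G0..G3 are the odd bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11       # R/Wn: condition for breakpoint n
        ln = (dr7 >> (18 + 4 * i)) & 0b11       # LENn: size of the watched range
        scope = "global" if glob else "local"
        bps.append((i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], scope))
    return bps


def dr7_flags(dr7):
    """The status bits Method 10 distinguishes: LE/GE (0x700 vs 0x400) and GD."""
    return {
        "exact_enable": bool(dr7 & DR7_LE) and bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "bit10_set": bool(dr7 & DR7_BIT10),
    }


def classify(dr7, dr0_3):
    """Apply the reading given in the text: 0x400 is the empty baseline,
    0x700 adds LE|GE (attributed there to the SoftICE loader), and any
    L/G bit means a memory breakpoint (BPM) is programmed."""
    if decode_dr7(dr7, dr0_3):
        return "bpm_present"
    if dr7_flags(dr7)["exact_enable"]:
        return "exact_enable_only"
    return "clean"


if __name__ == "__main__":
    # Constructed snapshots: the two values from the text, then a 4-byte
    # write BPM on 0x401000 (L0 set, R/W0 = 01, LEN0 = 11) on top of 0x400.
    for dr7, regs in ((0x400, [0] * 4), (0x700, [0] * 4),
                      (0xD0401, [0x401000, 0, 0, 0])):
        print(hex(dr7), classify(dr7, regs), dr7_flags(dr7), decode_dr7(dr7, regs))
```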

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

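As an added example, not part of the original text: a small static scanner in Python that looks for the byte patterns behind Methods 01 to 07, 11, 12 and 13, so a defender can flag which of these tricks a binary carries without tracing it under SoftICE. The opcode encodings (16-bit code for the int tricks, 32-bit pushes for Method 12) and the sample bytes are my own constructed assumptions, not taken from any real program.

```python
# Added example: static scanner for the byte patterns behind the tricks in
# Methods 01-07, 11, 12 and 13.  The opcode encodings assumed are the usual
# x86 ones (16-bit code for the DOS tricks, 32-bit pushes for Method 12).
import re

GAP = rb".{0,8}?"   # tolerate a few unrelated bytes between the parts of one trick

CODE_RULES = [
    ("01", "BoundsChecker 'BCHK' in ebp + int 3",
     rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),              # mov ebp,4243484Bh ... int 3
    ("02", "SoftICE back door: si=4647h, di=4A4Dh, int 3",
     rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46)"
     + GAP + rb"\xCC"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F"),                  # mov bx,0202h ... int 2Fh
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),                  # mov bx,7A5Fh ... int 2Fh
    ("05/06", "int 41h function 4Fh",
     rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),                  # mov ax,4Fh ... int 41h
    ("07", "int 68h function 43h",
     rb"\xB4\x43" + GAP + rb"\xCD\x68"),                      # mov ah,43h ... int 68h
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00"),  # push 4Fh / push 002A002Ah
]

# Strings the CreateFileA / _lopen and registry variants need (ANSI only,
# matching the CreateFileA and _regopenkey calls the text describes).
STRING_RULES = [
    ("11", "MeltICE device name",
     [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    ("13", "SoftICE registry key",
     [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"]),
]

RULES = CODE_RULES + [
    (m, d, b"|".join(re.escape(s) for s in strs)) for m, d, strs in STRING_RULES
]


def scan(data):
    """Return sorted (offset, method, description) hits for every rule."""
    hits = []
    for method, desc, pattern in RULES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample "binary": a Method 01 sequence, a Method 02 sequence,
# a MeltICE device name and a registry key, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"                # mov ax, 4
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x05"                # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"            # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```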
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>