<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler, save the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read a timer byte as a pseudo-random value
    xor cx, cx
    int 41h                     ; our handler copies al into cl unless SoftICE intercepts it
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
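The instruction sequences of methods 01, 02, 03/04, 05 and 07 above leave fixed byte patterns in a packed executable, so an analyst can flag them statically before ever tracing the program. The following C scanner is an added example, not part of the original text: it matches the encodings of those sequences (method 01 in both 16-bit and 32-bit operand size, the others as 16-bit DOS code, in the register order of the listings on this page) against a constructed buffer. The sample bytes, the signature names and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One fixed byte pattern per trick described in methods 01..07. The encodings
   follow the register order of the listings on this page; other orderings or
   intervening instructions would need additional patterns. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Method 01, 32-bit code:  mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 */
static const uint8_t m01_32[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
/* Method 01, 16-bit code: same instructions, operand-size prefix now on the mov ebp */
static const uint8_t m01_16[] = {0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
/* Method 02, 16-bit:  mov si,4647h / mov di,4A4Dh / int 3  (the backdoor magic values) */
static const uint8_t m02[]    = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Method 03, 16-bit:  mov ax,1684h / mov bx,0202h / int 2Fh  (winice VxD id) */
static const uint8_t m03[]    = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};
/* Method 04, 16-bit:  mov ax,1684h / mov bx,7A5Fh / int 2Fh  (SIWVID VxD id) */
static const uint8_t m04[]    = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};
/* Method 05, 16-bit:  mov ax,4Fh / int 41h */
static const uint8_t m05[]    = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 07, 16-bit:  mov ah,43h / int 68h */
static const uint8_t m07[]    = {0xB4,0x43, 0xCD,0x68};

static const sig_t sigs[] = {
    {"method01 BCHK signature (32-bit)",           m01_32, sizeof m01_32},
    {"method01 BCHK signature (16-bit)",           m01_16, sizeof m01_16},
    {"method02 backdoor magic SI=4647h DI=4A4Dh",  m02,    sizeof m02},
    {"method03 int 2Fh/1684h winice id 0202h",     m03,    sizeof m03},
    {"method04 int 2Fh/1684h SIWVID id 7A5Fh",     m04,    sizeof m04},
    {"method05 int 41h fn 4Fh",                    m05,    sizeof m05},
    {"method07 int 68h fn 43h",                    m07,    sizeof m07},
};

/* Scans buf[0..n) for every signature; stores the names of the tricks found
   (each at most once) in found[] and returns how many were stored. */
size_t scan_for_softice_checks(const uint8_t *buf, size_t n,
                               const char **found, size_t max)
{
    size_t hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0] && hits < max; s++) {
        const sig_t *sg = &sigs[s];
        for (size_t off = 0; sg->len <= n && off + sg->len <= n; off++) {
            if (memcmp(buf + off, sg->bytes, sg->len) == 0) {
                found[hits++] = sg->name;
                break;                      /* report each trick once */
            }
        }
    }
    return hits;
}

/* Constructed sample code: methods 01 (32-bit form), 03 and 05 between
   filler instructions; methods 02, 04 and 07 are deliberately absent. */
static const uint8_t sample[] = {
    0x90, 0x90,                                                      /* nop; nop */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, /* method 01 */
    0x75, 0x10,                                                      /* jnz short +10h */
    0x33,0xFF, 0x8E,0xC7,                                            /* xor di,di ; mov es,di */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,                       /* method 03 */
    0xB8,0x4F,0x00, 0xCD,0x41,                                       /* method 05 */
    0xC3                                                             /* ret */
};

/* Runs the scanner over the constructed sample. */
size_t scan_sample(const char **found, size_t max) {
    return scan_for_softice_checks(sample, sizeof sample, found, max);
}

/* Number of distinct tricks reported for the constructed sample. */
size_t sample_hit_count(void) {
    const char *found[8];
    return scan_sample(found, 8);
}

/* 1 if the named trick is reported for the constructed sample, else 0. */
int sample_has(const char *name) {
    const char *found[8];
    size_t n = scan_sample(found, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(found[i], name) == 0) return 1;
    return 0;
}

int main(void) {
    const char *found[8];
    size_t n = scan_sample(found, 8);
    printf("%zu SoftICE check(s) found in the sample:\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", found[i]);
    return 0;
}
```

A real scanner would run this over the code sections of an unpacked image (packers usually place the check in the decompression stub, which is why the text says it is found in "the majority of packers"); variants that reorder the register loads or split them with other instructions need their own patterns, so treat a miss as "not this exact encoding", not as "no check present".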

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
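To see why the text gives dr7=0x400 as the baseline and 0x700 with the SoftICE loader, it helps to decode the register's bit layout (Intel's DR7: bit 10 is reserved and always reads as 1, which is the 0x400; bits 8 and 9 are the LE/GE "exact breakpoint" enables, which together add 0x300; bits 0-7 are the local/global enables of the four slots DR0-DR3; bits 16-31 hold each slot's R/W and LEN fields). The C decoder below is an added example, not code from the original text, for a DR7 value already read out (for instance from a saved thread context or a crash dump, since the mov from DR7 itself needs ring 0, as the text notes); the function names and the sample value other than 0x400 and 0x700 are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 bit positions (Intel SDM, "Debug Registers"). */
#define DR7_LE        (1u << 8)    /* local exact breakpoint enable  */
#define DR7_GE        (1u << 9)    /* global exact breakpoint enable */
#define DR7_RESERVED1 (1u << 10)   /* reserved, always reads as 1    */
#define DR7_GD        (1u << 13)   /* general detect                 */

/* Slot i (0..3) is armed when its local (bit 2i) or global (bit 2i+1) enable is set. */
int dr7_slot_enabled(uint32_t dr7, int i) {
    return ((dr7 >> (2 * i)) & 3u) ? 1 : 0;
}

/* Number of hardware breakpoint slots DR0..DR3 currently armed. */
int dr7_armed_count(uint32_t dr7) {
    int n = 0;
    for (int i = 0; i < 4; i++) n += dr7_slot_enabled(dr7, i);
    return n;
}

/* R/W field of slot i: 0 = execute, 1 = data write, 2 = I/O (needs CR4.DE), 3 = data read/write. */
int dr7_slot_rw(uint32_t dr7, int i) {
    return (int)((dr7 >> (16 + 4 * i)) & 3u);
}

/* LEN field of slot i in bytes: 00 -> 1, 01 -> 2, 11 -> 4, 10 -> 8 (64-bit mode only). */
int dr7_slot_len_bytes(uint32_t dr7, int i) {
    switch ((dr7 >> (18 + 4 * i)) & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* 1 when both LE and GE are set: the 0x700 state the text attributes to the SoftICE loader. */
int dr7_le_ge(uint32_t dr7) {
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* 1 when anything beyond the always-set reserved bit is present, i.e. dr7 differs from 0x400. */
int dr7_beyond_baseline(uint32_t dr7) {
    return (dr7 & ~DR7_RESERVED1) != 0;
}

static const char *rw_name(int rw) {
    static const char *names[4] = {"execute", "write", "io", "read/write"};
    return names[rw & 3];
}

/* Human-readable dump of one DR7 value. */
void dr7_print(uint32_t dr7) {
    printf("DR7=0x%08x: LE=%d GE=%d GD=%d armed=%d\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_armed_count(dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_slot_enabled(dr7, i))
            printf("  DR%d: %s, %d byte(s)\n", i,
                   rw_name(dr7_slot_rw(dr7, i)), dr7_slot_len_bytes(dr7, i));
}

int main(void) {
    /* 0x400 and 0x700 are the values from the text; the third is a constructed
       value with slot 0 armed locally as a 4-byte read/write breakpoint
       (L0=1, RW0=11b, LEN0=11b), the shape a memory breakpoint (BPM) takes. */
    uint32_t samples[] = {0x400u, 0x700u, 0x400u | 1u | (3u << 16) | (3u << 18)};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_print(samples[i]);
    return 0;
}
```

The same decoder explains the warning at the top of the section: a memory breakpoint set in SoftICE shows up as an armed slot in bits 0-7 with its address in the matching DR0-DR3, so a program that reads (or clears) these registers sees exactly what a forensic tool reading a saved context would see.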

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>