<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility uses to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es = 0 (interrupt vector table) assumed, as in Method 06
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our own handler just copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler as int 41h
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a changing value (timer port)
        xor cx,cx               ; cl = 0
        int 41h                 ; our handler sets cl = al; SoftICE's handler does not
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

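Added example (not from the original text): a decoder for the DR7 values Method 10 quotes, showing that 0x700 is 0x400 (the always-set reserved bit) plus the LE/GE exact-breakpoint bits, and listing any BPM armed in DR0-DR3. The bit layout is the documented x86 DR7 layout; the function names and the sample values are mine.

```python
# DR7 layout: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved
# (reads as 1), GD bit 13, then an R/W (2 bits) and LEN (2 bits) pair per
# breakpoint starting at bit 16.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 2 is undefined on 32-bit, 8 bytes in long mode

def decode_dr7(dr7):
    """Return a dict describing the flags and hardware breakpoints DR7 enables."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append((n, RW_KIND[rw], LEN_BYTES[ln], "global" if glob else "local"))
    return {
        "exact_local": bool((dr7 >> 8) & 1),     # LE
        "exact_global": bool((dr7 >> 9) & 1),    # GE
        "general_detect": bool((dr7 >> 13) & 1), # GD
        "breakpoints": bps,
    }

def softice_loaded(dr7):
    """The page's heuristic: 0x700 (LE and GE set) means the app was started
    by the SoftICE loader, 0x400 is the plain reset value."""
    return (dr7 & 0x300) == 0x300

def bpm_set(dr7):
    """True if any BPM (hardware breakpoint in DR0-DR3) is enabled."""
    return (dr7 & 0xFF) != 0

if __name__ == "__main__":
    # Constructed values: the page's two, plus 0x700 with a 4-byte write BPM on DR0.
    for v in (0x400, 0x700, 0xD0701):
        print(hex(v), decode_dr7(v), "loader:", softice_loaded(v), "bpm:", bpm_set(v))
```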
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                 ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                 ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

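Added example (not part of the original text): a small Python scanner that looks for the byte patterns of the tricks quoted in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw code/data blob, the kind of check an analyst runs when triaging a packed sample for anti-debugging. Only the operand values, driver names and registry path come from the page; the opcode encodings, the signature table and the sample buffer are my own.

```python
import re

# Constructed byte signatures for the tricks quoted on this page. Opcode
# encodings are standard x86; an optional 66h prefix covers 16-bit operands
# inside 32-bit code, and ".{0,n}" tolerates a few bytes between the
# instructions of one trick (the quoted sequences are rarely contiguous).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),             # mov ebp,4243484Bh .. int 3
    ("02", "SoftICE back door (SI=4647h, DI=4A4Dh)",
     rb"\x66?\xbe\x47\x46.{0,8}\x66?\xbf\x4d\x4a"),    # mov si,4647h .. mov di,4A4Dh
    ("03/04", "int 2Fh/1684h entry point of SICE/SIWVID VxD",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),    # mov bx,0202h|7A5Fh .. int 2Fh
    ("05", "int 41h function 4Fh (0F386h magic)",
     rb"\x66?\xb8\x4f\x00.{0,8}\xcd\x41"),             # mov ax,4Fh .. int 41h
    ("07", "int 68h function 43h (0F386h magic)",
     rb"\xb4\x43.{0,8}\xcd\x68"),                      # mov ah,43h .. int 68h
    ("11", "MeltICE driver handle open",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),               # "\\.\SICE" and friends
    ("12", "VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),  # push 4Fh; push 002A002Ah
    ("13", "NuMega registry key lookup",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]

def scan(blob):
    """Return sorted (offset, method, description) tuples for every hit in blob."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)

# Constructed sample: the Method 01, 02 (16-bit) and 05 sequences from the
# page, plus two MeltICE device names, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # method 01
    + b"\x90" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"            # method 02
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"            # method 05
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # method 11 strings
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("offset %5d  method %-5s  %s" % (off, method, desc))
```

Matches are hints for a human to confirm in the disassembler, not proof: a legitimate program can contain the same bytes by chance.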
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>