About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE: the open only succeeds
      when the SoftICE VxD is loaded and answers the DIOC_OPEN message */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
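A static scanner for the byte patterns these methods leave behind in a binary, as an added example (it is not code from the original post): it flags the constants and mov/int sequences quoted in Methods 01 to 13 so an analyst can triage a sample before stepping through it. The opcode encodings, the pattern names and the embedded sample bytes are the editor's own constructed assumptions, not taken from any real program.

```python
"""Static scanner for the anti-SoftICE tricks listed above (added example).

It flags the byte patterns a 16/32-bit x86 binary carries when it uses
Method 01 (BCHK constant), 02 (backdoor magic SI=4647h/DI=4A4Dh), 03/04
(int 2Fh/1684h with the SICE/SIWVID VxD IDs), 05/12 (int 41h fn 4Fh and the
0F386h magic), 07 (int 68h/43h) and 11/13 (driver names and registry keys
as plain strings).  Hits are leads for an analyst, not proof: a bare
'cmp ax,0F386h' can also occur in unrelated code.
"""
import re
import sys

# Encodings are standard x86 (B8+r mov r16/r32,imm; CD nn int nn).  In 32-bit
# code the same bytes sit behind a 66h operand-size prefix, so they still match.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' in ebp",      rb"\xBD\x4B\x48\x43\x42"),         # mov ebp,4243484Bh
    ("M02 backdoor magic SI=4647h",          rb"\xBE\x47\x46"),                 # mov si,4647h
    ("M02 backdoor magic DI=4A4Dh",          rb"\xBF\x4D\x4A"),                 # mov di,4A4Dh
    ("M03 int 2Fh/1684h, SICE VxD ID 0202h", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),  # mov bx,0202h .. int 2Fh
    ("M04 int 2Fh/1684h, SIWVID ID 7A5Fh",   rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),  # mov bx,7A5Fh .. int 2Fh
    ("M05 int 41h function 4Fh",             rb"\xB8\x4F\x00.{0,16}?\xCD\x41"), # mov ax,4Fh .. int 41h
    ("M05/07/12 0F386h magic compare",       rb"\x3D\x86\xF3"),                 # cmp ax,0F386h
    ("M07 int 68h function 43h",             rb"\xB4\x43.{0,8}?\xCD\x68"),      # mov ah,43h .. int 68h
    ("M11 SoftICE driver name",              rb"\\\\\.\\(SICE|SIWVID|NTICE)"),  # \\.\SICE etc.
    ("M13 SoftICE registry key",             # case-insensitive, registry paths are
     rb"(?i)Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
# re.S lets '.' match 0x0A bytes inside the short gap between mov and int.
COMPILED = [(name, re.compile(pat, re.S)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (description, offset) pairs for every signature hit, by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real binary): the Method 05 check assembled for
# 16-bit code, five NOPs of padding, then the MeltICE device name of Method 11.
SAMPLE = (
    b"\xB8\x4F\x00"          # mov ax,4fh
    b"\xCD\x41"              # int 41h
    b"\x3D\x86\xF3"          # cmp ax,0F386h
    b"\x74\x05"              # jz SoftICE_detected (jump target is arbitrary here)
    b"\x90\x90\x90\x90\x90"
    b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)


def main(argv):
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for name, off in scan(blob):
        print(f"{off:08X}  {name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a file path to scan a sample; without arguments it scans the embedded bytes and reports the three hits at offsets 0, 5 and 15.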