About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (es is assumed to point at segment 0, i.e. the interrupt vector table,
    ;  as set up explicitly in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

Without a debugger, the dummy handler simply returns and ax still holds
4Fh; with SoftICE loaded, the interrupt is intercepted before the vector in
the IVT is reached and ax comes back as 0F386h.

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Here no magic number is involved: the program's own int 41h handler copies
AL into CL, so when nothing intercepts the interrupt the compare matches.
With SoftICE loaded, int 41h is taken by the debugger instead of the
installed handler, so CL and AL no longer match.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
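To make the dr7 values quoted above concrete, here is an added example that is not part of the original text: a decoder for the DR7 debug control register following the architectural bit layout (L0/G0..L3/G3 enable bits in bits 0-7, LE in bit 8, GE in bit 9, the reserved always-set bit 10, GD in bit 13, and the R/W and LEN fields in bits 16-31). It shows that 0x400 is a bare DR7 with only the reserved bit set, that 0x700 differs from it exactly in LE and GE, and how an armed memory breakpoint (BPM) on dr0 would appear. The third sample value and the dr0 address are constructed for the illustration.

```python
# Added example (not from the original text): decode the x86 DR7 debug control
# register so that the dr7 values quoted in Method 10 can be read bit by bit.
# Bit layout is the architectural one: L0/G0..L3/G3 in bits 0-7, LE bit 8,
# GE bit 9, reserved-and-set bit 10, GD bit 13, R/Wn and LENn in bits 16-31.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 is only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the control flags in dr7."""
    breakpoints = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)          # Ln: enabled for this task
        glob = bool(dr7 >> (2 * i + 1) & 1)       # Gn: enabled for all tasks
        if local or glob:
            rw = dr7 >> (16 + 4 * i) & 0b11       # R/Wn: what triggers it
            ln = dr7 >> (18 + 4 * i) & 0b11       # LENn: watched size
            breakpoints.append({"index": i, "local": local, "global": glob,
                                "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 >> 8 & 1),
        "GE": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "GD": bool(dr7 >> 13 & 1),
    }


def method10_findings(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """What a Method 10 style read of the debug registers would notice."""
    info = decode_dr7(dr7)
    findings = []
    if info["LE"] and info["GE"]:
        findings.append("LE and GE set in dr7 (the 0x700 pattern left by the "
                        "SoftICE loader; a plain 0x400 has only the reserved bit)")
    for bp in info["breakpoints"]:
        addr = dr0_3[bp["index"]]
        findings.append(f"hardware breakpoint dr{bp['index']} armed at {addr:#x} "
                        f"({bp['type']}, {bp['length']} byte(s))")
    return findings


if __name__ == "__main__":
    # Two values from the text plus one constructed value: 0x700 with L0 set,
    # R/W0=11b (read/write) and LEN0=11b (4 bytes), i.e. a BPM armed on dr0.
    for dr7 in (0x400, 0x700, 0xF0701):
        found = method10_findings(dr7, (0x401000, 0, 0, 0)) or ["nothing"]
        print(f"dr7={dr7:#x}: {found}")
```

Reading the registers this way requires ring0, exactly as the text says, which is why the trick lives in drivers and VxDs rather than in ordinary Win32 code.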

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device exists: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
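An analyst who meets these tricks inside a packed or protected sample will want to recognise them statically before stepping through anything. The following is an added example, not part of the original text: a small Python scanner for the traces that Methods 01, 02, 05, 11, 12 and 13 leave in a binary (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the cmp ax,0F386h compare, the push 002A002Ah of the VxDCall variant, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the NuMega registry key). The byte encodings are the standard ones for the mnemonics quoted in the text; the sample image it scans is constructed here and is not taken from any real program.

```python
# Added example (not from the original text): static scanner for the traces the
# anti-SoftICE tricks of Methods 01, 02, 05, 11, 12 and 13 leave in a binary.
# Byte encodings are the standard ones for the mnemonics quoted in the text;
# the optional 66h prefix lets one pattern match both 16-bit and 32-bit code.
import re

CODE_SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,4243484Bh ('BCHK') before int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door: mov si,4647h / mov di,4A4Dh magic values",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.DOTALL)),
    ("05/12", "cmp ax,0F386h: system-debugger magic number compare",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("12", "push 002A002Ah: VWIN32_Int41Dispatch through VxDCall",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]

# Each string is searched both as ASCII and as UTF-16LE.
STRING_SIGNATURES = [
    ("11", "MeltICE device name", "\\\\.\\SICE"),
    ("11", "MeltICE device name", "\\\\.\\SIWVID"),
    ("11", "MeltICE device name", "\\\\.\\NTICE"),
    ("13", "SoftICE registry key", "Software\\NuMega\\SoftICE"),
    ("13", "SoftICE registry key", "Uninstall\\SoftICE"),
    ("13", "SoftICE loader App Paths entry", "Loader32.Exe"),
]


def scan(image: bytes) -> list:
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, rx in CODE_SIGNATURES:
        for m in rx.finditer(image):
            hits.append((m.start(), method, desc))
    for method, desc, text in STRING_SIGNATURES:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((pos, method, f"{desc} {text!r} as {enc}"))
                pos = image.find(needle, pos + 1)
    return sorted(hits)


def methods_present(image: bytes) -> list:
    """Distinct method numbers whose signatures appear, in sorted order."""
    return sorted({method for _, method, _ in scan(image)})


# Constructed sample image (not from any real binary): NOP filler around code
# and string fragments shaped like Methods 01, 12, 11 and 13.
SAMPLE_IMAGE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh   (offset 8)
    + b"\x66\xB8\x04\x00\xCC"              # mov ax,4 / int 3
    + b"\x90" * 8
    + b"\x68\x4F\x00\x00\x00"              # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"              # push 2A002Ah        (offset 32)
    + b"\xFF\x15\x00\x00\x00\x00"          # call [imm32], target left zero
    + b"\x66\x3D\x86\xF3"                  # cmp ax,0F386h       (offset 43)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                   # ASCII device name   (offset 55)
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"   # UTF-16 (offset 64)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key        (offset 84)
)
CLEAN_IMAGE = b"\x90" * 64 + b"Hello, world\x00"


if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE_IMAGE):
        print(f"{off:#06x}  method {method:<5} {desc}")
    print("methods:", methods_present(SAMPLE_IMAGE), "| clean:", scan(CLEAN_IMAGE))
```

A hit is a lead, not a verdict: a four-byte run such as 66 3D 86 F3 can occur by chance in data, and Methods 03, 04, 09 and 14 leave no comparable fixed bytes, so the scanner tells you where to put the breakpoints listed in the text rather than replacing them.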


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.