About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must point to segment 0 (the IVT),
    xchg    bx, es:[41h*4+2]    ; see Method 06; old vector saved in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; dummy handler: ax stays 4Fh if it runs
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our temporary handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl equals al only if our handler really ran
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.