<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4 ; AL is no longer 4 if SoftICE answered the int 3
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========
Still a very much used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; ES:DI stays 0000:0000 if no VxD answered
 test ax, ax
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7A5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4Fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax, ax
 mov es, ax ; ES -> interrupt vector table (segment 0), as in Method 06
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax, 4Fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0F386h ; our handler leaves ax unchanged: only a debugger
 jz SoftICE_Detected ; intercepting int 41h can return 0F386h

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl, al ; our handler copies AL into CL
 iret
int41handler ENDP

 xor ax, ax
 mov es, ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer: an unpredictable value
 xor cx, cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl, al ; CL != AL: our handler never ran, a debugger owns int 41h
 jnz SoftICE_Detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

 mov ah, 25h ; DOS "set interrupt vector"
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7A5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
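What a ring0 read of the debug registers actually reveals, as an added example (not part of the original text): a DR7 decoder using the standard x86 bit layout (L/G enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10 always set, R/W and LEN fields from bit 16), applied to the 0x700 and 0x400 values quoted above and to a constructed BPM-style entry.

```python
# Added example: decode the x86 debug-control register DR7 (bit layout per the
# Intel manual). 0x400 is the idle value (only the reserved bit 10 reads as 1);
# 0x700 additionally has LE (bit 8) and GE (bit 9) set, no breakpoint armed.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # bytes (2 = 8 bytes in 64-bit mode only)
IDLE_DR7 = 0x400                      # nothing armed, nothing touched

def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return what a ring0 reader learns from DR7 (and the DR0-DR3 addresses)."""
    info = {
        "le": bool(dr7 & (1 << 8)),      # local exact breakpoint matching
        "ge": bool(dr7 & (1 << 9)),      # global exact breakpoint matching
        "gd": bool(dr7 & (1 << 13)),     # general detect: traps MOV DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                     # slot n is not enabled
        rw = (dr7 >> (16 + 4 * n)) & 3   # R/Wn: what kind of access breaks
        ln = (dr7 >> (18 + 4 * n)) & 3   # LENn: width of the watched range
        info["breakpoints"].append({
            "slot": n, "address": dr0_3[n],
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw], "length": LEN_NAMES[ln],
        })
    return info

def debugger_indicators(dr7, dr0_3=(0, 0, 0, 0)):
    """The rule of thumb from the text: anything beyond the idle value 0x400
    means a ring0 debugger has touched the debug registers."""
    d = decode_dr7(dr7, dr0_3)
    reasons = []
    if d["le"] or d["ge"]:
        reasons.append("exact-match bits set (DR7=0x700 style)")
    if d["breakpoints"]:
        reasons.append("%d hardware breakpoint(s) armed" % len(d["breakpoints"]))
    if any(dr0_3):
        reasons.append("non-zero DR0-DR3 address left behind")
    return reasons

if __name__ == "__main__":
    # Constructed sample: a BPM-style 4-byte write watch in slot 0 on 0x401000
    armed = IDLE_DR7 | 1 | (1 << 16) | (3 << 18)
    print(decode_dr7(0x700))
    print(debugger_indicators(armed, (0x401000, 0, 0, 0)))
```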

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004Fh ; function 4Fh
 push 002A002Ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0F386h ; magic number returned by system debuggers
 jz SoftICE_Detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
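To spot these tricks in a binary before running it, here is an added example (not code from the original text) that scans a file image for the byte-level fingerprints of the methods above: the 'BCHK' constant (01), the 4647h/4A4Dh magic values (02), the int 2Fh/1684h VxD IDs (03/04), int 41h function 4Fh and the 0F386h compare (05/06/07/12), int 68h function 43h (07), the \\.\SICE, \\.\SIWVID and \\.\NTICE device names (11), the VxDCall 002A002Ah dispatch (12) and the NuMega registry key (13). The opcode bytes are standard x86 encodings chosen here; the sample buffer is constructed, not taken from any real file.

```python
import re

# Added example: static signatures for the anti-SoftICE tricks listed above.
# Opcode bytes are standard x86 encodings (B8+r = mov r16,imm16, BD = mov ebp,imm32,
# 3D = cmp ax,imm16, CD ib = int, CC = int 3, 68/6A = push imm32/imm8).
# Gaps of a few bytes are allowed so that interleaved instructions do not hide a hit.
RULES = [
    ("01", "BoundsChecker 'BCHK' signature loaded into ebp",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 back door magic values SI=4647h, DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05/06", "int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("05/06/07/12", "compare ax with the debugger magic number 0F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),
    ("07", "int 68h function 43h",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("11", "device name \\\\.\\SICE", re.escape(b"\\\\.\\SICE")),
    ("11", "device name \\\\.\\SIWVID", re.escape(b"\\\\.\\SIWVID")),
    ("11", "device name \\\\.\\NTICE", re.escape(b"\\\\.\\NTICE")),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in RULES]

def scan(buf):
    """Return sorted (offset, method, description) for every signature hit."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(buf):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(buf):
    """Just the method numbers that fired, for a quick triage verdict."""
    return sorted({method for _, method, _ in scan(buf)})

# Constructed sample: fragments of methods 01, 02, 12 (with its 0F386h compare),
# 11 and 13 glued together with padding; not taken from any real file.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # mov ebp,'BCHK'/mov ax,4/int 3/cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # mov ax,0911h/mov si/mov di/int 3
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # push 4Fh / push 002A002Ah
    + b"\x66\x3D\x86\xF3"                                   # cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00\\\\.\\SIWVID\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("%06X  method %-12s %s" % (off, method, desc))
```

Short opcode patterns such as the 0F386h compare will also fire on unrelated data in large files, so treat hits as leads to confirm in a disassembler rather than as a verdict.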
</PRE></TD></TR></TBODY></TABLE>