<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE, if present, answers by clearing AL
    cmp al,4                ; AL untouched -> no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di               ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di               ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh              ; debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must point to segment 0 (the interrupt vector table), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; our handler just returns, leaving AX=4Fh...
    xchg dx, es:[41h*4]     ; ...restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; ...unless a debugger answered before the IVT handler
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keeping the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value (timer counter) as the function number
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL != AL: our handler never ran, int 41h was intercepted
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS Set Interrupt Vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
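The debug-register read described above, carried one step further as an added example (not code from the original text): a decoder for DR7 values that shows which BPMs are armed and why the two values quoted for dr7 differ. The bit layout follows the Intel SDM; the third sample value (a BPM in slot 0) is constructed.

```python
# Added example (not from the original text): decode a DR7 value the way
# Method 10 reads it, to see which hardware breakpoints (BPMs on dr0-dr3)
# are armed and which global debugger flags are set.
from typing import List

# DR7 layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 enable bits,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16+4i..17+4i = R/W of slot i, bits 18+4i..19+4i = LEN of slot i.
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and the global flag bits of DR7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "scope": "global" if glob else "local",
                      "kind": RW_KINDS[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }

def describe_dr7(dr7: int) -> str:
    """One-line verdict in the spirit of Method 10: debugger hints and BPMs."""
    d = decode_dr7(dr7)
    hints: List[str] = []
    if d["le"] or d["ge"]:
        hints.append("LE/GE set (exact breakpoint matching requested by a debugger)")
    if d["gd"]:
        hints.append("GD set (access to debug registers traps)")
    if d["slots"]:
        hints.append("%d hardware breakpoint(s) armed" % len(d["slots"]))
    return "; ".join(hints) if hints else "no debugger traces in DR7"

# Sample values: the two DR7 values quoted in Method 10, plus a constructed
# DR7 with a 4-byte read/write BPM in slot 0 (local enable bit L0).
SAMPLES = {"softice_loader": 0x700, "plain_load": 0x400,
           "bpm_rw_dword_slot0": 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-20s dr7=%#05x  %s" % (name, value, describe_dr7(value)))
```

Running it shows that 0x700 and 0x400 differ only in the LE/GE bits (neither has a breakpoint armed), while a set BPM shows up in the L/G enable bits together with its R/W and LEN fields.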

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE driver by its device name; succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
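A static scanner for the byte patterns and strings of Methods 01, 03, 04, 05, 07, 11, 12 and 13 above, as an added example for analysts triaging a binary (not code from the original text or from any of the programs it names). The opcode bytes are the standard IA-32 encodings of the listed instructions, the ANSI device names and registry key are the ones quoted in the methods, and the SAMPLE buffer is constructed.

```python
# Added example (not from the original text): a static scanner for the
# SoftICE checks listed in Methods 01, 03/04, 05, 07, 11, 12 and 13, to be
# run over a suspicious file by an analyst. Opcode bytes are the standard
# IA-32 encodings; the sample buffer below is constructed for this example.
import re
from typing import List, Tuple

# Byte signatures. 16-bit code encodes "mov ax,imm16" as B8 iw; in a 32-bit
# code segment the same instruction carries a 66h operand-size prefix, so an
# optional 66h is allowed wherever the page's code could appear in either mode.
SIGNATURES = [
    ("M01 BCHK int 3",            rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    ("M03 int 2Fh/1684h SICE",    rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F"),
    ("M04 int 2Fh/1684h SIWVID",  rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F"),
    ("M05 int 41h/4Fh",           rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    ("M05/12 cmp ax,0F386h",      rb"(?:\x66)?\x3D\x86\xF3"),
    ("M07 int 68h/43h",           rb"\xB4\x43\xCD\x68"),
    ("M12 VxDCall Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # ANSI device names as passed to CreateFileA / _lopen: \\.\SICE etc.
    ("M11 SoftICE device name",   rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("M13 SoftICE registry key",  rb"Software\\NuMega\\SoftICE"),
]

def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample: filler bytes around Method 05 (32-bit form), the
# Method 12 VxDCall sequence, the MeltICE device name and the registry key.
SAMPLE = (b"\x90" * 8
          + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x10"      # M05
          + b"\x90" * 4
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"  # M12
          + b"\x00" * 4
          + b"\\\\.\\SICE\x00"                                       # M11
          + b"Software\\NuMega\\SoftICE\x00")                        # M13

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%#06x  %s" % (off, name))
```

Run on the constructed SAMPLE it reports the int 41h check at offset 8, the 0F386h compare at 14, the VxDCall sequence at 24 and the two strings at 41 and 50; the int 2Fh and int 68h patterns are listed for completeness and do not occur in SAMPLE.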

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>