About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (the IVT segment)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
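From the analyst's side, the methods above leave recognisable residue in a binary: the 'BCHK' constant followed by an int 3 (Method 01), the 4647h/4A4Dh backdoor magic before an int 3 (Method 02), the 0F386h compare (Methods 05/07/12), the `\\.\SICE`-style device names (Method 11) and the NuMega registry key (Method 13). The scanner below is an added example, not code from the original post or from NuMega; the instruction encodings it matches assume 32-bit code for Method 01 and 16-bit code for the backdoor loop, and the sample image it scans is constructed, not taken from any real program.

```python
"""Static triage for the anti-SoftICE checks described in this post.

Added example, not code from the original post or from NuMega: it scans a raw
binary image for the byte sequences and strings that Methods 01, 02, 05/07/12,
11 and 13 leave behind.  Encodings assume 32-bit code for Method 01 and 16-bit
code for the Method 02 backdoor; reordered or obfuscated variants are missed.
"""
import re
import sys

# indicator -> (method numbers, byte regex); up to 8 bytes may sit between
# the instructions so that interleaved junk does not hide a sequence.
INDICATORS = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') ... int 3 ... cmp al, 4
    "bchk_int3": ("01", re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04", re.DOTALL)),
    # Method 02: mov si, 4647h / mov di, 4A4Dh (16-bit) followed by int 3
    "backdoor_magic": ("02", re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 05/07/12: cmp ax, 0F386h with or without the 66h operand-size
    # prefix (cmp eax, 0F386h matches too, so expect some false positives)
    "f386_magic": ("05/07/12", re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 11: device names handed to CreateFileA / _lopen
    "device_name": ("11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry key #2 from the list above
    "registry_key": ("13", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
}


def scan(image):
    """Return {indicator: [offsets]} for every indicator found in image."""
    hits = {}
    for name, (_method, pattern) in INDICATORS.items():
        offsets = [m.start() for m in pattern.finditer(image)]
        if offsets:
            hits[name] = offsets
    return hits


def report(image):
    """One line per hit, tagged with the method number(s) it points to."""
    return [f"Method {INDICATORS[name][0]} ({name}) at offset 0x{off:X}"
            for name, offsets in scan(image).items() for off in offsets]


# Constructed sample image (not from any real binary): Method 01 as 32-bit
# code, the Haspinst-style backdoor as 16-bit code, a 0F386h compare, then
# the MeltICE device string and the registry key as data.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh     (offset 4)
    + b"\x66\xB8\x04\x00"            # mov ax, 4
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al, 4
    + b"\x75\x10"                    # jnz SoftICE_Detected
    + b"\xB8\x11\x09"                # mov ax, 0911h
    + b"\xBE\x47\x46"                # mov si, 4647h          (offset 21)
    + b"\xBF\x4D\x4A"                # mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + b"\x66\x3D\x86\xF3"            # cmp ax, 0F386h         (offset 28)
    + b"\\\\.\\SICE\x00"             # "\\.\SICE"             (offset 32)
    + b"Software\\NuMega\\SoftICE\x00"  # registry key        (offset 41)
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(data)) or "no anti-SoftICE indicators found")
```

A hit only says a sample carries the check, not that it is malicious; packers and dongle envelopes, as the post notes, use the same sequences.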