<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is changed when SoftICE handles the BCHK call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler in the IVT (es=0)
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; a system debugger answered although the IVT pointed to our iret
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only reached if nobody intercepts int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler in the IVT
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value read from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl==al only if our handler really ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the VxD answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
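As an added example (not code from the original text nor from any tool it names), the following Python scanner flags the byte patterns of the tricks described in methods 01, 02, 03/04, 05, 07, 11 and 12 inside a raw code blob, so an analyst can triage which SoftICE checks a sample carries before tracing it. The instruction encodings are hand-assembled from the listings and the sample input is constructed here; it assumes the instructions of each trick sit back to back as in the listings.

```python
import re

# Byte patterns of the SoftICE checks described in methods 01-12, hand-assembled
# from the listings above. "(?:\x66)?" allows the operand-size prefix so the
# 16-bit register moves match in both DOS and Win32 code. Assumption: the
# instructions of each trick sit back to back, as in the listings.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    "01 BoundsChecker 'BCHK' int 3": rb"(?:\x66)?\xbd\x4b\x48\x43\x42(?:\x66)?\xb8\x04\x00\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    "02 back-door magic SI=4647h/DI=4A4Dh": rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": rb"\xb4\x43\xcd\x68",
    # Method 11: device names handed to CreateFileA / _lopen
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "12 VxDCall VWIN32_Int41Dispatch/4Fh": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}

def scan(blob):
    """Return every (offset, trick) hit found in blob, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample: the Haspinst.exe loop from method 02, hand-encoded as
# 16-bit bytes, then filler, a method 11 device name and a method 07 check.
SAMPLE = (
    b"\x90" * 4                     # nop padding
    + b"\xb8\x11\x09"               # MOV AX,0911
    + b"\x8b\x17"                   # MOV DX,[BX]
    + b"\xbe\x47\x46"               # MOV SI,4647
    + b"\xbf\x4d\x4a"               # MOV DI,4A4D
    + b"\xcc"                       # INT 3
    + b"\x83\xc3\x02"               # ADD BX,02
    + b"\x41"                       # INC CX
    + b"\x83\xf9\x06"               # CMP CX,06
    + b"\x72\xeb"                   # JB 0095 (rel8 = -15h)
    + b"\x00" * 8                   # filler
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0
    + b"\xb4\x43\xcd\x68"           # MOV AH,43h / INT 68h
)

if __name__ == "__main__":
    for offset, trick in scan(SAMPLE):
        print(f"{offset:#06x}  {trick}")
```

Run it on a dumped code section of a suspect file; hits only name the trick, so confirm each one in the disassembler, since a matching byte run can occur by chance in data.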

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>