About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point.
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table segment (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; swap in our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; a real handler (SoftICE) answers 0F386h, ours does not
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler only copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al means our handler never ran: another handler (SoftICE) got the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                   ; DOS: set interrupt vector
    mov     al, 01h                   ; interrupt number to hook (01h or 03h)
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

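To make the dr7 values quoted above meaningful, here is a small decoder for the x86 DR7 debug-control register. It is an added example, not part of the original text; the bit layout (L0-L3/G0-G3 enable bits, LE/GE at bits 8-9, the always-set reserved bit 10, GD at bit 13, and the R/W and LEN fields from bit 16) comes from the Intel architecture manual. `classify` applies this page's reading of the two values (0x700 = started under the SoftICE loader, 0x400 = idle), and `arm_bpm`/`clear_bpms` show what a set or cleared BPM looks like in the register. The function names and the dictionary shapes are my own.

```python
# DR7 field encodings (Intel SDM, "Debug Registers"). Added example, not page code.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}          # LEN=10b is 8 bytes on 64-bit CPUs
RW_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_CODES = {v: k for k, v in LEN_NAMES.items()}


def decode_dr7(dr7):
    """Return the armed hardware breakpoints and the global flags encoded in dr7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 2 bits from bit 16 + 4n
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: 2 bits from bit 18 + 4n
        bps.append({"index": i, "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "breakpoints": bps,
        "local_exact": bool(dr7 & 0x100),     # LE, bit 8
        "global_exact": bool(dr7 & 0x200),    # GE, bit 9
        "general_detect": bool(dr7 & 0x2000), # GD, bit 13: trap any DRx access
    }


def classify(dr7):
    """Interpretation used on this page: 0x700 after the SoftICE loader, 0x400 idle."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm-armed"
    if d["local_exact"] and d["global_exact"]:
        return "loader-pattern"               # LE|GE|reserved = 0x700
    return "idle"                             # only the reserved bit 10 = 0x400


def arm_bpm(dr7, index, kind="read/write", length=4, glob=False):
    """Return dr7 with breakpoint slot `index` (0-3) enabled for `kind`/`length`."""
    shift = 16 + 4 * index
    dr7 = (dr7 & ~(0xF << shift)) & 0xFFFFFFFF              # clear old R/W and LEN
    dr7 |= (RW_CODES[kind] | (LEN_CODES[length] << 2)) << shift
    dr7 |= 1 << (2 * index + (1 if glob else 0))             # Ln or Gn enable bit
    return dr7


def clear_bpms(dr7):
    """Drop every L/G enable bit: the 'clearing BPMs' manipulation mentioned above."""
    return dr7 & ~0xFF & 0xFFFFFFFF


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x400, 0), arm_bpm(0x700, 1, "write", 2, glob=True)):
        print(hex(value), classify(value), decode_dr7(value)["breakpoints"])
```

Reading the register only tells you that *something* armed a hardware breakpoint; which tool did so is not recorded, so a check like Method 10 fires on any debugger or tracer that uses DR0-DR3, not only SoftICE.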
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Try to open a handle on the SoftICE driver; success means it is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01     ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
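The breakpoints listed under each method catch these tricks at run time, in SoftICE. The static counterpart, for triaging a binary before running it, is a signature scan for the byte patterns of the same tricks. The scanner below is an added example and not code from the original text: it hand-assembles the key instructions of Methods 01-05 and 12 (BCHK + int 3, the 4647h/4A4Dh magic + int 3, int 2Fh/1684h with VxD ID 0202h or 7A5Fh, int 41h/4Fh followed by a compare with 0F386h, push 4Fh / push 002A002Ah) and adds the MeltICE device names of Method 11 and the registry paths of Method 13 as string signatures. The opcode encodings are standard x86 (B8+r mov r16,imm16; BD mov ebp,imm32; 3D cmp ax,imm16; CD int; CC int 3; 6A/68 push); the sample blob is constructed for the test and the slack of a few bytes between instructions is my choice, so a packer that interleaves more junk would need wider patterns.

```python
import re

# Signature table: (name, regex over raw bytes). Added example, not page code.
# 16-bit encodings unless noted: B8 ax, BB bx, BE si, BF di = mov r16,imm16;
# BD id = mov ebp,imm32 (32-bit code); 3D iw = cmp ax,imm16; CD ib = int imm8;
# CC = int 3; 6A ib = push imm8; 68 id = push imm32. ".{0,8}?" = a little slack.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    ("M02 SoftICE backdoor magic SI=4647h/DI=4A4Dh + int 3",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,8}?\xCC", re.DOTALL)),
    ("M03/04 int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("M05 int 41h/4Fh + cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M11 MeltICE device name (\\\\.\\SICE, SIWVID, NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: one instance of each trick, hand-assembled, plus the
# strings MeltICE-style and registry-style checks leave in the file.
SAMPLE = bytes.fromhex(
    "BD4B484342" "66B80400" "CC" "3C04" "7501"   # M01: mov ebp,'BCHK'/mov ax,4/int 3/cmp al,4/jnz
    "BE4746" "BF4D4A" "B81109" "CC"              # M02: mov si,4647h/mov di,4A4Dh/mov ax,0911h/int 3
    "B88416" "BB0202" "CD2F"                     # M03: mov ax,1684h/mov bx,0202h/int 2Fh
    "B84F00" "CD41" "3D86F3"                     # M05: mov ax,4Fh/int 41h/cmp ax,0F386h
    "6A4F" "682A002A00"                          # M12: push 4Fh/push 002A002Ah
) + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"


if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:06x}  {name}")
```

A hit is only a lead: `int 41h` with function 4Fh is also used by legitimate debugger-aware code, and the BCHK sequence is what BoundsChecker itself emits, so the scanner's value is in pointing a reviewer at the right offsets, not in a verdict.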