<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce command; the command is located at ds:dx)
        -AX = 0912h (Get breakpoint infos)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911    ; execute command.
        4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647    ; 1st magic value.
        4C19:009D MOV DI,4A4D    ; 2nd magic value.
        4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
        4C19:00A8 JB 0095        ; 6 different commands.
        4C19:00AA JMP 0002       ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read an arbitrary value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl still 0 if SoftICE serviced int 41h itself
        jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
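As an added example (not part of the original text), the following scanner turns the instruction sequences and strings from methods 01 to 13 above into byte-level signatures, so an analyst can flag which anti-SoftICE tricks a packer or protector carries. The signature names, the GAP tolerance and the sample buffer are my own choices; the sample is constructed here, not taken from any real program.

```python
import re

# Added example, not code from the original text: the SoftICE checks
# documented above, encoded as the byte sequences an x86 assembler emits,
# so an analyst can flag which anti-SoftICE tricks a packer carries.
P66 = rb"\x66?"        # optional operand-size prefix (16-bit vs 32-bit code)
GAP = rb".{0,16}?"     # tolerate a few unrelated instructions between parts

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "01 BoundsChecker BCHK":
        P66 + rb"\xBD\x4B\x48\x43\x42" + GAP + P66 + rb"\xB8\x04\x00" + GAP + rb"\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door, AX=091xh)
    "02 back door SI=4647h DI=4A4Dh":
        P66 + rb"\xBE\x47\x46" + GAP + P66 + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h SICE or SIWVID":
        P66 + rb"\xB8\x84\x16" + GAP + P66 + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h":
        P66 + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + P66 + rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":
        rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + P66 + rb"\x3D\x86\xF3",
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah / call VxDCall / cmp ax,0F386h
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00"
        + GAP + P66 + rb"\x3D\x86\xF3",
    # Method 13: the NuMega registry key
    "13 registry key NuMega\\SoftICE": rb"NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(data: bytes) -> dict:
    """Map each signature present in data to the offsets where it matches."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample (not a real program): the HASP-style back door call
# (method 02), the int 41h check with Stone's xchg instructions in the way
# (method 05) and a MeltICE device-name string (method 11).
SAMPLE = (
    b"\xB8\x11\x09\x8B\x17"            # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"                  # mov ax,4Fh
    + b"\x26\x87\x16\x04\x01"          # xchg dx,es:[41h*4]
    + b"\x26\x87\x1E\x06\x01"          # xchg bx,es:[41h*4+2]
    + b"\xCD\x41\x3D\x86\xF3"          # int 41h / cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SIWVID\x00"
)
```

scan(SAMPLE) reports methods 02, 05 and 11 at offsets 5, 16 and 38; run it over a whole file image (or each section) to get a quick inventory of the tricks a sample uses before stepping through it.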
# ^6 h' S# \" i, R3 ?0 y3 D$ N6 [# I</PRE></TD></TR></TBODY></TABLE> |