<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; SoftICE answers the BoundsChecker query by changing al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in the SIce window)
  -AX = 0911h (Execute SIce command - the command string is at ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 when the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (needed by the xchg below)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the previous vector in dx:bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler records the al it was entered with
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the previous vector in dx:bx
    in al, 40h              ; read the timer counter: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler actually ran
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

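What a ring-0 read of the debug registers actually reveals is a set of bit fields in DR7. The decoder below is an added example, written here and not part of the original text; it uses the DR7 layout documented in the Intel manuals (the L0-G3 enable bits for DR0-DR3, the LE/GE exact-mode bits behind the 0x700 value quoted above, the reserved bit 10 that always reads as 1 and gives the idle 0x400, and the R/W and LEN fields). The register values it is fed are constructed for illustration, not captured from a machine.

```python
from dataclasses import dataclass
from typing import Dict, List

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"). Bit 10 is reserved and
# always reads as 1, which is why an idle DR7 reads 0x400 rather than 0.
DR7_LE = 0x100           # bit 8 : local exact breakpoint enable
DR7_GE = 0x200           # bit 9 : global exact breakpoint enable
DR7_RESERVED = 0x400     # bit 10: reserved, always 1
DR7_GD = 0x2000          # bit 13: general detect (trap on any MOV to/from DRn)

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / io / read/write
    length: int      # bytes covered by the breakpoint
    scope: str       # "local", "global" or "local+global"


def armed_breakpoints(dr7: int, dr0_3: List[int]) -> List[HwBreakpoint]:
    """Decode every DRn slot that DR7 currently enables.

    Slot n is enabled by L(n) at bit 2n or G(n) at bit 2n+1; its R/W field
    sits at bits 16+4n..17+4n and its LEN field at bits 18+4n..19+4n.
    """
    found = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        scope = "local+global" if (local and glob) else ("local" if local else "global")
        found.append(HwBreakpoint(n, dr0_3[n], RW_NAMES[rw], LEN_BYTES[ln], scope))
    return found


def describe_dr7(dr7: int, dr0_3: List[int]) -> Dict[str, object]:
    """Summarise what the ring-0 read described in Method 10 would see."""
    bps = armed_breakpoints(dr7, dr0_3)
    return {
        "exact_mode": bool(dr7 & (DR7_LE | DR7_GE)),  # 0x700 sets LE+GE, 0x400 does not
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": bps,
        "clean": dr7 == DR7_RESERVED and not bps,     # the plain 0x400 case
    }


if __name__ == "__main__":
    # Constructed register values: idle, SoftICE-loader style, and one BPM
    # (a 4-byte write breakpoint on 0x401000 held in DR0, enabled by L0).
    for dr7, drs in ((0x400, [0, 0, 0, 0]),
                     (0x700, [0, 0, 0, 0]),
                     (0x000D0001, [0x401000, 0, 0, 0])):
        print(hex(dr7), describe_dr7(dr7, drs))
```

The third constructed value shows why the text says the check works "simply by reading their value": DR7=0x000D0001 alone tells the reader that slot 0 is armed locally as a 4-byte write watchpoint, and DR0 supplies the address, which is exactly what a BPM on that address looks like from ring 0.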
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver (\\.\SICE) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

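All the SoftICE breakpoints listed above need the debugger loaded and the sample running. When triaging a packed or protected binary offline, the same checks can be found statically, because each one leaves a characteristic byte sequence: the 'BCHK' immediate of method 01, the 4647h/4A4Dh register loads of method 02, the int 2Fh VxD IDs of methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of methods 05 and 07, the VxDCall arguments of method 12, and the device-name and registry strings of methods 11 and 13. The scanner below is an added example, written here and not part of the original text or of any tool it mentions. It assumes the instruction order shown in the listings above (register load immediately followed by the int, or the two magic moves back to back) and the standard x86 encodings noted in the comments; the sample blob it scans is constructed from those listings, not taken from Haspinst.exe or MeltICE.

```python
import re
import sys
from typing import List, Pattern, Tuple

# (name, byte-regex, re flags). Opcode patterns use the standard x86 encodings:
# B8/BB/BE/BF imm16 = mov ax/bx/si/di ; BD imm32 = mov ebp ; B4 imm8 = mov ah ;
# CD xx = int xx ; 6A imm8 / 68 imm32 = push. An optional 66h operand-size prefix
# is tolerated between the two moves of method 02 so that 16-bit moves inside
# 32-bit code still match. String patterns get IGNORECASE (device and registry
# names are case-insensitive on Windows); opcode patterns must not, since that
# would also let 'B' (42h) match 'b' (62h) and so on.
SIGNATURES: List[Tuple[str, bytes, int]] = [
    ("method01_boundschecker_bchk",    rb"\xbd\x4b\x48\x43\x42", 0),              # mov ebp,'BCHK'
    ("method02_backdoor_fgjm",         rb"\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a", 0), # mov si,4647h ; mov di,4A4Dh
    ("method03_int2f_sice_vxd",        rb"\xbb\x02\x02\xcd\x2f", 0),              # mov bx,0202h ; int 2Fh
    ("method04_int2f_siwvid_vxd",      rb"\xbb\x5f\x7a\xcd\x2f", 0),              # mov bx,7A5Fh ; int 2Fh
    ("method05_int41_fn4f",            rb"\xb8\x4f\x00\xcd\x41", 0),              # mov ax,4Fh ; int 41h
    ("method07_int68_fn43",            rb"\xb4\x43\xcd\x68", 0),                  # mov ah,43h ; int 68h
    ("method12_vxdcall_int41dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00", 0),      # push 4Fh ; push 2A002Ah
    ("method11_device_name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)(?![A-Za-z])", re.IGNORECASE),                # "\\.\SICE" etc.
    ("method13_registry_key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     re.IGNORECASE),
]
COMPILED: List[Tuple[str, Pattern[bytes]]] = [(n, re.compile(p, f)) for n, p, f in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every match, ordered by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the Haspinst.exe back-door loop from method 02, the
# BoundsChecker check from method 01 as it appears in 32-bit code, the int 41h
# check from method 05 and a MeltICE device name, separated by NOP padding.
NOPS = b"\x90" * 8
SAMPLE = (
    b"\xb8\x11\x09\x8b\x17"          # mov ax,0911h ; mov dx,[bx]
    b"\xbe\x47\x46\xbf\x4d\x4a"      # mov si,4647h ; mov di,4A4Dh
    b"\xcc"                          # int 3
    + NOPS
    + b"\xbd\x4b\x48\x43\x42"        # mov ebp,4243484Bh ('BCHK')
    b"\x66\xb8\x04\x00\xcc\x3c\x04"  # mov ax,4 ; int 3 ; cmp al,4
    + NOPS
    + b"\xb8\x4f\x00\xcd\x41"        # mov ax,4Fh ; int 41h
    b"\x3d\x86\xf3"                  # cmp ax,0F386h
    + NOPS
    + b"\\\\.\\SICE\x00"             # "\\.\SICE",0
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Run it on a file to list the checks it contains together with their offsets; without an argument it scans the constructed sample. The opcode patterns are deliberately strict (register load directly followed by the interrupt), so code that interleaves other instructions between the two, or loads the registers in a different order, is missed; loosening them trades precision for recall, which is the usual choice with static signatures.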
5 ?9 O% N' V3 K( {, R: ?3 r( [) S__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>