<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: BoundsChecker talks to
SoftICE through INT 3 with EBP='BCHK', and when SoftICE is loaded its INT 3
handler services the request, so AL does not keep its value of 4. (When
SoftICE is not loaded the INT 3 raises a breakpoint exception, which is why
packers wrap this check in an exception handler.)

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL still 4 -> nobody answered the request
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands': an INT 3 with magic values in SI/DI which gives
information on breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jump to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy: jump back.
        4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jump to 00AD" is performed via the exception handler the program
  installs for int 03h: if no debugger is loaded, the INT 3 falls through to
  that handler instead of being answered by SoftICE.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD entry point via int 2Fh/1684h
(the "Get VxD API entry point" function): if the VxD with that ID is loaded,
ES:DI comes back non-zero.


        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0:0 -> no such VxD
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program installs its own int 41h
handler for the duration of the call, so that without a system debugger the
call simply returns with AX unchanged; a loaded SoftICE still answers it
with 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: 4Fh is never
loaded into AX, so a BPINT 41 conditioned on AX does not fire. AL gets an
unpredictable byte (the timer counter, port 40h), CX is cleared and the
temporary handler copies AL into CL. If the handler really ran (no SoftICE),
CL equals AL; if SoftICE swallowed the int 41h, CL is still 0. (Once in 256
runs AL itself is 0 and the check misses.)


int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer counter: an unpredictable value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
43h is the installation check of that interface and returns the 0F386h
magic number when a debugger is installed.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
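The interrupt-based checks of methods 01 to 07 all leave fixed opcode
sequences in the protected binary, which is how you find them when a packer
buries them inside its decryption loops. The scanner below is an added
example written for this page (not code from the article, from any packer,
or from Stone's archive): it turns the article's own instruction sequences
into byte signatures (16-bit encodings for the INT 2Fh/41h/68h probes, the
32-bit `mov ebp,imm32` form for the BCHK load, since that one lives in Win32
packers) and runs them over a constructed sample buffer, reporting which
method each hit belongs to and, for the int 2Fh query, which VxD ID was
asked for. The sample bytes are assembled by hand for the demo and are not
taken from Haspinst.exe or any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD 0x100   /* pattern entry that matches any byte */

struct sig {
    const char *method;   /* method number in this article */
    const char *what;
    const int  *bytes;
    size_t      len;
};

/* Opcode encodings of the sequences quoted in methods 01 to 07. */
static const int sig_bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh ('BCHK') */
static const int sig_si[]   = { 0xBE, 0x47, 0x46 };                               /* mov si,4647h */
static const int sig_di[]   = { 0xBF, 0x4D, 0x4A };                               /* mov di,4A4Dh */
static const int sig_2f[]   = { 0xB8, 0x84, 0x16, 0xBB, WILD, WILD, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,ID / int 2Fh */
static const int sig_41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh / int 41h */
static const int sig_41b[]  = { 0xE4, 0x40, WILD, WILD, 0xCD, 0x41 };             /* in al,40h / xor cx,cx / int 41h */
static const int sig_68[]   = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h / int 68h */

static const struct sig sigs[] = {
    { "01",    "mov ebp,'BCHK' + INT 3 (BoundsChecker interface)", sig_bchk, 5 },
    { "02",    "mov si,4647h (INT 3 back door magic)",             sig_si,   3 },
    { "02",    "mov di,4A4Dh (INT 3 back door magic)",             sig_di,   3 },
    { "03/04", "int 2Fh/1684h VxD entry point query",              sig_2f,   8 },
    { "05",    "int 41h/4Fh debugger installation check",          sig_41,   5 },
    { "06",    "in al,40h ... int 41h handler-swap check",         sig_41b,  6 },
    { "07",    "int 68h/43h installation check",                   sig_68,   4 },
};

struct hit {
    size_t      off;
    const char *method;
    const char *what;
    unsigned    vxd_id;   /* only for the int 2Fh query: the BX immediate */
};

static int match_at(const uint8_t *p, size_t avail, const int *pat, size_t n)
{
    if (avail < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (pat[i] != WILD && p[i] != pat[i]) return 0;
    return 1;
}

/* Linear scan of a code image; returns the number of hits written to out,
 * in ascending offset order. */
size_t scan_softice_checks(const uint8_t *buf, size_t len, struct hit *out, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < max; off++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0] && n < max; s++) {
            if (!match_at(buf + off, len - off, sigs[s].bytes, sigs[s].len)) continue;
            out[n].off = off;
            out[n].method = sigs[s].method;
            out[n].what = sigs[s].what;
            /* for the int 2Fh pattern, bytes 4..5 are the VxD ID loaded into BX */
            out[n].vxd_id = (sigs[s].bytes == sig_2f)
                          ? (unsigned)(buf[off + 4] | (buf[off + 5] << 8)) : 0;
            n++;
        }
    }
    return n;
}

/* Constructed sample (not a real binary): the Method 01 sequence, the
 * Haspinst-style Method 02 sequence, a Method 04 query for SIWVID (7A5Fh)
 * and a Method 07 probe, separated by NOPs. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, /* method 01 */
    0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* method 02 */
    0x90,
    0x33, 0xFF, 0x8E, 0xC7, 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F, /* method 04 */
    0x90,
    0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3,                               /* method 07 */
};

struct hit sample_hits[16];

/* Scans the constructed sample into sample_hits; returns the hit count. */
size_t scan_sample(void)
{
    return scan_softice_checks(sample, sizeof sample, sample_hits, 16);
}

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n; i++) {
        printf("+%04zx  method %-5s %s", sample_hits[i].off, sample_hits[i].method, sample_hits[i].what);
        if (sample_hits[i].vxd_id)
            printf(" [VxD ID %04X = %s]", sample_hits[i].vxd_id,
                   sample_hits[i].vxd_id == 0x0202 ? "SICE" :
                   sample_hits[i].vxd_id == 0x7A5F ? "SIWVID" : "unknown");
        putchar('\n');
    }
    return 0;
}
```

The INT 3 magic-value loads (methods 01/02) are matched on their immediates
alone because the code between the `mov si`/`mov di` and the `int 3` varies
from packer to packer, while `mov ax,1684h` is matched together with the
following `mov bx` so the VxD ID (0202h SICE, 7A5Fh SIWVID) can be read
straight from the hit. Expect false positives on `mov esi,imm32` in 32-bit
code whose low immediate happens to be 4647h; the scanner is a triage tool,
not proof.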
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)


        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h                         ; DS:DX -> new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints (BPM) are set (dr0 to dr3), simply by reading
their value (ring0 only: MOV from a debug register is a privileged
instruction). Values can be manipulated and/or changed as well (clearing
BPMs, for instance).

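What the 0x700 and 0x400 values mean, and what "clearing BPMs" actually
touches, follows from the DR7 bit layout. The decoder below is an added
example written for this page (not the article's code); the bit positions
are those documented in the Intel manual. The DR7 value is passed in as a
number because `mov eax,dr7` itself needs ring0 and faults in a user-mode
program: a VxD (or today a kernel driver) would read the register and hand
the value to this code. Bit 10 of DR7 always reads as 1, which is the 0x400
baseline; 0x700 adds LE (bit 8) and GE (bit 9), the exact-breakpoint flags
the SoftICE loader leaves set; an armed BPM shows as an L/G enable bit in
the low byte plus an R/W and LEN field in the high word.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (Intel SDM vol. 3, "Debug Registers"). */
struct dr7_info {
    int local_enable[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];             /* R/Wn: 0 exec, 1 write, 3 read/write (bits 16+4n) */
    int len[4];            /* LENn: 0 = 1 byte, 1 = 2, 3 = 4 (bits 18+4n)        */
    int le, ge, gd;        /* bit 8, bit 9, bit 13 (general detect)             */
};

#define DR7_RESERVED_ONE 0x400u   /* bit 10 reads as 1: the 0x400 baseline */
#define DR7_LE           0x100u
#define DR7_GE           0x200u
#define DR7_GD           0x2000u

void dr7_decode(uint32_t dr7, struct dr7_info *d)
{
    for (int n = 0; n < 4; n++) {
        d->local_enable[n]  = (dr7 >> (2 * n)) & 1;
        d->global_enable[n] = (dr7 >> (2 * n + 1)) & 1;
        d->rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d->len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    d->le = (dr7 & DR7_LE) != 0;
    d->ge = (dr7 & DR7_GE) != 0;
    d->gd = (dr7 & DR7_GD) != 0;
}

/* Bitmask of what a protector would conclude from a DR7 value:
 * FOOTPRINT_LOADER  LE/GE set (the 0x700 the article reports after the
 *                   SoftICE loader started the program)
 * FOOTPRINT_BPM     any of DR0..DR3 armed, i.e. a BPM breakpoint
 * FOOTPRINT_GD      general-detect set: a debugger guards the DRs themselves */
enum { FOOTPRINT_LOADER = 1, FOOTPRINT_BPM = 2, FOOTPRINT_GD = 4 };

int dr7_footprint(uint32_t dr7)
{
    int f = 0;
    if (dr7 & (DR7_LE | DR7_GE)) f |= FOOTPRINT_LOADER;
    if (dr7 & 0xFFu)             f |= FOOTPRINT_BPM;
    if (dr7 & DR7_GD)            f |= FOOTPRINT_GD;
    return f;
}

/* "Clearing BPMs": drop every enable bit and every R/W-LEN field, keep
 * LE/GE/GD and the always-one bit 10. The caller writes the result back
 * with mov dr7,eax from ring0. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & (DR7_RESERVED_ONE | DR7_LE | DR7_GE | DR7_GD);
}

/* R/W and LEN of breakpoint n packed as (rw << 2) | len, via dr7_decode. */
int dr7_bpm_kind(uint32_t dr7, int n)
{
    struct dr7_info d;
    dr7_decode(dr7, &d);
    return (d.rw[n] << 2) | d.len[n];
}

int main(void)
{
    /* constructed values: bare, loader-started, one 4-byte read/write BPM
     * on DR0 (L0 set, R/W0 = 11, LEN0 = 11), and both at once */
    const uint32_t samples[] = { 0x400, 0x700, 0x000F0401, 0x000F0701 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d;
        uint32_t v = samples[i];
        dr7_decode(v, &d);
        printf("DR7=%08X  LE=%d GE=%d GD=%d  footprint=%d", v, d.le, d.ge, d.gd, dr7_footprint(v));
        for (int n = 0; n < 4; n++)
            if (d.local_enable[n] || d.global_enable[n])
                printf("  BPM%d rw=%d len=%d", n, d.rw[n], d.len[n]);
        printf("  after clear=%08X\n", dr7_clear_bpms(v));
    }
    return 0;
}
```

Note that the footprint test is only as good as its baseline: a process not
started by the SoftICE loader shows 0x400 with SoftICE fully loaded, so the
LE/GE check alone says nothing about whether the debugger is resident; the
enable bits are the part that cannot be hidden while a BPM is armed.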
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* CreateFileA explicitly: the device name is an ANSI string */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001, the VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears eax and the Carry flag
to let the handle be opened, and SoftICE is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; not opened -> not detected


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument, +4 skips the "\\.\" prefix, and the
  32-bit compare only looks at the next four characters)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
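The probe logic and the classic BPX condition side by side, as an added
example (written for this page; not MeltICE's, nmtrans.dll's or AZPR's
code). The device names are the three the text lists. The opener is
injected so the loop can be exercised on a machine without SoftICE: a
simulated opener (constructed for the demo) stands in for a Win9x box where
SIWVID answers, and the real opener uses CreateFileA on Windows and plain
open() elsewhere, where such names never exist, so the probe reports
nothing. name_targets_softice is the C rendering of the breakpoint condition
*(esp->4+4)=='SICE' || ...: esp->4 is lpFileName, +4 skips the four
characters of "\\.\", and the 32-bit compare only looks at the next four
bytes, which is why 'SIWV' catches SIWVID. The _lopen variant opens the
same names, so the same matcher covers it.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* The three device names from the text: SICE and SIWVID on Win9x, NTICE on NT. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Real opener: CreateFileA exactly as MeltICE does it on Windows; plain
 * open() elsewhere, where a path like \\.\SICE never exists. */
int try_open_real(const char *name)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(name, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    int fd = open(name, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Simulated opener (constructed for the demo, not a real driver): behaves
 * like a Win9x box with SoftICE loaded where only the video VxD answers. */
int try_open_simulated(const char *name)
{
    return strcmp(name, "\\\\.\\SIWVID") == 0;
}

/* MeltICE-style probe with the opener injected. Returns the 1-based index
 * of the first device that opened (1=SICE, 2=SIWVID, 3=NTICE), 0 if none. */
int softice_probe(int (*try_open)(const char *))
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (try_open(softice_devices[i]))
            return (int)i + 1;
    return 0;
}

/* The breakpoint condition
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * in C: require the "\\.\" prefix, then compare the next four bytes only. */
int name_targets_softice(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (strncmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

int main(void)
{
    int r = softice_probe(try_open_real);
    printf("real probe:      %s\n", r ? softice_devices[r - 1] : "no SoftICE device opened");
    r = softice_probe(try_open_simulated);
    printf("simulated probe: %s\n", r ? softice_devices[r - 1] : "none");
    for (size_t i = 0; i < N_DEVICES; i++)
        printf("%-14s -> BPX condition %s\n", softice_devices[i],
               name_targets_softice(softice_devices[i]) ? "fires" : "silent");
    printf("%-14s -> BPX condition %s\n", "\\\\.\\PhysicalDrive0",
           name_targets_softice("\\\\.\\PhysicalDrive0") ? "fires" : "silent");
    return 0;
}
```

Because the matcher mirrors the breakpoint, it also shows the breakpoint's
blind spot: a program that builds the name in a different casing or opens it
through a path that never reaches CreateFileA's argument (the _lopen thunk
still does, a direct VxDCall does not) slips past it, which is why the text
falls back to BPINT 30 and VMM_GetDDBList.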

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT):
it goes through the VxDCall back door. This detection was found in the Bleem
demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the
  "tICE" of "SoftICE" inside key #2 and key #1 respectively)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>