<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4             ; if SoftICE answered the BCHK request, al is no longer 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice ?
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax            ; es = 0 so that es:[41h*4] addresses the interrupt
                      ; vector table (not in the original listing; Method 06
                      ; does the same)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]  ; install our own int 41h handler, old vector -> bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]  ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h       ; our handler does not touch ax: F386h means a debugger answered
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al            ; remember al as seen by our handler
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax            ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]  ; install int41handler, old vector -> bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h           ; pseudo-random value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]  ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al            ; cl != al: our handler was never reached
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                     ; DOS: set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; ds:dx -> new handler
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

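To make the dr7 values quoted above concrete, here is an added Python decoder (not part of the original document) that takes debug-register values obtained from a ring0 read or a register dump and reports the control bits and the armed memory breakpoints. The bit layout is the documented IA-32 DR7 layout; the 0x400/0x700 rule is the page's own, written as a bit test; the sample values are constructed.

```python
"""Decoder for the debug-register values that the Method 10 check reads.
Added example, not part of the original document; the bit layout is the
documented IA-32 DR7 layout and the sample values are constructed."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                            # LENn field


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Return the hardware breakpoints DR7 enables plus its control flags.

    Bits 0..7 are the L0/G0 .. L3/G3 enable pairs, bit 8 LE, bit 9 GE,
    bit 10 is reserved and always reads 1 (which accounts for the 0x400 the
    page quotes), bit 13 GD, bits 16..31 the R/W and LEN fields per slot.
    """
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * slot)) & 3
            ln = (dr7 >> (18 + 4 * slot)) & 3
            bps.append({"slot": slot, "addr": dr0_3[slot],
                        "scope": "global" if glob else "local",
                        "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "reserved_bit10": bool(dr7 & 0x400)}


def loaded_via_softice_loader(dr7: int) -> bool:
    """The page's rule of thumb as a bit test: 0x700 (LE and GE set on top of
    the always-set 0x400) means the program was started by the SoftICE
    loader; 0x400 alone means it was not."""
    flags = decode_dr7(dr7)
    return flags["LE"] and flags["GE"]


def bpm_addresses(dr7: int, dr0_3) -> list:
    """Addresses of the memory breakpoints (BPMs) currently armed."""
    return [bp["addr"] for bp in decode_dr7(dr7, dr0_3)["breakpoints"]]


if __name__ == "__main__":
    # Constructed: slot 0 armed as a local 4-byte write watch at 0x401000.
    dr7 = 0x400 | 0x1 | (1 << 16) | (3 << 18)
    print(hex(dr7), decode_dr7(dr7, (0x401000, 0, 0, 0)))
    print("loader:", loaded_via_softice_loader(0x700), loaded_via_softice_loader(0x400))
```

Because the registers can only be read in ring0, the decoder is meant for values captured elsewhere (a driver, a crash context, a debugger's register window); it does not try to read them itself.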
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the SICE device only succeeds when the SoftICE VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025   ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxDCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
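Added example, not part of the original document: a Python scanner that looks for the opcode sequences of Methods 01, 02, 03/04, 05, 07 and 12 in a raw code buffer, the static counterpart of the BPX/BPINT conditions listed above. The byte patterns are hand-assembled from the listings on the page; the wildcard gaps between instructions and the sample buffer are my own assumptions.

```python
"""Static scanner for the SoftICE detection sequences of Methods 01-07 and 12.
Added example, not part of the original document."""
import re

# (label, regex over raw code bytes, description).  Each regex encodes the
# instruction sequence shown on the page as x86 opcode bytes; the .{0,n}
# gaps (my assumption) tolerate a few interleaved instructions such as the
# `mov dx,[bx]` of the Haspinst listing, and let the 0x66 operand-size
# prefix of 32-bit code fall inside a gap.
SIGNATURES = [
    ("m01_bchk_int3",      rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc",
     "mov ebp,'BCHK' ... int 3 (BoundsChecker signature)"),
    ("m02_backdoor_int3",  rb"\xbe\x47\x46.{0,6}\xbf\x4d\x4a.{0,6}\xcc",
     "mov si,4647h; mov di,4A4Dh; int 3 (SoftICE back door)"),
    ("m03_m04_int2f_1684", rb"\xb8\x84\x16.{0,6}\xbb(?:\x02\x02|\x5f\x7a).{0,6}\xcd\x2f",
     "int 2Fh/1684h for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)"),
    ("m05_int41_4f",       rb"\xb8\x4f\x00.{0,8}\xcd\x41",
     "mov ax,4Fh ... int 41h (debugger-installed check)"),
    ("m07_int68_43",       rb"\xb4\x43.{0,4}\xcd\x68",
     "mov ah,43h ... int 68h (WinICE V86 handler)"),
    ("m12_vxdcall_int41",  rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
     "push 4Fh; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    ("magic_f386_cmp",     rb"\x3d\x86\xf3",
     "cmp ax,0F386h (system-debugger magic, methods 05/07/12)"),
]
COMPILED = [(label, re.compile(rx, re.DOTALL), what) for label, rx, what in SIGNATURES]


def scan(code: bytes):
    """Return [(offset, label, description)] for every hit, sorted by offset."""
    hits = []
    for label, rx, what in COMPILED:
        for m in rx.finditer(code):
            hits.append((m.start(), label, what))
    return sorted(hits)


# Constructed sample: the Haspinst back-door call (Method 02), the simplest
# int 41h/4Fh check (Method 05) and the Bleem VxDCall pair (Method 12),
# assembled by hand and padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00"            # mov ax,4Fh
    + b"\xcd\x41"                # int 41h
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\x6a\x4f"                # push 4Fh
    + b"\x68\x2a\x00\x2a\x00"    # push 2A002Ah
)

if __name__ == "__main__":
    for off, label, what in scan(SAMPLE):
        print(f"{off:#06x}  {label:<20}  {what}")
```

Signature matching only finds the literal sequences: operand loads in a different order, values computed at run time, or a self-decrypting packer layer all evade it, so treat a hit as a pointer to where the conditional breakpoints above are worth setting rather than as a complete answer.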
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

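Added example, not part of the original document, serving both Method 11 and Method 13: a Python scan for the device names and registry keys the two checks use, plus two helpers that derive the constants in the page's BPX conditions (the four bytes after `\\.\` that `*(esp->4+4)` compares, and the 0x13/0x37 offsets of 'tICE' in the subkey strings, esp->8 being the lpSubKey argument of RegOpenKey). UTF-16LE matching for the W variants of the APIs is an assumption beyond the page, and the sample data is constructed.

```python
"""Strings and breakpoint-condition offsets for Methods 11 and 13.
Added example, not part of the original document."""
import re

# Device names opened by MeltICE-style checks (CreateFileA / _lopen) and the
# registry keys listed under Method 13, exactly as the page gives them.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _patterns():
    """ASCII (the A functions shown on the page) and UTF-16LE (W functions,
    an assumption beyond the page) encodings, matched case-insensitively
    because registry paths and device names are not case sensitive."""
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            for enc in ("ascii", "utf-16-le"):
                yield kind, name, enc, re.compile(re.escape(name.encode(enc)), re.IGNORECASE)


def find_softice_strings(data: bytes):
    """Return (offset, kind, encoding, name) for every SoftICE string in data."""
    hits = []
    for kind, name, enc, rx in _patterns():
        for m in rx.finditer(data):
            hits.append((m.start(), kind, enc, name))
    return sorted(hits)


def bpx_tag(device_name: str) -> bytes:
    """The 4 bytes the page's `BPX CreateFileA if *(esp->4+4)=='SICE'` reads:
    esp->4 is lpFileName, +4 skips the `\\.\` prefix, and a dword compare only
    sees four characters (hence 'SIWV' and 'NTIC' for the longer names)."""
    return device_name.encode("ascii")[4:8]


def tice_offset(subkey: str) -> int:
    """Offset of 'tICE' inside a subkey, i.e. the +0x13 / +0x37 in the page's
    `BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'`."""
    return subkey.index("tICE")


# Constructed sample: an ASCII device name, a lower-cased registry key and a
# UTF-16LE device name, separated by NUL bytes.
SAMPLE = (b"\x00" * 8 + rb"\\.\SICE" + b"\x00"
          + b"software\\numega\\softice" + b"\x00"
          + "\\\\.\\NTICE".encode("utf-16-le"))

if __name__ == "__main__":
    for off, kind, enc, name in find_softice_strings(SAMPLE):
        print(f"{off:#06x} {kind:<8} {enc:<9} {name}")
    for key in REGISTRY_KEYS[:2]:
        print(f"'tICE' at +{tice_offset(key):#x} in {key}")
```

The two helpers show why the page's breakpoints are written the way they are: a dword compare can only look at four characters, so the offsets must land exactly on the distinguishing part of each string.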
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>