<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; es is assumed to hold 0 (the IVT segment) here
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random-ish value from the timer port
    xor cx,cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; ...unless a debugger took the interrupt instead
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
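The sequences of Methods 01 through 07 use fixed constants and a fixed instruction order, so an analyst can look for them in a raw image before loading the sample under a debugger. The following Python script is an added example, not code from the original text nor from any packer or tool it mentions: it encodes each sequence as an opcode pattern (assuming 16-bit code for the mov r16,imm16 / int forms and 32-bit code for the mov ebp,imm32 of Method 01) and scans a byte buffer for them. The SAMPLE buffer is hand-assembled for the demonstration and is not taken from a real binary.

```python
"""Byte-level triage for the real-mode SoftICE checks of Methods 01-07.

Added example, hypothetical tool: it is not taken from the article or from
any packer it names.  Opcode encodings assumed: 16-bit code for
mov r16,imm16 (B8+r iw), int imm8 (CD ib), int 3 (CC), cmp ax,imm16 (3D iw),
mov ah,imm8 (B4 ib); 32-bit code for mov ebp,imm32 (BD id) in Method 01.
"""
import re

# Description, then a regex over raw bytes.  A few bytes of other instructions
# are allowed between the anchoring opcodes (lazy .{0,n}? with DOTALL).
SIGNATURES = [
    ("BoundsChecker 'BCHK': mov ebp,4243484Bh ... int 3 (Method 01)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("Back door magic: mov si,4647h / mov di,4A4Dh ... int 3 (Method 02)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("int 2Fh/1684h with SICE VxD ID 0202h (Method 03)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("int 2Fh/1684h with SIWVID VxD ID 7A5Fh (Method 04)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("int 41h/4Fh followed by cmp ax,0F386h (Method 05)",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    ("int 68h/43h followed by cmp ax,0F386h (Method 07)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
]


def scan(blob: bytes):
    """Return (offset, description) pairs for every signature hit, by offset."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample: hand-assembled bytes for the Haspinst.exe loop body of
# Method 02, the 'BCHK' check of Method 01 and the plain int 41h check of
# Method 05, separated by NOP padding.  Not taken from a real binary.
SAMPLE = (
    b"\x90" * 4
    # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09" + b"\x8B\x17" + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    + b"\x90" * 4
    # mov ebp,4243484Bh / mov ax,4 (66 prefix) / int 3 / cmp al,4
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04"
    + b"\x90" * 4
    # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xB8\x4F\x00" + b"\xCD\x41" + b"\x3D\x86\xF3"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, desc in scan(data):
        print(f"{offset:08X}  {desc}")
```

Run without arguments it scans SAMPLE and reports the three sequences at offsets 9, 20 and 36; pass a file path to scan a real file. Byte matching is a triage aid, not proof: the same opcodes can occur in unrelated code, and a packer that builds the constants at run time or pads the sequence with junk instructions will not match the fixed-distance patterns, so a hit is a reason to set the breakpoints listed in this text rather than a final verdict.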
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the SoftICE
   VxD is loaded and answers the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
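The indicators of Methods 11, 12 and 13 are plain strings or one fixed call sequence, so they can be pulled out of an image before it runs. The following Python script is an added example, not code from the original text, from MeltICE or from nmtrans.dll: it looks for the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11, the push 4Fh / push 2A002Ah pair that precedes the VxDCall of Method 12, and the three registry keys of Method 13, assuming the strings are stored as plain ASCII (the checks use CreateFileA and the 16-bit _lopen) and that push imm32 is encoded as 68 id. The SAMPLE buffer is constructed for the demonstration.

```python
"""String and call-sequence indicators for the Win32-era checks of Methods 11-13.

Added example, hypothetical tool: not from the article, from MeltICE or from
nmtrans.dll.  Assumes plain ASCII strings and the 68 id encoding of push imm32.
"""
import re

DEVICE_NAMES = rb"(SICE|SIWVID|NTICE)"
REGISTRY_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

INDICATORS = [
    # \\.\SICE, \\.\SIWVID, \\.\NTICE as opened with CreateFileA or _lopen
    ("device-name (Method 11)",
     re.compile(re.escape(b"\\\\.\\") + DEVICE_NAMES, re.IGNORECASE)),
    # push 4Fh / push 2A002Ah before the VxDCall to VWIN32_Int41Dispatch
    ("vxdcall-int41 (Method 12)",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),
    # registry keys that reveal whether and where SoftICE is installed
    ("registry-key (Method 13)",
     re.compile(b"|".join(re.escape(k) for k in REGISTRY_KEYS), re.IGNORECASE)),
]


def scan_indicators(blob: bytes):
    """Return sorted (offset, kind, matched bytes) for every indicator found."""
    hits = []
    for kind, pattern in INDICATORS:
        for m in pattern.finditer(blob):
            hits.append((m.start(), kind, m.group(0)))
    return sorted(hits)


# Constructed sample image: two device names, one registry key and the
# Method 12 push pair followed by a call whose target is left as zero.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                           # offset 8
    + b"\\\\.\\NTICE\x00"                          # offset 17
    + b"Software\\NuMega\\SoftICE\x00"             # offset 27
    + b"\x90" * 3
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"  # offset 54: push 4Fh / push 2A002Ah
    + b"\xE8\x00\x00\x00\x00"                      # call rel32 (placeholder target)
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, kind, matched in scan_indicators(data):
        print(f"{offset:08X}  {kind:28s}  {matched!r}")
```

On SAMPLE the scanner reports the two device names at offsets 8 and 17, the NuMega key at 27 and the VxDCall push pair at 54. Strings that a packer encodes or builds at run time will not be found this way, which is exactly why the breakpoints above (on CreateFileA, KERNEL32!ORD_0001, VMM_GetDDBList and _regopenkey) remain the reliable check: they see the decoded string at the moment it is used.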

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>