<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


  4C19:0095  MOV AX,0911     ; execute command.
  4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
  4C19:009A  MOV SI,4647     ; 1st magic value.
  4C19:009D  MOV DI,4A4D     ; 2nd magic value.
  4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1  ADD BX,02       ; BX+2 to point to next command to execute
  4C19:00A4  INC CX
  4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
  4C19:00A8  JB 0095         ; 6 different commands.
  4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
  4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number        ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SoftICE (Win9x) driver can be opened,
   i.e. the VxD answered the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067: push 00402025        ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                   ; OF_READ
        mov eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589              ; detected
        push 00                   ; OF_READ
        mov eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh            ; function 4fh
        push 002a002ah            ; high word specifies which VxD (VWIN32)
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001     ; VxDCall
        cmp ax, 0f386h            ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
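As an added example (not code from the original text or from any of the tools it names), here is a small Python triage scanner that looks for the byte-level signatures of the tricks catalogued above (Methods 01, 02, 03/04, 05, 07, 11 and 12) using their standard x86 opcode encodings, in the spirit of a YARA rule set; the sample image it scans is constructed for the demo and is not taken from Haspinst.exe, MeltICE or any real packer.

```python
import re

# name -> regex over raw bytes; opcode bytes are standard x86 encodings.
# 16-bit encodings still match inside 32-bit code, where a 66h prefix precedes them.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    "01 BoundsChecker BCHK": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC.{0,8}?\x3C\x04", re.S),
    # Method 02: back-door magic values SI=4647h and DI=4A4Dh (either order) then int 3
    "02 INT 3 back door": re.compile(
        rb"(\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    "03/04 INT 2F/1684 VxD ID": re.compile(
        rb"\xB8\x84\x16.{0,8}?\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "05 INT 41/4F magic F386": re.compile(
        rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h / int 68h
    "07 INT 68/43": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan(buf):
    """Return a sorted list of (offset, method name) hits found in the byte buffer."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed test image (not a real binary): Method 01, the Method 02 sequence
# from the Haspinst listing, the simplest Method 05 form and a MeltICE device
# name, separated by NOP padding.
SAMPLE = (
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"  # Method 01, offset 0
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"            # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h / mov di,4A4Dh / int 3 (offset 27)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"  # Method 05 (offset 42)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                 # Method 11 string (offset 60)
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  Method {name}")
```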