About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; if SoftICE answered the BoundsChecker query, al is no longer 4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so that es:[41h*4] is the int 41h IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy handler, keeping the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value read from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl only if it is reached
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; int 41h was intercepted before our handler ran

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
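An added example (not part of the original post) that decodes the DR7 values quoted above into their fields, using the documented Intel DR7 bit layout; the sample values are constructed, and a real DR7 has to be captured in ring0 first, as the text says.

```python
# DR7 bit layout (Intel SDM): L0/G0 .. L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved and always read as 1, GD bit 13, then one R/Wn:LENn pair of
# 2+2 bits per slot from bit 16 upwards. The sample values are constructed.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the fields that matter for Method 10."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "enabled": bool(local | glob),
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "slots": slots}


def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's loader heuristic: 0x700 has LE and GE set, plain 0x400 does not."""
    f = decode_dr7(dr7)
    return f["le"] and f["ge"]


def active_bpms(dr7: int) -> list:
    """Slots (DR0..DR3) that currently arm a hardware breakpoint, i.e. a BPM."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


# Constructed samples: the two values quoted in Method 10, plus a DR7 in which
# slot 0 is a globally enabled 4-byte read/write breakpoint (a BPM RW style).
DR7_SOFTICE_LOADER = 0x700
DR7_PLAIN = 0x400
DR7_WITH_BPM0 = 0x400 | 0b10 | (3 << 16) | (3 << 18)   # = 0x000F0402

if __name__ == "__main__":
    for value in (DR7_SOFTICE_LOADER, DR7_PLAIN, DR7_WITH_BPM0):
        print(f"dr7={value:#010x} loader={looks_like_softice_loader(value)} "
              f"bpm_slots={active_bpms(value)}")
```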

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
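As an added example (not from the original post), a small static scanner in Python that looks for the byte-level fingerprints of Methods 01 to 05, 07, 11, 12 and 13 in a raw binary image, so an analyst can triage a protected file without running it; the sample image is hand-assembled and constructed here, and the encodings assume 16-bit code for the DOS int tricks and 32-bit code for Methods 01 and 12.

```python
import re
import sys

# Byte-level signatures for the tricks described in Methods 01-05, 07, 11, 12
# and 13. Immediates are little-endian: 'BCHK' (4243484Bh) is stored as
# 4B 48 43 42 and the magic pair SI=4647h / DI=4A4Dh as 47 46 / 4D 4A.
# ".{0,8}?" tolerates a few unrelated bytes between the key instructions.
# Encodings assume 16-bit code for the DOS int tricks (mov ax,imm16 = B8 xx xx,
# int NN = CD NN) and 32-bit code for Method 01 (mov ebp,imm32 = BD) and 12.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' + int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("M02 back door magic SI=4647h DI=4A4Dh + int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC"),
    ("M03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("M05 int 41h/4Fh compared with 0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("M07 int 68h/43h",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("M13 SoftICE registry key",
     rb"(?i)Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: hand-assembled fragments of the methods above,
# separated by NOP padding, followed by the strings a MeltICE-style check uses.
SAMPLE = (
    b"\x55\x8B\xEC"                                              # prologue
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # M01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"  # M02 (Haspinst)
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"        # M03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                # M05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"        # M12
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                         # M11
    + b"Software\\NuMega\\SoftICE\x00"                            # M13
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Pass a file path to scan a real image; with no argument it scans the constructed sample. Hits are only an indicator: the same bytes can appear in legitimate code, so confirm each one by disassembling at the reported offset.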

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>