<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4 ; if SoftICE handles the INT 3, AL is no longer 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI still 0000:0000 -> VxD not present
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected


__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; ES must point to the IVT (segment 0) here
 xchg bx, es:[41h*4+2] ; install our own dummy int 41h handler
 mov ax,4fh
 int 41h ; SoftICE intercepts int 41h before the IVT handler runs, so it still answers
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our dummy handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read a pseudo-random value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; if our handler ran, CL == AL; if SoftICE swallowed the int, CL stays 0
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
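To see what the debug-register read above actually yields, here is an added example (not code from the original note) that decodes DR7 and DR0..DR3 into the armed hardware breakpoints and classifies the DR7 control bits against the 0x700 / 0x400 values quoted above; the sample register values are constructed.

```python
"""Decode x86 debug registers the way the Method 10 check reads them.
Added example, not from the original note; sample values are constructed."""

# Intel SDM DR7 layout: bits 0..7 are L0,G0,L1,G1,L2,G2,L3,G3 (local/global
# enables), bit 8 = LE, bit 9 = GE, bit 10 is reserved and always reads 1
# (hence the 0x400 baseline), bits 16+4*i / 18+4*i hold R/W i and LEN i.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

SOFTICE_LOADER_DR7 = 0x700  # LE|GE|reserved: app started via the SoftICE loader
BASELINE_DR7 = 0x400        # reserved bit only: normal start


def loader_hint(dr7: int) -> str:
    """Classify the DR7 control bits as the note describes (enables ignored)."""
    ctrl = dr7 & 0x700
    if ctrl == SOFTICE_LOADER_DR7:
        return "softice-loader"
    if ctrl == BASELINE_DR7:
        return "normal"
    return "unexpected"


def armed_breakpoints(dr7: int, dr0_3: tuple) -> list:
    """Return one dict per enabled hardware breakpoint (what a BPM sets)."""
    out = []
    for i, addr in enumerate(dr0_3):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        out.append({
            "index": i,
            "address": addr,
            "kind": RW_KIND[rw],
            "length": 1 if rw == 0 else LEN_BYTES[ln],  # execute BPs are 1 byte
            "scope": "global" if glob else "local",
        })
    return out


# Constructed sample: DR7 as left by the SoftICE loader plus a local 4-byte
# read/write BPM on DR0 and a global execute BPM on DR2.
SAMPLE_DR7 = 0x700 | 0x1 | (3 << 16) | (3 << 18) | 0x20
SAMPLE_DR0_3 = (0x00401000, 0, 0x00401234, 0)

if __name__ == "__main__":
    print(loader_hint(SAMPLE_DR7))
    for bp in armed_breakpoints(SAMPLE_DR7, SAMPLE_DR0_3):
        print(bp)
```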
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

// Win32 (windows.h); opening the driver's device name succeeds only if it is loaded
BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; open failed -> SoftICE not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
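A small triage scanner, added here as an example and not part of the original note, that searches a raw binary image for the byte encodings of the sequences quoted in Methods 01 to 07, 11, 12 and 13 (the 16-bit forms shown above, with an optional 66h prefix where a 32-bit packer would use one); the signature names and the sample image are constructed.

```python
"""Scan a binary image for the SoftICE-detection byte sequences quoted in this
note. Added triage example, not code from the original note; signature names
and the sample image are constructed."""
import re

# Each pattern is the x86 encoding of the instruction sequence (or string)
# the note shows. Wildcards allow for the few instructions packers place
# between the key ones.
SIGNATURES = {
    "m01_bchk_probe":       rb"\xBD\x4B\x48\x43\x42",                       # mov ebp,4243484Bh
    "m02_backdoor_magic":   rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",  # mov si,4647h .. mov di,4A4Dh
    "m03_vxd_sice_entry":   rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",           # mov ax,1684h; mov bx,202h; int 2Fh
    "m04_vxd_siwvid_entry": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",           # same with bx=7A5Fh
    "m05_int41_fn4f":       rb"\xB8\x4F\x00.{0,16}?\xCD\x41",               # mov ax,4Fh .. int 41h
    "m05_magic_f386":       rb"\x66?\x3D\x86\xF3",                          # cmp ax,0F386h (may also hit cmp eax,imm32)
    "m07_int68_fn43":       rb"\xB4\x43\xCD\x68",                           # mov ah,43h; int 68h
    "m11_device_name":      rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",              # "\\.\SICE" etc. (MeltICE, _lopen)
    "m12_vxdcall_int41":    rb"\x6A\x4F\x68\x2A\x00\x2A\x00",               # push 4Fh; push 2A002Ah
    "m13_registry_key":     rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}


def scan(image: bytes) -> list:
    """Return (signature name, file offset) for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample image: NOP filler around the Haspinst-style back door
# call (Method 02), the int 2Fh/1684h probe (Method 03) and a MeltICE device
# name (Method 11). Not a real executable.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"                      # mov ax,0911h  (offset 16)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46"                      # mov si,4647h  (offset 21)
    + b"\xBF\x4D\x4A"                      # mov di,4A4Dh
    + b"\xCC"                              # int 3
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # Method 03     (offset 36)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE",0  (offset 52)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE_IMAGE):
        print(f"{off:#06x}  {name}")
```

Offsets reported are file offsets into the image, so for a packed executable they have to be mapped through the section table before being used as addresses.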
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>