<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers on INT 3:
with EBP holding the 'BCHK' signature and AX=04h, a loaded SoftICE handles
the INT 3 and AL no longer holds 4 on return. Without SoftICE, AL is
untouched (and the INT 3 itself must be caught by the program's own
exception handler, as noted for Method 02).

       mov ebp, 04243484Bh   ; 'BCHK'
       mov ax, 04h
       int 3
       cmp al,4
       jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV   AX,0911    ; execute command
4C19:0098  MOV   DX,[BX]    ; ds:dx points to the command (see below)
4C19:009A  MOV   SI,4647    ; 1st magic value
4C19:009D  MOV   DI,4A4D    ; 2nd magic value
4C19:00A0  INT   3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD   BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC   CX
4C19:00A5  CMP   CX,06      ; Repeat 6 times to execute
4C19:00A8  JB    0095       ; 6 different commands
4C19:00AA  JMP   0002       ; Bad_Guy jmp back
4C19:00AD  MOV   BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
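The same idea, the program raising INT 3 itself and relying on its own exception handler when no debugger answers, as an added example in C for a POSIX host (not code from the original page or from any of the protectors it names). It assumes a user-mode process on Linux or another POSIX system, where the breakpoint trap arrives as SIGTRAP: if the program's handler runs, no debugger took the trap; if a debugger such as gdb swallows it, the handler never runs, which is the signal the packers above look for. The function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t trap_seen;

/* Plays the role of the program's own INT 3 handler (the "SEH" of the
 * footnote above): if it runs, no debugger took the trap first. */
static void on_trap(int sig)
{
    (void)sig;
    trap_seen = 1;
}

/* Returns 1 if a debugger swallowed the breakpoint trap, 0 if our own
 * handler saw it, -1 if the handler could not be installed. */
int debugger_swallowed_trap(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_seen = 0;
#if defined(__i386__) || defined(__x86_64__)
    /* Same instruction as the page's "int 3". INT 3 is a trap, so the saved
     * instruction pointer already points past it and the handler just returns. */
    __asm__ __volatile__("int3");
#else
    raise(SIGTRAP);          /* non-x86 host: same signal, raised in software */
#endif
    sigaction(SIGTRAP, &old, NULL);   /* restore the previous disposition */
    return trap_seen ? 0 : 1;
}

int main(void)
{
    int r = debugger_swallowed_trap();
    if (r < 0) {
        perror("sigaction");
        return 2;
    }
    puts(r ? "breakpoint trap swallowed: debugger present"
           : "handler ran: no debugger");
    return 0;
}
```

Run it plainly and the handler line is printed. Under gdb, `run` stops at the SIGTRAP and `continue` prints the "debugger present" line, because gdb does not pass SIGTRAP to the program by default; telling gdb to pass SIGTRAP hides the check, which is the counterpart of the BPX tricks used elsewhere on this page to hide SoftICE.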
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI comes back as 0:0 when no VxD with that
ID is loaded.

       xor di,di
       mov es,di
       mov ax, 1684h
       mov bx, 0202h         ; VxD ID of winice
       int 2Fh
       mov ax, es            ; ES:DI -> VxD API entry point
       add ax, di
       test ax,ax
       jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

       xor di,di
       mov es,di
       mov ax, 1684h
       mov bx, 7a5Fh         ; VxD ID of SIWVID
       int 2fh
       mov ax, es            ; ES:DI -> VxD API entry point
       add ax, di
       test ax,ax
       jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

       mov ax,4fh
       int 41h
       cmp ax, 0F386h
       jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before calling int 41h, the vector in the
interrupt table is temporarily pointed at a plain IRET, so that without a
debugger the call returns with AX untouched; an answer of 0F386h can then
only come from a debugger intercepting int 41h before the vector is reached.

       xor ax,ax
       mov es,ax              ; ES=0: the interrupt vector table (as in Method 06)
       mov bx, cs
       lea dx, int41handler2
       xchg dx, es:[41h*4]    ; swap in our handler, keep the old vector in BX:DX
       xchg bx, es:[41h*4+2]
       mov ax,4fh
       int 41h
       xchg dx, es:[41h*4]    ; restore the original vector
       xchg bx, es:[41h*4+2]
       cmp ax, 0f386h
       jz SoftICE_detected

int41handler2 PROC
       iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect,
because function 4Fh is never requested and no magic number is compared.
A byte read from the timer (port 40h) gives an unpredictable value in AL;
CX is zeroed and int 41h is called. If the vector in the interrupt table is
still honoured, the temporary handler copies AL into CL and the two match
on return. If SoftICE handles int 41h itself without reaching the vector,
CL is still 0 and the program knows. (If the timer byte happens to be 0,
the check gives a false negative: one chance in 256.)

int41handler PROC
       mov cl,al
       iret
int41handler ENDP

       xor ax,ax
       mov es,ax              ; ES=0: the interrupt vector table
       mov bx, cs
       lea dx, int41handler
       xchg dx, es:[41h*4]
       xchg bx, es:[41h*4+2]
       in al, 40h             ; PIT counter byte: a value the debugger cannot guess
       xor cx,cx
       int 41h
       xchg dx, es:[41h*4]
       xchg bx, es:[41h*4+2]
       cmp cl,al
       jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

       mov ah,43h
       int 68h
       cmp ax,0F386h
       jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

       mov ah, 25h
       mov al, Int_Number       ; 01h or 03h
       mov dx, offset New_Int_Routine
       int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX)
for that device if it is installed.

       mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
       mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
       VMMCall Get_DDB
       mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

       bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (DR0 to DR3), simply
by reading their value (in ring 0 only). Values can be manipulated or
changed as well (clearing BPMs for instance).

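Decoding the two DR7 values quoted above, as an added example (not code from the original page). Reading DR7 needs ring 0, as the text says; this C code only interprets a value that has already been read, so it runs anywhere. The sample values are constructed: 0x400 and 0x700 from the page, plus one with a 4-byte write BPM armed in slot 0. Bit positions follow the Intel SDM description of DR7; the names dr7_decode, dr7_count_bpm and the accessor helpers are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 control bits (Intel SDM vol. 3, "Debug Registers"). */
#define DR7_LE     (1u << 8)    /* local exact breakpoint enable  */
#define DR7_GE     (1u << 9)    /* global exact breakpoint enable */
#define DR7_BIT10  (1u << 10)   /* reserved, always reads as 1    */
#define DR7_GD     (1u << 13)   /* general detect: trap on MOV DRn */

struct hw_bp {
    int local_enable;   /* Ln  (bit 2n)   */
    int global_enable;  /* Gn  (bit 2n+1) */
    int rw;             /* R/Wn: 0 exec, 1 write, 2 I/O, 3 read/write */
    int len;            /* LENn: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes in 64-bit mode) */
};

struct dr7_info {
    struct hw_bp bp[4];
    int le, ge, gd;
    unsigned active_mask;   /* bit n set when breakpoint n is enabled */
};

void dr7_decode(uint32_t dr7, struct dr7_info *out)
{
    out->active_mask = 0;
    for (int n = 0; n < 4; n++) {
        struct hw_bp *b = &out->bp[n];
        b->local_enable  = (dr7 >> (2 * n)) & 1;
        b->global_enable = (dr7 >> (2 * n + 1)) & 1;
        b->rw  = (dr7 >> (16 + 4 * n)) & 3;
        b->len = (dr7 >> (18 + 4 * n)) & 3;
        if (b->local_enable || b->global_enable)
            out->active_mask |= 1u << n;
    }
    out->le = (dr7 & DR7_LE) != 0;
    out->ge = (dr7 & DR7_GE) != 0;
    out->gd = (dr7 & DR7_GD) != 0;
}

/* The page's fingerprint: 0x700 = LE | GE | bit 10, left by the SoftICE
 * loader; 0x400 = bit 10 alone, the value seen otherwise. */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Number of armed hardware breakpoints (BPMs in SoftICE terms). */
int dr7_count_bpm(uint32_t dr7)
{
    struct dr7_info i;
    dr7_decode(dr7, &i);
    int c = 0;
    for (int n = 0; n < 4; n++)
        c += (i.active_mask >> n) & 1;
    return c;
}

/* Accessors for slot n, handy for checks and for printing. */
int dr7_bp_rw(uint32_t dr7, int n)  { struct dr7_info i; dr7_decode(dr7, &i); return i.bp[n].rw; }
int dr7_bp_len(uint32_t dr7, int n) { struct dr7_info i; dr7_decode(dr7, &i); return i.bp[n].len; }

int main(void)
{
    /* Constructed samples: the two values quoted on the page, plus one with a
     * 4-byte write BPM armed in slot 0 (L0=1, R/W0=01b, LEN0=11b). */
    static const uint32_t samples[] = { 0x400, 0x700, 0x000D0401 };
    static const char *const rw_names[] = { "exec", "write", "io", "read/write" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct dr7_info i;
        dr7_decode(samples[k], &i);
        printf("DR7=%08x LE=%d GE=%d GD=%d softice_loader=%d bpm=%d",
               (unsigned)samples[k], i.le, i.ge, i.gd,
               dr7_matches_softice_loader(samples[k]), dr7_count_bpm(samples[k]));
        for (int n = 0; n < 4; n++)
            if (i.active_mask & (1u << n))
                printf(" [bp%d %s len=%d]", n, rw_names[i.bp[n].rw], i.bp[n].len);
        putchar('\n');
    }
    return 0;
}
```

The 0x700/0x400 distinction is only LE and GE; the always-set bit 10 is why the "clean" value is 0x400 rather than 0. A protector that clears DR0-DR3 and the Ln/Gn bits (the "clearing BPMs" the text mentions) leaves the loader fingerprint untouched unless it also clears LE and GE.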
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
       BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                          *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
       BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(
-or (a bit) faster:
       BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

       BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
       BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

       push 00                 ; OF_READ
       mov eax,[00656634]      ; '\\.\SICE',0
       push eax
       call KERNEL32!_lopen
       inc eax                 ; HFILE_ERROR (-1) becomes 0
       jnz 00650589            ; detected
       push 00                 ; OF_READ
       mov eax,[00656638]      ; '\\.\SICE'
       push eax
       call KERNEL32!_lopen
       inc eax
       jz 006505ae             ; not detected

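The device-open check extended to all three driver names listed above, together with the byte comparison behind the CreateFileA breakpoint condition, as an added example in C (not code from the original page, from MeltICE or from nmtrans.dll). The CreateFileA part assumes a Windows build; path_names_softice_device needs only a C compiler and shows why the condition reads at +4 (past the "\\.\" prefix) and why SoftICE's 'SICE' literal is compared as a little-endian dword. All function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Driver names the page lists: SICE and SIWVID on Win9x, NTICE on NT. */
const char *const softice_device_paths[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};

/* SoftICE's 'SICE' literal is the dword obtained by reading the four bytes
 * "S","I","C","E" from memory on a little-endian CPU; build it the same way. */
static uint32_t tag4(const char *p)
{
    return (uint32_t)(unsigned char)p[0]
         | (uint32_t)(unsigned char)p[1] << 8
         | (uint32_t)(unsigned char)p[2] << 16
         | (uint32_t)(unsigned char)p[3] << 24;
}

/* Mirrors the breakpoint condition *(esp->4+4)=='SICE' || ... : skip the
 * 4-byte "\\.\" prefix (the +4) and compare the next dword. Like the
 * breakpoint, it matches on the first four characters only, so a name such
 * as "\\.\SICEXYZ" also matches. */
int path_names_softice_device(const char *lpFileName)
{
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0)
        return 0;
    uint32_t t = tag4(lpFileName + 4);
    return t == tag4("SICE") || t == tag4("SIWV") || t == tag4("NTIC");
}

#ifdef _WIN32
/* The MeltICE check itself: a successful open of any of the device names
 * means the corresponding SoftICE driver answered the DIOC_OPEN. Windows only. */
int softice_loaded_meltice(void)
{
    size_t n = sizeof softice_device_paths / sizeof softice_device_paths[0];
    for (size_t i = 0; i < n; i++) {
        HANDLE h = CreateFileA(softice_device_paths[i], GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {
            CloseHandle(h);
            return 1;
        }
    }
    return 0;
}
#endif

int main(void)
{
    /* Constructed sample arguments, as a hooked CreateFileA would see them. */
    const char *seen[] = { "\\\\.\\SICE", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0", "C:\\SICE" };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-22s -> %s\n", seen[i],
               path_names_softice_device(seen[i]) ? "SoftICE device name" : "not a SoftICE device");
#ifdef _WIN32
    printf("MeltICE says SoftICE is %sloaded\n", softice_loaded_meltice() ? "" : "not ");
#endif
    return 0;
}
```

Because the dword compare ignores everything after the fourth character, the classical breakpoint above fires for "\\.\SIWVID" and "\\.\SIWV" alike, which is exactly why the condition is written with 'SIWV' rather than the full driver name.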
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

       push 0000004fh           ; function 4fh
       push 002a002ah           ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
       call Kernel32!ORD_001    ; VxDCall
       cmp ax, 0f386h           ; magic number returned by system debuggers
       jz SoftICE_detected

Here again, several ways to detect it:

       BPINT 41 if ax==4f
       BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one
       BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
       BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the two offsets are where "tICE" falls in
the subkey strings of #2 and #1 respectively):

       BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

       VMMCall Test_Debug_Installed
       je not_installed         ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>