<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE's int 3 handler, identified
by the 'BCHK' signature in EBP. If SoftICE is loaded, its handler recognizes
the signature and returns a different value in AL; if no debugger answers
the int 3, AL still holds 04h afterwards:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display a string in the SoftICE window)
  -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
  -AX = 0912h (Get breakpoint information)
  -AX = 0913h (Set SoftICE breakpoints)
  -AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler the program
  installs beforehand: when the debugger is not loaded, nothing swallows the
  int 3 and execution lands in that handler.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point). ES:DI is zeroed first; if the VxD is not loaded the
call leaves it untouched, so ES+DI stays 0:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h that all system debuggers return
(in AX) to int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, and the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first swaps the int 41h vector in the
real-mode IVT (ES must point to segment 0) for a dummy handler that just
IRETs, so that without a debugger the call returns AX unchanged; SoftICE
intercepts int 41h before the vector is consulted and still answers 0F386h.
The original vector is restored afterwards:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: AL is
loaded with a pseudo-random byte read from the timer port (40h) instead of
the 4Fh function code, so a "BPINT 41 if ax==4f" never fires. The dummy
handler copies AL into CL; if it actually ran (no debugger), CL equals AL
afterwards, whereas if SoftICE swallowed the int 41h, CL is still 0 from the
xor (the check gives a false negative only when the byte read happens to be 0):

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector; 35h
returns the current vector in ES:BX so it can be saved first), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only: MOV reg,DRn is a privileged instruction). Values
can be manipulated and/or changed as well (clearing BPMs for instance).

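The following decoder is an added example, not code from the original page: it
interprets DR7 and DR0..DR3 values that were already read in ring 0, so the two
magic values quoted above become concrete (0x400 is only the reserved bit 10,
which always reads as 1; 0x700 additionally has the LE and GE bits 8 and 9 set).
It also shows the two manipulations the text mentions: programming a hardware
breakpoint slot and wiping all BPMs. The bit layout is the one documented in
the Intel SDM; the sample values used in the demo are constructed.

```python
"""Decoder/encoder for the x86 debug registers read by Method 10.

Added example, not from the original page.  Works on DR7 / DR0..DR3 values
obtained in ring 0 (user mode cannot read the live registers).  Layout per
Intel SDM vol. 3: bit 10 always reads as 1, bits 8/9 are LE/GE, bit 13 is GD,
slot n has Ln/Gn at bits 2n/2n+1, R/Wn at bits 16+4n and LENn at bits 18+4n.
"""
from dataclasses import dataclass

DR7_RESERVED_BIT10 = 1 << 10          # the 0x400 of an idle system
DR7_LE, DR7_GE, DR7_GD = 1 << 8, 1 << 9, 1 << 13

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
RW_CODES = {v: k for k, v in RW_NAMES.items()}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes is 64-bit only
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}


@dataclass
class HwBreakpoint:
    index: int        # 0..3, i.e. which DRn holds the address
    address: int
    kind: str         # execute / write / io / read/write
    length: int       # bytes covered
    local: bool       # Ln bit
    global_: bool     # Gn bit


def decode_debug_regs(dr7, dr0_3):
    """Return the enabled hardware breakpoints plus the global DR7 flags."""
    bps = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                              # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append(HwBreakpoint(n, dr0_3[n], RW_NAMES[rw], LEN_BYTES[ln], local, glob))
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),             # General Detect: faults on any DR access
        "breakpoints": bps,
    }


def looks_like_softice_loader(dr7):
    """The heuristic from the text: LE and GE both set on top of the reserved bit."""
    return (dr7 & 0x700) == 0x700


def set_hw_breakpoint(dr7, n, kind, length, local=True):
    """Program slot n in DR7 (the address itself goes into DRn separately)."""
    rw = RW_CODES[kind]
    ln = 0 if kind == "execute" else LEN_CODES[length]   # exec breakpoints need LEN=00
    dr7 &= ~(0b11 << (2 * n)) & ~(0b1111 << (16 + 4 * n)) & 0xFFFFFFFF
    dr7 |= (1 << (2 * n)) if local else (1 << (2 * n + 1))
    dr7 |= (rw << (16 + 4 * n)) | (ln << (18 + 4 * n))
    return dr7 | DR7_RESERVED_BIT10


def clear_hw_breakpoints(dr7):
    """What a protection does to kill BPMs: drop every Ln/Gn bit and RW/LEN field."""
    return (dr7 & 0xFF00) | DR7_RESERVED_BIT10


if __name__ == "__main__":
    # Constructed values: a 4-byte write BPM on 00401000h with SoftICE loader flags.
    dr7 = set_hw_breakpoint(0x700, 0, "write", 4)
    print(hex(dr7), decode_debug_regs(dr7, [0x401000, 0, 0, 0]))
    print("loader signature:", looks_like_softice_loader(dr7))
    print("after clearing BPMs:", hex(clear_hw_breakpoints(dr7)))
```

A protection reading DR7 from ring 0 gets exactly these bit patterns; the
decoder is also handy when you inspect DR7 in a VM or a kernel crash dump and
want to know what a debugger had armed.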
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE drivers' device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025           ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 comparison sees the four characters that follow it)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, -1, on failure, so
INC EAX leaves zero exactly when the open failed):

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets at which "tICE" falls in key #2 and key #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

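Every trick above leaves a recognizable footprint in the binary itself: the
immediates of the int 3 / int 2Fh / int 41h / int 68h sequences (Methods 01 to
07), the 002A002Ah VxDCall service number (Method 12), the "\\.\SICE" family of
device names (Method 11) and the registry paths (Method 13). The scanner below
is an added example, not code from the original page or from any program it
discusses: it runs those signatures over a raw code/data image so the tricks
can be located before the target is ever run under SoftICE. Opcode encodings
are the standard Intel ones, with an optional 66h operand-size prefix so each
pattern matches 16-bit and 32-bit code alike; the SAMPLE_IMAGE at the bottom
is constructed for the demonstration and not taken from a real binary.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.

Added example, not from the original page.  Method 06 is deliberately not
covered: it avoids the 4Fh constant, which is exactly what makes it hard to
spot.  Patterns allow a few unrelated bytes between instructions (GAP).
"""
import re

OPT66 = rb"\x66?"          # optional operand-size prefix (16-bit vs 32-bit code)
GAP = rb".{0,8}?"          # up to 8 unrelated bytes between two instructions

# Identifiers that appear as immediates in the tricks.
VXD_IDS = {0x0202: "SICE (WINICE)", 0x7A5F: "SIWVID", 0x002A: "VWIN32"}

CODE_SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3 ; cmp al,4
    "Method 01: int 3 BoundsChecker 'BCHK' check":
        OPT66 + rb"\xBD\x4B\x48\x43\x42" + OPT66 + rb"\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3   (AX selects 0910h..0914h)
    "Method 02: int 3 backdoor (SI=4647h, DI=4A4Dh)":
        OPT66 + rb"\xBE\x47\x46" + GAP + OPT66 + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh   (VxD id captured)
    "Method 03/04: int 2Fh/1684h VxD entry point":
        OPT66 + rb"\xB8\x84\x16" + OPT66 + rb"\xBB(..)\xCD\x2F",
    # Method 05: mov ax,4Fh ; ... ; int 41h ; ... ; cmp ax,0F386h
    "Method 05: int 41h/4Fh debugger installation check":
        OPT66 + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + OPT66 + rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h ; ... ; cmp ax,0F386h
    "Method 07: int 68h/43h WinICE handler check":
        rb"\xB4\x43\xCD\x68" + GAP + OPT66 + rb"\x3D\x86\xF3",
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; call VxDCall
    "Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
CODE_SIGNATURES = {k: re.compile(v, re.DOTALL) for k, v in CODE_SIGNATURES.items()}

# Method 11 device names and Method 13 registry paths; matched case-insensitively,
# both as ANSI and as UTF-16LE (the W variants of the APIs see the latter).
STRING_SIGNATURES = [
    ("\\\\.\\SICE", "Method 11: SICE device name"),
    ("\\\\.\\SIWVID", "Method 11: SIWVID device name"),
    ("\\\\.\\NTICE", "Method 11: NTICE device name"),
    ("Software\\NuMega\\SoftICE", "Method 13: registry key #2"),
    ("Uninstall\\SoftICE", "Method 13: registry key #1"),
    ("App Paths\\Loader32.Exe", "Method 13: registry key #3"),
]


def decode_vxd_service(dword):
    """Split a VxDCall service number into (VxD name, service index)."""
    vxd_id, service = dword >> 16, dword & 0xFFFF
    return VXD_IDS.get(vxd_id, f"VxD {vxd_id:04X}h"), service


def scan(image):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for name, pat in CODE_SIGNATURES.items():
        for m in pat.finditer(image):
            desc = name
            if m.groups():                      # only the int 2Fh pattern captures
                vxd_id = int.from_bytes(m.group(1), "little")
                desc += f" for {vxd_id:04X}h ({VXD_IDS.get(vxd_id, 'unknown VxD')})"
            hits.append((m.start(), desc))
    for text, what in STRING_SIGNATURES:
        for enc in ("ascii", "utf-16le"):
            needle = re.compile(re.escape(text.encode(enc)), re.IGNORECASE)
            hits.extend((m.start(), f"{what} [{enc}]") for m in needle.finditer(image))
    return sorted(hits)


# Constructed sample: one instance of each trick, padded with NOPs.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"     # Method 01 (32-bit)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"             # Method 02 (Haspinst style)
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"             # Method 03 (16-bit)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                     # Method 05, simplest form
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                                 # Method 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"             # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                              # Method 11 strings
    + "Software\\NuMega\\SoftICE".encode("utf-16le") + b"\x00\x00"    # Method 13 key #2
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE_IMAGE):
        print(f"{off:06X}  {what}")
```

Run it on a dumped section rather than the packed file when the target is
encrypted; the signatures only exist in plaintext code, which is also why the
runtime breakpoints listed on this page remain necessary.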
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>