<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WinICE
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax            ; a non-zero entry point means the VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; swap in our own int 41h vector (ES assumed = 0)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; PIT counter port: a changing value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; if SoftICE swallowed int 41h, cl was never set
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SICE VxD through its device name. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;     /* the device opened, so the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
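As an added example (not part of the original text), a small static scanner that looks, in a file image, for the byte patterns of the probes described in Methods 01 to 05, 07, 11 and 12, so an analyst can flag which of these checks a binary carries before tracing it; the instruction encodings and the sample buffer are this example's own assumptions.

```python
import re

# Byte signatures for the SoftICE checks catalogued above. The instruction
# encodings are this example's assumptions: 16-bit forms (mov ax,imm16 /
# int xx) for the DOS-era probes, 32-bit forms for the Win32 ones.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' followed within 8 bytes by int 3 (CC or CD 03)
    "m01_bchk_int3":     rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)",
    # Method 02: mov si,4647h / mov di,4A4Dh, the back door magic values
    "m02_int3_magic":    rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_int2f_1684":    rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "m05_int41_4f":      rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/12: cmp ax,0F386h (optional 66h operand-size prefix in 32-bit code)
    "cmp_ax_f386":       rb"\x66?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43":      rb"\xB4\x43\xCD\x68",
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    "m11_device_name":   rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "m12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}

def scan(buf):
    """Return sorted (offset, signature name) pairs for every pattern in buf."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

def confirmed_debugger_probes(buf, window=16):
    """Offsets of int 41h / VxDCall probes whose result is compared against
    0F386h within `window` bytes. The bare compare is only 3-4 bytes and
    would fire on its own far too often, so it only corroborates a probe."""
    hits = scan(buf)
    cmps = [off for off, name in hits if name == "cmp_ax_f386"]
    probes = [off for off, name in hits
              if name in ("m05_int41_4f", "m12_vxdcall_int41")]
    return [p for p in probes if any(p < c <= p + window for c in cmps)]

# Constructed sample buffer (not from any real binary): NOP padding, a Method 05
# probe with its compare, a MeltICE device name, a Method 12 VxDCall stub with a
# 32-bit compare, and a Method 03 int 2Fh/1684h probe.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3"      # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                             # "\\.\SICE",0
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # push 4Fh / push 002A002Ah
    + b"\xE8\x00\x00\x00\x00" + b"\x66\x3D\x86\xF3"  # call <VxDCall> / cmp ax,0F386h
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"            # mov ax,1684h / mov bx,0202h / int 2Fh
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x} {name}")
    print("confirmed debugger probes at", confirmed_debugger_probes(SAMPLE))
```

Run it against a raw file image (`scan(open(path, "rb").read())`); a hit only says the pattern is present, so confirm by setting the corresponding breakpoint from the list above.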
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>