<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
! m2 y. a# }, ?
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
# a" L) p$ W4 H0 U @% L
Method 03
=========

Less frequently used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________
0 e% B% f$ W" ~5 p+ t" e9 r" l5 `
) b# N7 r) A% G
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________
( e9 o/ I3 X' ~. |8 O# w
# I8 n2 m) N3 k+ e2 k" y4 D) n1 r* J' ?. q R
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
r8 j: Z5 e# m+ ]% H0 p
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
0 b% R5 a1 i" C' J/ U
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
. w' M' ]& `, S9 \
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
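As an added example (not part of the original text), a small DR7 decoder that shows why the text's two values differ: 0x400 is only the always-set reserved bit 10, while 0x700 additionally carries LE and GE (bits 8 and 9). The bit layout follows the Intel SDM; the sample values are constructed.

```python
# Added example: decode DR7 as described in Method 10. Bit layout per the Intel
# SDM: L<n>/G<n> = bits 2n/2n+1, LE = bit 8, GE = bit 9, bit 10 reserved (reads 1),
# R/W<n> = bits 16+4n..17+4n, LEN<n> = bits 18+4n..19+4n.
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the armed hardware breakpoints (dr0..dr3) plus the LE/GE/reserved bits."""
    armed = {}
    for n in range(4):
        local_en = (dr7 >> (2 * n)) & 1        # L<n>: bits 0, 2, 4, 6
        global_en = (dr7 >> (2 * n + 1)) & 1   # G<n>: bits 1, 3, 5, 7
        if local_en or global_en:
            armed[f"dr{n}"] = {
                "scope": "global" if global_en else "local",
                "type": RW_TYPES[(dr7 >> (16 + 4 * n)) & 3],  # R/W<n>
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],  # LEN<n>
            }
    return {
        "armed": armed,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def softice_loader_shape(dr7):
    """The heuristic the text states: LE and GE both set (0x700) vs. bare 0x400."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


if __name__ == "__main__":
    # Constructed samples: the two values from the text, plus 0x700 with a
    # 4-byte global read/write breakpoint armed in dr0 (G0, R/W0=3, LEN0=3).
    for value in (0x400, 0x700, 0xF0702):
        print(hex(value), decode_dr7(value))
```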

__________________________________________________________________________
# g/ X4 b' |% r; k. |' G
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the SoftICE VxD answers. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
) B5 c' z& B. A
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
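As an added example (not part of the original text), a small Python scanner that looks for the instruction sequences and strings quoted in Methods 01 to 07, 11, 12 and 13 (the 'BCHK' constant, the SI/DI magic values, the int 2Fh/41h/68h calls, the 0F386h compare, the MeltICE device names and the registry paths), so an analyst can tell which trick a file carries before single-stepping into it. The opcode encodings, the method labels and the sample blob are all constructed here.

```python
"""Static scan of a binary for the SoftICE detection tricks listed on this page.
Hypothetical analyst helper; the byte signatures are my own encodings of the
quoted instruction sequences, not taken from any real packer."""
import re

# x86 encodings used: mov r16,imm16 = B8+reg iw; mov ah,imm8 = B4 ib;
# mov ebp,imm32 = BD id (66 prefix in 16-bit code); int n = CD ib;
# cmp ax,imm16 = 3D iw. A short lazy gap (.{0,N}?) tolerates the mov dx /
# mov es / mov ax instructions that sit between the two anchor opcodes.
CODE_SIGNATURES = {
    "M01 BCHK/int3":      rb"\xbd\x4b\x48\x43\x42",                # mov ebp,4243484Bh
    "M02 int3 backdoor":  rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"      # mov si,4647h..mov di,4A4Dh
                          rb"|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46",    # (either order)
    "M03 int2F VxD 0202": rb"\xbb\x02\x02.{0,8}?\xcd\x2f",          # mov bx,0202h..int 2Fh
    "M04 int2F VxD 7A5F": rb"\xbb\x5f\x7a.{0,8}?\xcd\x2f",          # mov bx,7A5Fh..int 2Fh
    "M05/06 int41 fn 4F": rb"\xb8\x4f\x00.{0,16}?\xcd\x41",         # mov ax,4Fh..int 41h
    "M07 int68 fn 43":    rb"\xb4\x43.{0,8}?\xcd\x68",              # mov ah,43h..int 68h
    "M05-07/12 F386":     rb"\x3d\x86\xf3",                        # cmp ax,0F386h
}
STRING_SIGNATURES = {
    "M11 MeltICE":  [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "M13 registry": [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                     b"App Paths\\Loader32.Exe"],
}


def scan(blob):
    """Return (offset, method, detail) hits sorted by offset."""
    hits = []
    for name, pat in CODE_SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((m.start(), name, m.group().hex()))
    for name, needles in STRING_SIGNATURES.items():
        for needle in needles:
            off = blob.find(needle)
            while off != -1:
                hits.append((off, name, needle.decode()))
                off = blob.find(needle, off + 1)
    return sorted(hits)


def methods_found(blob):
    """Distinct method labels present in the blob."""
    return sorted({name for _, name, _ in scan(blob)})


# Constructed sample (not a real file): the Haspinst.exe fragment from Method 02
# (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3), the Method 05
# check (mov ax,4Fh / int 41h / cmp ax,0F386h / jz), one MeltICE device name
# and one registry path, separated by NUL padding.
SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 14
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc" + b"\x00" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05" + b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE_BLOB):
        print(f"{off:#06x}  {name:<20}  {detail}")
```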

__________________________________________________________________________
) K- K. E) A( s6 `, e( Z- R# o7 N. l1 a& ~" ]3 \0 e# g) f. ^
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>