<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with 'BCHK' in EBP
and AX=4, a loaded SoftICE answers the INT 3 and AL is no longer 4 on
return.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is present, ES:DI receives a non-zero
entry point.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). ES must point to segment 0 (the interrupt
vector table) before the xchg instructions, as in Method 06:

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect. The
temporary handler copies AL into CL; AL is loaded with a changing value from
timer port 40h and CX is cleared before the INT 41h. If our own handler runs,
CL equals AL afterwards; if a debugger intercepts int 41h instead of passing
it on, CL stays 0 and the mismatch gives it away:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very effective:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE Loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

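The two DR7 values quoted above differ only in two control bits, which is easier to see when the register is decoded field by field. The following Python decoder is an added example, not code from the original text: it splits DR7 into the architectural fields (L/G enables in bits 0-7, LE/GE in bits 8-9, the always-set bit 10, GD in bit 13, R/W and LEN fields from bit 16) and lists which of DR0-DR3 are armed, i.e. what a ring-0 check of this kind actually reads. Function names and the sample values are constructed for the demonstration.

```python
# Added example, not code from the original text: decode the x86 DR7 debug
# control register so the two values quoted for Method 10 (0x700 with the
# SoftICE Loader, 0x400 otherwise) can be compared bit by bit, and list the
# hardware breakpoint slots (DR0-DR3) that are armed. The bit layout is the
# architectural DR7 layout; the sample values below are constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b means 8 bytes (64-bit mode only)

CONTROL_FLAGS = ("LE", "GE", "reserved_bit10", "GD")


def decode_dr7(dr7):
    """Return a dict with the global control flags and one entry per slot."""
    slots = []
    for n in range(4):
        local_enable = (dr7 >> (2 * n)) & 1
        global_enable = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 3
        length = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "index": n,
            "enabled": bool(local_enable or global_enable),
            "local": bool(local_enable),
            "global": bool(global_enable),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally always set
        "GD": bool((dr7 >> 13) & 1),              # general detect: traps MOV to/from DRn
        "slots": slots,
    }


def armed_breakpoints(dr7):
    """Indices of the DR0-DR3 slots with L or G set, i.e. live hardware breakpoints."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def differing_flags(a, b):
    """Control flags that differ between two DR7 values."""
    da, db = decode_dr7(a), decode_dr7(b)
    return [flag for flag in CONTROL_FLAGS if da[flag] != db[flag]]


if __name__ == "__main__":
    # Constructed samples: the two values from the text, plus a value with a
    # 4-byte read/write breakpoint armed in DR1 (L1 set, RW1=11b, LEN1=11b).
    with_bpm = 0x400 + 0x4 + 0x300000 + 0xC00000
    for value in (0x700, 0x400, with_bpm):
        d = decode_dr7(value)
        print(hex(value), "LE=%s GE=%s armed=%s" % (d["LE"], d["GE"], armed_breakpoints(value)))
    print("0x700 vs 0x400 differ in:", differing_flags(0x700, 0x400))
```

Decoding shows that 0x700 is 0x400 with LE and GE (bits 8 and 9) added, so a check for 0x700 is really a fingerprint of the loader, while any L/G bit in the low byte reveals an armed BPM; that is why the text says to clear breakpoints before stepping through such code.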
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SICE device succeeds only if the SoftICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

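Most of the tricks above (Methods 01 to 05, 07, 11 and 13) leave recognisable byte sequences or strings in the protected binary, so they can be found statically before any of them is stepped through. The scanner below is an added example, not code from the original text: it encodes the quoted instructions as the standard 16/32-bit x86 byte patterns (a 66h operand-size prefix may precede them and is simply not matched), plus the device-name and registry-key strings of Methods 11 and 13, and reports which patterns occur in a buffer. The signature names and the sample buffer are constructed for the demonstration.

```python
# Added example, not code from the original text: a static triage scanner for
# the SoftICE checks described in Methods 01-05, 07, 11 and 13. It looks for
# the instruction byte sequences and strings those tricks leave in a binary,
# so an analyst can spot them before single-stepping into them. Encodings are
# the standard 16/32-bit x86 ones for the quoted instructions; signature names
# and the sample buffer are constructed for this demonstration.
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "BoundsChecker BCHK int3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}\xCC", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    "SoftICE back door magic SI/DI":
        re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "int 2Fh/1684h VxD entry point":
        re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int 41h/4Fh magic F386":
        re.compile(rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "int 68h/43h V86 check":
        re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL),
    # Method 11: device names handed to CreateFileA / _lopen
    "MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal an installation
    "SoftICE registry key":
        re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                   re.IGNORECASE),
}


def scan(data):
    """Return the sorted names of every signature that matches the buffer."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(data))


def scan_offsets(data):
    """Map each matching signature to the offset of its first hit."""
    hits = {}
    for name, rx in SIGNATURES.items():
        m = rx.search(data)
        if m:
            hits[name] = m.start()
    return hits


# Constructed sample: filler bytes around four of the checks quoted in the text.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp,4243484Bh  (offset 4)
    + b"\x66\xB8\x04\x00"                     # mov ax,4
    + b"\xCC"                                 # int 3
    + b"\x3C\x04\x75\x10"                     # cmp al,4 ; jnz
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # mov ax,1684h ; mov bx,0202h ; int 2Fh (offset 21)
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"     # mov ax,4Fh ; int 41h ; cmp ax,0F386h (offset 31)
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                      # device name string (offset 42)
    + b"Software\\NuMega\\SoftICE\x00"        # registry key string (offset 51)
)

if __name__ == "__main__":
    for name, offset in sorted(scan_offsets(SAMPLE).items(), key=lambda kv: kv[1]):
        print("0x%04X  %s" % (offset, name))
```

The short `.{0,N}` wildcards tolerate a few unrelated instructions between the tell-tale ones, which is enough for the straight-line sequences shown in this text; obfuscated variants that compute the magic values at run time will not match and still need the SoftICE breakpoints listed under each method.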
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>