About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
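Added example, not part of the original text: a small Python static scanner that looks for the byte patterns and strings of methods 01, 02, 05, 11, 12 and 13 in a raw file image, so that an analyst triaging a packed sample knows which anti-SoftICE checks to expect before stepping through it. The x86 encodings are the standard ones noted in the comments, the wildcard gaps between instructions are a heuristic I chose, the registry-path and device-name search is ASCII only, and the SAMPLE buffer is constructed for the demonstration (it is not a real binary).

```python
import re
from typing import List, Tuple

# x86 encodings assumed: mov ebp,imm32 = BD imm32; mov ax,imm16 = B8 imm16 (with a
# 66h prefix in 32-bit code); mov si,imm16 = BE imm16; mov di,imm16 = BF imm16;
# int 3 = CC; int 41h = CD 41; cmp ax,imm16 = 3D imm16; push imm8 = 6A; push imm32 = 68.
# The ".{0,n}?" gaps allow a few unrelated bytes between the key instructions.
CODE_SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 01: BoundsChecker 'BCHK' check (mov ebp,4243484Bh ... int 3)",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    ("Method 02: SoftICE back door (mov si,4647h; mov di,4A4Dh ... int 3)",
     rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc"),
    ("Method 05: int 41h function 4Fh (mov ax,4Fh ... int 41h)",
     rb"\xb8\x4f\x00.{0,4}?\xcd\x41"),
    ("Magic value 0F386h compared against ax (weak indicator, confirm by hand)",
     rb"\x3d\x86\xf3"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in CODE_SIGNATURES]

# Methods 11 and 13 are string-based: the driver names MeltICE opens and the
# registry paths listed above (ASCII only; a UTF-16 build would need a second table).
STRING_INDICATORS: List[Tuple[str, bytes]] = [
    ("Method 11: MeltICE device name", b"\\\\.\\SICE"),
    ("Method 11: MeltICE device name", b"\\\\.\\SIWVID"),
    ("Method 11: MeltICE device name", b"\\\\.\\NTICE"),
    ("Method 13: SoftICE registry key", b"NuMega\\SoftICE"),
    ("Method 13: SoftICE registry key", b"Uninstall\\SoftICE"),
    ("Method 13: SoftICE registry key", b"App Paths\\Loader32.Exe"),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every anti-SoftICE indicator found in data."""
    hits: List[Tuple[int, str]] = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    for label, needle in STRING_INDICATORS:
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, f"{label} {needle.decode('ascii')}"))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP filler with the instruction
# sequences from the methods above embedded at known offsets.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"   # Method 01 at offset 4
    + b"\x90" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"           # Method 02, si/di at offset 22
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                    # Method 05 at 32, F386 at 37
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                        # Method 12 at offset 43
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                 # Method 11 names at 51 and 60
    + b"Software\\NuMega\\SoftICE\x00"                       # Method 13 key at offset 79
)


def scan_sample() -> List[Tuple[int, str]]:
    return scan(SAMPLE)


if __name__ == "__main__":
    for off, desc in scan_sample():
        print(f"{off:#06x}  {desc}")
```

The code signatures are deliberately narrow (exact immediates plus a short wildcard gap), so a packer that shuffles registers or splits the immediate will slip past them; the string indicators are the cheaper, more robust half of the check, and the 0F386h compare is reported separately because that immediate can occur by chance in ordinary data.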

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>