<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; BoundsChecker interface call
    cmp al, 4               ; AL still 4: nobody answered the BCHK call
    jnz SoftICE_Detected    ; AL changed: SoftICE handled it
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  (its hooked int 3) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di          ; (ES:DI stays 0000:0000 if the VxD is not loaded)
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before swapping the vector, ES must point
to segment 0 (the interrupt vector table), as in Method 06:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]       ; saving the old vector in DX:BX
    mov ax, 4Fh
    int 41h                     ; with SoftICE loaded, AX still comes back as 0F386h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret                        ; without SoftICE, AX is left untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                  ; our handler: copy AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; AL = timer value: an unpredictable function number
    xor cx, cx
    int 41h                     ; our handler should set CL = AL...
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; ...unless the interrupt never reached it
    jnz SoftICE_detected        ; (SoftICE handled int 41h itself)

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h                         ; DS:DX -> New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise), or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (ring0 only: mov eax, dr7 faults in ring3). Values can be manipulated
and changed as well (clearing BPMs for instance).
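As an added example (not part of the original text), the following Python decodes a DR7 value the way a ring-0 check of Method 10 would interpret it: it reports the LE/GE bits behind the 0x700 vs 0x400 difference quoted above and lists which of DR0..DR3 carry an armed breakpoint (BPM), with its type and length. The bit layout is the Intel one; the DR7 values and addresses fed to it are constructed here, since reading the registers themselves still needs ring 0. The mapping of 0x700 to "started from the SoftICE loader" is the page's own observation, not a hardware property.

```python
# DR7 decoder for Method 10 (added example, not from the original page).
# Bit layout per the Intel SDM: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
# bit 10 reserved (reads as 1, hence the 0x400 baseline), R/Wn in bits
# 16+4n..17+4n and LENn in bits 18+4n..19+4n.  Reading DR7 itself
# (mov eax, dr7) is privileged; the values used here are constructed.

RW_TYPES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10b (8 bytes) is 64-bit only


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Interpret DR7 (plus the DR0..DR3 addresses) as a dict."""
    info = {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "breakpoints": [],
    }
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                          # DRn is not armed
        info["breakpoints"].append({
            "reg": n,
            "addr": dr[n],
            "scope": "global" if glob else "local",
            "type": RW_TYPES[(dr7 >> (16 + 4 * n)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return info


def softice_hint(dr7):
    """Map DR7 to the two values quoted in Method 10 and to BPM presence."""
    bpms = decode_dr7(dr7)["breakpoints"]
    if bpms:
        return "%d memory breakpoint(s) armed (BPM)" % len(bpms)
    if ((dr7 >> 8) & 3) == 3:
        return "LE+GE set (0x700): started from the SoftICE loader, per the text"
    return "only the reserved bit (0x400): nothing armed, no loader"


def clear_bpms(dr7):
    """Return DR7 with every L/G enable bit cleared: the 'clearing BPMs'
    manipulation the text mentions (RW/LEN fields are left as they were)."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # 0xD0401: DR0 armed locally, type write, length 4 (constructed value)
    for v in (0x400, 0x700, 0xD0401):
        print("DR7=%#07x -> %s" % (v, softice_hint(v)))
```

Only the low byte decides whether anything is armed; a DR7 of 0x400 with junk in the RW/LEN fields is still "no breakpoints", which is exactly why clearing those eight bits is enough to disarm every BPM.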
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE', because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* The SICE VxD answers the open of its device name only if it is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* handle opened: SoftICE is loaded */
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE?
    00401074: je 00401091         ; yes: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
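As an added example (not part of the original text, nor of any tool it mentions), the following Python scanner looks for the byte patterns of the tricks above inside a binary: the 'BCHK' int 3 of Method 01, the SI/DI magic of Method 02 (and the AX function set just before it), the int 2Fh/1684h probes of Methods 03/04 (decoding the VxD ID), the int 41h/4Fh and int 68h/43h calls of Methods 05-07, the vector hijack of Method 08, the MeltICE device names of Method 11, the VxDCall of Method 12 and the registry keys of Method 13. The encodings are derived from the assembly quoted on this page (16-bit code for the DOS tricks, 32-bit for the Win32 ones); the SAMPLE buffer is constructed for the demonstration. The ring-0 VMMCall methods (09, 14) are not covered.

```python
# Static scanner for the anti-SoftICE tricks of Methods 01-08 and 11-13
# (added example, not from the original page).  Patterns are the x86
# encodings of the instruction sequences quoted above; SAMPLE is a buffer
# constructed here to exercise them.
import re
import sys

BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE (winice)", 0x7A5F: "SIWVID"}
D = re.DOTALL                           # let '.' match 0x0A bytes as well

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    (1, "BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,6}?\xCC", D)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3
    (2, "int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", D)),
    # Methods 03/04: mov ax,1684h ; mov bx,ID ; int 2Fh  (group 1 = VxD ID)
    (3, "int 2Fh/1684h VxD entry point query",
     re.compile(rb"\xB8\x84\x16\xBB(..)\xCD\x2F", D)),
    # Methods 05/06: mov ax,4Fh ; int 41h
    (5, "int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41", D)),
    # Method 07: mov ah,43h ; int 68h
    (7, "int 68h/43h debugger check", re.compile(rb"\xB4\x43\xCD\x68", D)),
    # Method 08: mov ah,25h ; mov al,01h/03h (or mov ax,2501h/2503h) ... int 21h
    (8, "int 21h/25h on vector 01h or 03h",
     re.compile(rb"(\xB4\x25\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21", D)),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE (CreateFileA or _lopen)
    (11, "MeltICE device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00", D)),
    # Method 12: push 4Fh ; push 2A002Ah ; call [VxDCall]
    (12, "VWIN32_Int41Dispatch(4Fh) via VxDCall",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", D)),
    # Method 13: the three SoftICE registry keys
    (13, "SoftICE registry key", re.compile(
        rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
        rb"(Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", D | re.IGNORECASE)),
]


def _backdoor_function(buf, at):
    """Find the last 'mov ax,09xxh' (B8 xx 09) in the 16 bytes before 'at'."""
    found = list(re.finditer(rb"\xB8(.)\x09", buf[max(0, at - 16):at], D))
    if not found:
        return "AX not set nearby"
    ax = 0x0900 | found[-1].group(1)[0]
    return "AX=%04Xh (%s)" % (ax, BACKDOOR_FUNCS.get(ax, "unknown function"))


def _vxd_id(raw):
    vid = int.from_bytes(raw, "little")
    return "VxD ID %04Xh (%s)" % (vid, VXD_IDS.get(vid, "not a SoftICE ID"))


def scan(buf):
    """Return [(offset, method, description, detail)] sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(buf):
            if method == 2:
                detail = _backdoor_function(buf, m.start())
            elif method == 3:
                detail = _vxd_id(m.group(1))
            elif method in (11, 13):
                detail = m.group(0).rstrip(b"\x00").decode("ascii", "replace")
            else:
                detail = m.group(0).hex(" ")
            hits.append((m.start(), method, desc, detail))
    return sorted(hits)


# Constructed sample: the Haspinst-style loop core (Method 02), an int 2Fh
# probe for SIWVID (Method 04), an int 41h/4Fh check (Method 05), an int 3
# vector hijack (Method 08), two MeltICE strings (Method 11), the Bleem-style
# VxDCall (Method 12) and a registry key (Method 13), padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                     # mov ax,0911h
    + b"\x8B\x17"                         # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"     # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F" # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3" # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 4
    + b"\xB4\x25\xB0\x03\xBA\x34\x12\xCD\x21"  # mov ah,25h ; mov al,3 ; mov dx,1234h ; int 21h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # push 4Fh ; push 2A002Ah ; call [..]
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc, detail in scan(data):
        print("%08X  Method %02d  %-40s %s" % (off, method, desc, detail))
```

The `.{0,8}?` slack between the magic moves and the int 3 tolerates a few interleaved instructions (the Haspinst loop has none). A packer that sets SI/DI in another order, builds them at run time or decrypts the check on the fly will slip past a static scan, which is why the BPX/BPINT conditions given with each method remain the reliable way to catch these tricks once SoftICE is loaded.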

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>