About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with ebp
holding the signature 'BCHK' and ax = 4, an int 3 is intercepted by
SoftICE, which answers the request by changing al. If SoftICE is not
loaded, nobody answers and al is still 4 after the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed
  by the program if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed beforehand; if the VxD is
loaded, the call fills ES:DI with its API entry point, so any non-zero
value afterwards means the VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE graphics (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax, 4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one puts a harmless iret handler in
the int 41h vector for the duration of the call (es must point to the
interrupt vector table at segment 0, as in Method 06): SoftICE intercepts
the interrupt before the real-mode vector is reached and still answers with
0F386h, while without a debugger the dummy handler returns with ax unchanged.

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax, 4Fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
The handler installed in the int 41h vector copies al into cl. al is first
loaded with a value read from the timer port (in al,40h) and cx is cleared.
If no debugger is present, the program's own handler runs and cl == al
afterwards; if SoftICE intercepts int 41h, our handler is never reached,
cl stays 0 and the compare fails.

int41handler PROC
    mov     cl,al               ; prove that our handler ran
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; arbitrary value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (dr7 = 0x700 if you loaded the soft with
the SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(dr0 to dr3), simply by reading their values (ring 0 only). Values can be
manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver accepts an open: SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls CreateFileA, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, execution goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the
VxDCall function), and then browses the DDB list until it finds the VxD
and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004Fh         ; function 4Fh
   push  002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
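An added example, not part of the original post, that carries the mechanism shared by Methods 01/02 (int 3 answered by the debugger, otherwise by the program's own exception handler) and Methods 05/06 (install your own int 41h handler, raise the interrupt, check whether your handler ever ran) over to a POSIX user-mode process in C. It assumes a ptrace-style debugger such as gdb receives SIGTRAP before the process and, by default, does not pass it on to the debuggee, so the handler is never reached; the names TRAP_MARKER, fire_trap and debugger_swallows_trap are chosen for this example and are not from the page.

```c
/* Added example (not from the original post): "raise the debugger's trap
 * with our own handler installed and see whether the handler ran", the
 * pattern behind Methods 01/02 and 05/06, on a POSIX x86 or other host.
 * Assumption: a ptrace-style debugger (gdb, lldb) intercepts SIGTRAP and,
 * by default, does not deliver it to the process. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* The page's 'BCHK' value, reused here only as a marker the handler writes
 * so the caller can distinguish "handler ran" from "handler never reached". */
#define TRAP_MARKER 0x4243484B

static volatile sig_atomic_t trap_marker;

static void trap_handler(int sig)
{
    (void)sig;
    trap_marker = TRAP_MARKER;      /* Method 06's "mov cl, al": we got here */
}

static void fire_trap(void)
{
#if defined(__i386__) || defined(__x86_64__)
    __asm__ __volatile__("int3");   /* the int 3 of Methods 01/02 */
#else
    raise(SIGTRAP);                 /* same signal on non-x86 hosts (assumption) */
#endif
}

/* 1 = a debugger consumed the trap (detected), 0 = our handler ran (no
 * debugger), -1 = could not install the handler. The previous handler is
 * put back afterwards, as the xchg pairs in Methods 05/06 restore the vector. */
int debugger_swallows_trap(void)
{
    struct sigaction sa, old;
    int detected;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = trap_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;

    trap_marker = 0;
    fire_trap();
    detected = (trap_marker != TRAP_MARKER);

    sigaction(SIGTRAP, &old, NULL); /* restore the old vector */
    return detected;
}

int main(void)
{
    int r = debugger_swallows_trap();
    if (r < 0) {
        perror("sigaction");
        return 2;
    }
    printf("debugger %s\n",
           r ? "detected (trap was swallowed)" : "not detected (handler ran)");
    return r;
}
```

Run it plain and it reports "not detected"; run it under gdb, let the SIGTRAP stop happen and `continue`, and it reports "detected" because gdb kept the signal. The same caveat as for Method 06 applies: a debugger told to chain the trap (`handle SIGTRAP pass` in gdb) defeats the check, so it detects default debugger behaviour, not the debugger itself.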
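An added example, not from the original post, showing what the Method 10 check actually has to decode once it has read DR7: the Intel debug-control register layout (L0-L3/G0-G3 enable bits, the LE/GE exact-breakpoint enables that make up the page's 0x700, the reserved bit 10 that gives 0x400, and the R/W and LEN fields for DR0-DR3). Reading DR7 itself needs ring 0 (mov eax, dr7), which this code does not do; the sample values are constructed: the page's 0x700 and 0x400 plus 0xD0401, a value with a 4-byte write breakpoint armed in DR0. The function and type names are chosen for this example.

```c
/* Added example (not from the original post): decoding DR7 the way a
 * ring-0 Method 10 check would, on constructed sample values. */
#include <stdint.h>
#include <stdio.h>

/* Fixed bits of DR7 (Intel SDM vol. 3, "Debug Registers") */
#define DR7_LE   (1u << 8)    /* local exact breakpoint enable  */
#define DR7_GE   (1u << 9)    /* global exact breakpoint enable */
#define DR7_RES1 (1u << 10)   /* reserved, always reads as 1    */
#define DR7_GD   (1u << 13)   /* general detect: fault on any MOV DRn */

typedef struct {
    int      armed;   /* L<n> or G<n> set: the breakpoint is live        */
    int      global;  /* G<n>: survives task switches                    */
    unsigned rw;      /* 0 exec, 1 data write, 2 I/O, 3 data read/write  */
    unsigned len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 (64-bit) */
} dr7_slot;

/* Decode the control bits of DR<n>, n = 0..3. */
dr7_slot dr7_slot_decode(uint32_t dr7, int n)
{
    dr7_slot s;
    s.global = (int)((dr7 >> (2 * n + 1)) & 1u);
    s.armed  = (int)(((dr7 >> (2 * n)) & 1u) | (unsigned)s.global);
    s.rw     = (dr7 >> (16 + 4 * n)) & 3u;
    s.len    = (dr7 >> (18 + 4 * n)) & 3u;
    return s;
}

/* How many of DR0..DR3 are live: non-zero means a hardware (BPM-style)
 * breakpoint is set, which is what Method 10 looks for. */
int dr7_armed_count(uint32_t dr7)
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        count += dr7_slot_decode(dr7, n).armed;
    return count;
}

/* The page's two observed values: 0x700 = LE|GE|reserved when started from
 * the SoftICE loader, 0x400 = reserved bit only otherwise. */
int dr7_has_exact_enables(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) != 0;
}

/* "Clearing BPMs": disarm all four slots (bits 0-7 and 16-31) and leave
 * LE/GE/GD and the reserved bit as they were. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

static const char *rw_name(unsigned rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3u];
}

static unsigned len_bytes(unsigned len)
{
    switch (len & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

void dr7_print(uint32_t dr7)
{
    int n;
    printf("DR7 = 0x%08X: exact=%d armed=%d%s\n", (unsigned)dr7,
           dr7_has_exact_enables(dr7), dr7_armed_count(dr7),
           (dr7 & DR7_GD) ? " GD" : "");
    for (n = 0; n < 4; n++) {
        dr7_slot s = dr7_slot_decode(dr7, n);
        if (s.armed)
            printf("  DR%d: %s, %u byte(s), %s\n", n, rw_name(s.rw),
                   len_bytes(s.len), s.global ? "global" : "local");
    }
}

int main(void)
{
    /* constructed samples: the page's two values, plus one with a 4-byte
     * write breakpoint armed in DR0 (L0 = 1, RW0 = 01, LEN0 = 11) */
    uint32_t samples[] = { 0x700u, 0x400u, 0xD0401u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_print(samples[i]);
    return 0;
}
```

The disarm function is the "values can be manipulated" half of Method 10: writing its result back to DR7 from ring 0 would silently kill every BPM the person tracing you has set, which is why the page warns not to trace with the option enabled.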