<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises
('BCHK' in EBP and function 04h in AX, followed by an int 3):

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL is no longer 04h if SoftICE answered the call
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0:0 when no such VxD is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps a dummy handler into the
int 41h vector first: the dummy only does an iret, so ax can still come back
as 0F386h only if something underneath the vector table (SoftICE) answered:

 mov bx, cs ; assumes ES = 0 (IVT segment), as in Method 06
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, AL is seeded from the timer port and CX is
cleared beforehand, so CL differs from AL only if something else (SoftICE)
handled the int 41h instead of the dummy handler:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
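As an added example (not from the original text), a small DR7 decoder in Python that shows what the two values quoted above actually mean: 0x700 is the always-set reserved bit 10 plus the LE and GE flags, 0x400 is the reserved bit alone, and neither carries a hardware breakpoint; the SAMPLE_BPM value is constructed here to show what one BPM-style data breakpoint looks like in DR7.

```python
"""Decode an x86 DR7 debug-control register (added example)."""

# DR7 layout (Intel SDM vol. 3): bits 0-7 = L0,G0 .. L3,G3 enable bits,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (always reads 1), bit 13 = GD,
# bits 16+4i..17+4i = R/W for DRi, bits 18+4i..19+4i = LEN for DRi.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the flag bits and the list of enabled DR0-DR3 breakpoints."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"reg": f"DR{i}", "local": local, "global": glob,
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "breakpoints": bps}


def matches_loader_signature(dr7: int) -> bool:
    """The heuristic from the text: LE and GE both set (the 0x700 case) is
    what a SoftICE-loader start leaves behind; 0x400 is a plain start."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def bpm_like_breakpoints(dr7: int) -> list:
    """Registers that look like a BPM (a data breakpoint, not an execute one)."""
    return [b["reg"] for b in decode_dr7(dr7)["breakpoints"]
            if b["kind"] != "execute"]


# Constructed value for contrast: reserved bit plus a global 4-byte write
# breakpoint on DR0 (G0=1, RW0=01b, LEN0=11b), i.e. what one BPM W looks like.
SAMPLE_BPM = 0x400 | 0x2 | (1 << 16) | (3 << 18)

if __name__ == "__main__":
    for v in (0x400, 0x700, SAMPLE_BPM):
        print(hex(v), decode_dr7(v))
```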

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; eax was -1 (HFILE_ERROR) if the open failed
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
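As an added example (not part of the original text, nor of MeltICE or any tool it mentions), here is a small static triage scanner in Python for the byte patterns and strings behind methods 01, 02, 05, 07, 11, 12 and 13 above, the kind of thing you run over a packed sample before loading it under a debugger; the SAMPLE blob is constructed, not taken from a real binary, and the regex windows (.{0,N}) are my own guesses at how far apart the instructions usually sit.

```python
"""Static triage for the SoftICE checks described above (added example)."""
import re
import sys

# Byte patterns as the tricks appear in raw code. Immediates are little-endian;
# in 32-bit code a 66h operand-size prefix sits just before these cores.
PATTERNS = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')  -> BD 4B 48 43 42
    ("M01 BoundsChecker 'BCHK' magic",        rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ('FG') ... mov di,4A4Dh ('JM') close together
    ("M02 back-door magic SI=4647h DI=4A4Dh", rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A"),
    # Methods 05/06/12: mov ax,4Fh ... int 41h, and the 0F386h reply compare
    ("M05 int 41h/4Fh debugger check",        rb"\xB8\x4F\x00.{0,24}\xCD\x41"),
    ("M05/07/12 cmp ax,0F386h",               rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ... int 68h
    ("M07 int 68h/43h check",                 rb"\xB4\x43.{0,8}\xCD\x68"),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch)
    ("M12 VxDCall VWIN32_Int41Dispatch",      rb"\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",               rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 13: the NuMega registry key
    ("M13 SoftICE registry key",              rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes) -> list:
    """Return (offset, label) pairs, sorted by offset, for every pattern hit."""
    hits = []
    for label, pat in PATTERNS:
        for m in re.finditer(pat, data, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): a 32-bit stub chaining Method 01,
# Method 05 and the Method 11 strings, with NOP padding between them.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                  # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x66\xB8\x4F\x00\xCD\x41"              # mov ax,4Fh / int 41h
    + b"\x66\x3D\x86\xF3\x74\x10"              # cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"       # "\\.\SICE", "\\.\NTICE"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(blob):
        print(f"{off:#010x}  {label}")
```

Run it with a file path to scan that file, or with no argument to see the hits on the built-in sample.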

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>