About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes the BoundsChecker interface that SoftICE exposes through int 3:
with EBP = 'BCHK' and AX = 04h, a loaded SoftICE answers the call by
modifying AL, so if AL is still 4 afterwards SoftICE is not there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is
used to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE (the initials of its two
authors).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives a
non-null entry point.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the int 41h
vector with a handler that simply returns, so that without a debugger AX
comes back unchanged; a loaded SoftICE still answers with 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT); not in the original listing but required, cf. method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect, because
it uses neither function 4Fh nor the 0F386h constant: a pseudo-random
value read from the timer port is passed in AL, and the replacement
handler copies AL to CL. If the handler ran (no debugger), CL == AL; if
the interrupt never reached it (SoftICE took it), CL is still 0. (If AL
happens to be 0 the check misses once.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in
ECX) if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (ring 0 only), you can detect whether
SoftICE is loaded (DR7 = 0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether memory breakpoints are set (DR0 to
DR3) simply by reading their values. The values can be manipulated or
changed as well (clearing BPMs, for instance).

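The two DR7 values quoted above only make sense against the register's bit layout: 0x400 is the reserved bit 10, which always reads as 1, and 0x700 adds the LE/GE bits 8 and 9; an armed memory breakpoint shows up as one of the L0..L3/G0..G3 enable bits plus its R/W and LEN fields. The following decoder is an added example (not code from the original post); the layout follows the Intel SDM, and the sample values at the bottom are constructed.

```python
# Decoder for the x86 DR7 debug-control register, added here as an example
# (not code from the original post).  Bit layout per the Intel SDM:
#   bits 0-7    L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bits 8,9    LE, GE           "exact breakpoint" flags: 0x700 - 0x400
#   bit  10     reserved, always reads as 1: the 0x400 of method 10
#   bit  13     GD               general detect: trap on MOV to/from DRn
#   bits 16+4n  R/W n (2 bits)   00 execute, 01 write, 11 read/write
#   bits 18+4n  LEN n (2 bits)   00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7):
    """Return the global flags and the list of enabled DR0..DR3 breakpoints."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                      # DRn may hold an address but is disarmed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        length = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "reg": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[length],
        })
    return info


def started_by_softice_loader(dr7):
    """Method 10's heuristic: LE and GE both set (DR7 == 0x700 with nothing
    else armed) when the program was started from the SoftICE loader."""
    return (dr7 & 0x300) == 0x300


def describe_dr7(dr7):
    """Human-readable summary, e.g. for a ring-0 dump of the debug registers."""
    d = decode_dr7(dr7)
    lines = ["DR7 = 0x%08X: LE=%d GE=%d GD=%d" % (dr7, d["le"], d["ge"], d["gd"])]
    if not d["breakpoints"]:
        lines.append("  no DR0-DR3 breakpoint armed")
    for bp in d["breakpoints"]:
        lines.append("  DR%d: %s %s breakpoint, %d byte(s)"
                     % (bp["reg"], bp["scope"], bp["kind"], bp["len"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: the two quoted in method 10, and a 4-byte
    # write breakpoint in DR0 (L0 | RW0=01 | LEN0=11 | reserved bit 10), the
    # kind of setting a memory write breakpoint on a dword produces.
    for value in (0x400, 0x700, 0x000D0401):
        print(describe_dr7(value))
```

Reading DRn is privileged, so in practice the values come from ring 0 code or a kernel-mode dump; the decoder itself only interprets the numbers.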
* V* {6 ~) R( J& V+ {3 w__________________________________________________________________________
" Y( R2 Q" N) E4 Y$ K! }) e# d  f+ w7 K# U
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the
"tICE" dword inside "Software\NuMega\SoftICE" and inside
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE".)

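The CreateFileA condition of method 11 and the _regopenkey condition above are built the same way: pick a 4-byte tag inside the expected string argument and compare the dword at that offset. The generator below is an added example, not code from the original post; it derives the 'SICE'/'SIWV'/'NTIC' tags and the 0x13/0x37 offsets from the strings themselves and can check a candidate argument against the resulting condition. "RegOpenKeyA" as the API name in the output is my choice (the post writes _regopenkey).

```python
# Builds SoftICE conditional breakpoints of the form used in methods 11 and
# 13: "*(esp->N+off)=='ABCD'" compares the dword at byte offset `off` inside
# the N-th stack argument with a 4-character tag.  Added example, not code
# from the original post.  In SoftICE's expression syntax "esp->N" is the
# dword at [esp+N], so esp->4 is the first argument of a stdcall API (the
# lpFileName of CreateFileA) and esp->8 the second (the lpSubKey of
# RegOpenKey).

def tag_conditions(strings, fixed_offset=None):
    r"""Return the distinct (byte_offset, tag) pairs that identify `strings`.

    With fixed_offset (method 11 style) every string is tagged by the 4 bytes
    found at that offset, which turns "\\.\SICE", "\\.\SIWVID" and
    "\\.\NTICE" into 'SICE', 'SIWV' and 'NTIC'.  Without it (method 13
    style) each string is tagged by its last 4 bytes, which gives one offset
    per string: 'tICE' at 0x13 and at 0x37 for the two SoftICE registry keys.
    """
    pairs = []
    for s in strings:
        off = fixed_offset if fixed_offset is not None else len(s) - 4
        if off < 0 or off + 4 > len(s):
            raise ValueError("string too short for a 4-byte tag: %r" % s)
        pair = (off, s[off:off + 4])
        if pair not in pairs:               # identical tests are emitted once
            pairs.append(pair)
    return pairs


def bpx_command(api, arg_offset, strings, fixed_offset=None):
    """Format the BPX line for `api`, whose string argument is at esp->arg_offset."""
    tests = ["*(esp->%X+0x%X)=='%s'" % (arg_offset, off, tag)
             for off, tag in tag_conditions(strings, fixed_offset)]
    return "BPX %s if %s" % (api, " || ".join(tests))


def condition_matches(candidate, pairs):
    """Evaluate the generated condition against the string an API really
    received, comparing the 4 bytes at each offset the way the breakpoint does."""
    return any(candidate[off:off + 4] == tag for off, tag in pairs)


# Driver names from method 11 and registry subkeys from method 13.
DRIVER_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
SOFTICE_KEYS = [r"Software\NuMega\SoftICE",
                r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"]

if __name__ == "__main__":
    print(bpx_command("CreateFileA", 4, DRIVER_NAMES, fixed_offset=4))
    print(bpx_command("RegOpenKeyA", 8, SOFTICE_KEYS))
    # Does the CreateFileA condition fire on a harmless file name?
    print(condition_matches(r"C:\readme.txt",
                            tag_conditions(DRIVER_NAMES, fixed_offset=4)))
```

The 4-byte tag is what keeps these conditions cheap: SoftICE evaluates them on every call to the hooked API, so one dword compare per candidate string is the difference between a usable breakpoint and the "slooooow" variants listed under method 11.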
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
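Most of the tricks above leave fixed byte sequences in the protected program: the 'BCHK' constant of method 01, the 4647h/4A4Dh magic of method 02, the VxD IDs of methods 03 and 04 next to an int 2Fh, int 41h/4Fh and the 0F386h comparison of methods 05, 07 and 12, the 002A002Ah VxDCall argument of method 12, the driver names of method 11 and the registry subkeys of method 13. The scanner below turns them into static signatures so a binary can be triaged before it is ever run under the debugger. It is an added example, not code from the original post; the machine-code encodings come from the Intel opcode map, and the sample blob at the bottom is constructed, not taken from any real program.

```python
# Static scanner for the anti-SoftICE code patterns listed above (methods
# 01-07, 11, 12 and 13).  Added example, not code from the original post.
# It searches for the byte encodings of the instructions and strings the
# text quotes; encodings follow the Intel opcode map (mov r16,imm16 = B8+r iw,
# mov ah,imm8 = B4 ib, cmp ax,imm16 = 3D iw, int n = CD n, push imm32 = 68 id).
# A 66h operand-size prefix right before a hit tells 16-bit from 32-bit code
# (e.g. "mov ebp,imm32" in a 16-bit DOS stub carries one, "cmp ax,imm16" in
# a Win32 program does too).
import re

SIGNATURES = [
    # (method, description, regex over raw bytes)
    ("01", "mov ebp,'BCHK' (BoundsChecker int 3 interface)", rb"\xBD\x4B\x48\x43\x42"),
    ("01", "mov ax,4 ; int 3",                                rb"\xB8\x04\x00\xCC"),
    ("02", "mov si,4647h ('FG') back door magic",            rb"\xBE\x47\x46"),
    ("02", "mov di,4A4Dh ('JM') back door magic",            rb"\xBF\x4D\x4A"),
    ("03", "mov bx,0202h (SICE VxD ID) ... int 2Fh",         rb"\xBB\x02\x02(?:.{0,8}?)\xCD\x2F"),
    ("04", "mov bx,7A5Fh (SIWVID VxD ID) ... int 2Fh",       rb"\xBB\x5F\x7A(?:.{0,8}?)\xCD\x2F"),
    ("05", "mov ax,4Fh ; int 41h",                           rb"\xB8\x4F\x00\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h (debugger magic number)",    rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h ; int 68h",                           rb"\xB4\x43\xCD\x68"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch)",          rb"\x68\x2A\x00\x2A\x00"),
    ("11", r"\\.\SICE device name",                          rb"\\\\\.\\SICE"),
    ("11", r"\\.\SIWVID device name",                        rb"\\\\\.\\SIWVID"),
    ("11", r"\\.\NTICE device name",                         rb"\\\\\.\\NTICE"),
    ("13", "SoftICE registry subkey",
     rb"Software\\(?:NuMega|Microsoft\\Windows\\CurrentVersion\\Uninstall)\\SoftICE"),
]


def scan(blob):
    """Return sorted hits as (offset, method, description, preceded_by_66h)."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            off = m.start()
            prefixed = off > 0 and blob[off - 1] == 0x66
            hits.append((off, method, desc, prefixed))
    hits.sort()
    return hits


def methods_found(blob):
    """Sorted list of the method labels whose signatures occur in `blob`."""
    return sorted({method for _, method, _, _ in scan(blob)})


# Constructed sample (not from any real binary): method 01 as 16-bit code,
# method 12's VxDCall sequence, a MeltICE device name, and filler bytes.
SAMPLE = (
    b"\x90" * 5
    + b"\x66\xBD\x4B\x48\x43\x42"      # mov ebp,04243484Bh (16-bit code, 66h prefix)
    + b"\xB8\x04\x00\xCC"              # mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"              # cmp al,4 ; jnz SoftICE_Detected
    + b"\x00" * 7
    + b"\x6A\x4F"                      # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"          # push 002A002Ah
    + b"\xE8\x00\x00\x00\x00"          # call Kernel32!ORD_0001
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h (32-bit code, 66h prefix)
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, method, desc, prefixed in scan(SAMPLE):
        print("%08X  method %-9s %s%s"
              % (off, method, desc, "  [66h prefix]" if prefixed else ""))
```

Run it over the whole file image (`scan(open(path, "rb").read())`); a hit is a lead, not a verdict, since three-byte patterns such as `BE 47 46` can occur by chance in data, so confirm each offset in the disassembly before drawing conclusions.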
汶上信息港 forum ( 鲁ICP备19052200号-1 ) | Powered by Discuz! X3.5