<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; al is still 4 when nothing handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax    ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap our handler into the int 41h vector
    xchg bx, es:[41h*4+2]    ; (assumes es = 0, the IVT segment)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h               ; arbitrary value (timer counter) to echo back
    xor cx,cx
    int 41h                  ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; ...unless SoftICE intercepted the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's symbolic name only succeeds if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h        ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

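The breakpoints above only work once the sample is already running under SoftICE. As an added example (not part of this document and not code from any of the programs named in it), here is a small Python scanner that looks through a binary for the instruction encodings and driver names used by Methods 01 to 12, so an analyst can see which of these checks a sample contains before tracing it. The immediates (BCHK, 4647h/4A4Dh, 1684h with 0202h/7A5Fh, 4Fh/int 41h, 43h/int 68h, 2A002Ah, the \\.\SICE names) come from the listings above; the 16-bit instruction encodings and the sample buffer are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Byte patterns for the checks described in Methods 01 to 12. The immediates
# come from the listings on this page; the 16-bit instruction encodings are an
# assumption of this example (32-bit code adds a 66h prefix but keeps the same
# trailing bytes, so the patterns still match there).
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)",    rb"\xbd\x4b\x48\x43\x42"),
    ("M02 back door function (mov ax,0910h..0914h)",    rb"\xb8[\x10-\x14]\x09"),
    ("M02 magic value (mov si,4647h)",                  rb"\xbe\x47\x46"),
    ("M02 magic value (mov di,4A4Dh)",                  rb"\xbf\x4d\x4a"),
    ("M03 VxD 0202h via int 2Fh/1684h",                 rb"\xb8\x84\x16\xbb\x02\x02"),
    ("M04 VxD 7A5Fh via int 2Fh/1684h",                 rb"\xb8\x84\x16\xbb\x5f\x7a"),
    ("M05 int 41h function 4Fh",                        rb"\xb8\x4f\x00\xcd\x41"),
    ("M07 int 68h function 43h",                        rb"\xb4\x43\xcd\x68"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 2A002Ah)", rb"\x68\x2a\x00\x2a\x00"),
]

# Driver names opened by MeltICE-style checks (Method 11), as ANSI strings.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every anti-SoftICE pattern found in blob."""
    hits = []
    for desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), desc))
    for name in DEVICE_NAMES:
        for m in re.finditer(re.escape(name), blob):
            hits.append((m.start(), "M11 device name " + name.decode("ascii")))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffer (not bytes from any real file): NOP padding around a
# Method 01 sequence, a Method 02 back door call and a MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"        # mov ebp,4243484Bh
    + b"\xb8\x04\x00"                # mov ax,4
    + b"\xcc"                        # int 3
    + b"\x3c\x04\x75\x00"            # cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xb8\x11\x09"                # mov ax,0911h
    + b"\xbe\x47\x46\xbf\x4d\x4a"    # mov si,4647h / mov di,4A4Dh
    + b"\xcc"                        # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:08x}  {desc}")
```

The patterns are deliberately short, so treat a hit as a pointer to a spot worth disassembling rather than as proof; the two Method 02 magic values, for instance, only mean something when they sit next to an int 3, which is exactly what the sample buffer above shows.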
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>