About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; assumes es = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]     ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer port: an unpredictable value
    xor     cx,cx
    int     41h                 ; our handler copies al into cl if it is reached
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name of the SoftICE VxD on Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.

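As an added example (this is not code from the original post, nor from SoftICE, MeltICE or any other tool the post names), here is a small Python scanner that turns the byte-level descriptions above into static signatures. It searches a raw binary for the opcode sequences of methods 01, 02, 03, 04, 05, 07 and 12 (the 0F386h compare) and for the MeltICE device names and registry keys of methods 11 and 13, so a packer's anti-SoftICE checks can be located before tracing into them. The SAMPLE input is hand-assembled from the listings on this page and is constructed, not taken from any real executable; the allowed gap sizes between a register load and its interrupt, and the choice of 16-bit encodings for the register loads, are assumptions.

```python
"""Static signature scanner for the anti-SoftICE tricks described above.

Added example, not part of the original post. Looks for the opcode
sequences and strings each method leaves in a DOS/Win9x binary.
"""
import re
from dataclasses import dataclass

_CODE = re.DOTALL                  # '.' must also match 0x0A inside gaps
_STR = re.DOTALL | re.IGNORECASE   # driver/registry names are case-insensitive


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    what: str


# (method number on this page, description, compiled byte regex).
# Up to 16 filler bytes are tolerated between a register setup and the
# interrupt that consumes it (assumed gap size), so interleaved instructions
# do not hide the pair. Register loads use their 16-bit encodings; in 32-bit
# code the same bytes appear behind a 66h prefix, which the regex ignores.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker signature)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", _CODE)),
    ("02", "mov si,4647h / mov di,4A4Dh (SoftICE back door magic values)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", _CODE)),
    ("03", "mov bx,0202h ... int 2Fh (SICE VxD ID)",
     re.compile(rb"\xBB\x02\x02.{0,16}?\xCD\x2F", _CODE)),
    ("04", "mov bx,7A5Fh ... int 2Fh (SIWVID VxD ID)",
     re.compile(rb"\xBB\x5F\x7A.{0,16}?\xCD\x2F", _CODE)),
    ("05", "mov ax,4Fh ... int 41h (debugger installation check)",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", _CODE)),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     re.compile(rb"\x3D\x86\xF3", _CODE)),
    ("07", "mov ah,43h ... int 68h (WinICE V86 handler)",
     re.compile(rb"\xB4\x43.{0,16}?\xCD\x68", _CODE)),
    ("11", "MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)(?:\x00|$)", _STR)),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|"
                rb"Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)", _STR)),
]


def scan(data: bytes) -> list[Hit]:
    """Return every signature hit in data, ordered by offset."""
    hits = [Hit(m.start(), method, what)
            for method, what, rx in SIGNATURES
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> list[str]:
    """Sorted, de-duplicated method labels present in data."""
    return sorted({h.method for h in scan(data)})


# Constructed sample: the page's own snippets hand-assembled (16-bit x86
# encodings unless noted), padded with NOPs, plus the strings a compiler
# would emit for methods 11 and 13. Not taken from any real executable.
NOPS = b"\x90" * 8
SAMPLE = b"".join([
    # Method 01 (32-bit code): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04" b"\x75\x10", NOPS,
    # Method 02, the Haspinst.exe loop: mov ax,0911h / mov dx,[bx] /
    # mov si,4647h / mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6 / jb
    b"\xB8\x11\x09" b"\x8B\x17" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC"
    b"\x83\xC3\x02" b"\x41" b"\x83\xF9\x06" b"\x72\xEB", NOPS,
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    b"\xB8\x4F\x00" b"\xCD\x41" b"\x3D\x86\xF3" b"\x74\x10", NOPS,
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    b"\xB4\x43" b"\xCD\x68" b"\x3D\x86\xF3" b"\x74\x10", NOPS,
    # Method 11 device names and a method 13 registry path, NUL-terminated
    b"\\\\.\\SICE\x00" b"\\\\.\\NTICE\x00" b"Software\\NuMega\\SoftICE\x00",
])
# A buffer that opens a device but has nothing to do with SoftICE.
CLEAN = NOPS * 8 + b"\\\\.\\PhysicalDrive0\x00Hello, world\x00"


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  Method {hit.method:<9} {hit.what}")
```

The scanner only sees what the page describes as fixed byte sequences: the ring-0 VMMCall tricks (methods 09, 10 and 14) and the SEH-based flow of method 02 leave no stable pattern, and the strings are matched in their 8-bit form, so an NT program storing "\\.\NTICE" as UTF-16 would need a widened pattern. Treat a hit as a place to set a breakpoint, not as proof by itself.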