About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognizes on
int 3: with EBP='BCHK' and AX=4, a loaded SoftICE answers the int 3 and
AL is no longer 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).


    xor     di,di
    mov     es,di           ; ES:DI = 0 first: it stays 0 if the VxD is absent
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di           ; ES:DI = 0 first: it stays 0 if the VxD is absent
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES = 0: the interrupt vector table is at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our own int 41h handler in the IVT,
    xchg    bx, es:[41h*4+2]    ; keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h                 ; SoftICE hooks int 41h below the IVT, so it still answers
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; without SoftICE, AX comes back unchanged (4Fh)
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al               ; our handler copies AL into CL...
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the PIT counter: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; ...so CL==AL only if our handler really ran
    jnz     SoftICE_detected    ; SoftICE swallowed the int: CL is still 0

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only).  The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
keys #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
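Most of the tricks above leave a recognizable instruction or string pattern in the protected program, which is what you look for before deciding which BPX/BPINT to set. The following C program is an added example, not code from the original text nor from any of the programs it discusses: a small static signature scanner for the checks of methods 01-05, 07, 11 and 12. The byte patterns are the plain x86 encodings of the instruction sequences quoted above (16-bit forms for the DOS methods; the method 02 pattern assumes no 66h prefix between the two moves); the `scan` function, the hit layout and the `sample` buffer are my own, and the buffer is constructed for the demonstration rather than taken from a real binary.

```c
/* Added example (not from the original text): a static signature scanner for
 * the anti-SoftICE checks of methods 01-05, 07, 11 and 12.  Run it over the
 * code/data of a protected executable to see which tricks are present and at
 * which offset before choosing the BPX/BPINT to set.  Patterns are the plain
 * x86 encodings of the instruction sequences quoted above; "sample" below is a
 * constructed buffer, not a real binary. */
#include <stdio.h>
#include <stddef.h>

#define ANY (-1)                                   /* wildcard byte */
typedef struct { const char *name; const int *pat; size_t len; } sig_t;
typedef struct { size_t off; const char *name; } hit_t;

static const int p_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };       /* mov ebp,4243484Bh ('BCHK')       */
static const int p_magic[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A }; /* mov si,4647h ; mov di,4A4Dh (16-bit) */
static const int p_sice[]    = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };       /* mov bx,0202h ; int 2Fh           */
static const int p_siwvid[]  = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };       /* mov bx,7A5Fh ; int 2Fh           */
static const int p_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };       /* mov ax,4Fh ; int 41h (16-bit)    */
static const int p_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };             /* mov ah,43h ; int 68h             */
static const int p_vxdcall[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* push 002A002Ah (Int41Dispatch)   */
static const int p_f386[]    = { 0x3D, 0x86, 0xF3 };                   /* cmp ax,0F386h (may be 66-prefixed) */
static const int p_dev_sice[]   = { '\\','\\','.','\\','S','I','C','E' };
static const int p_dev_siwvid[] = { '\\','\\','.','\\','S','I','W','V','I','D' };
static const int p_dev_ntice[]  = { '\\','\\','.','\\','N','T','I','C','E' };

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig_t sigs[] = {
    SIG("Method 01: int 3 'BCHK' BoundsChecker check",    p_bchk),
    SIG("Method 02: int 3 back door magic SI/DI",         p_magic),
    SIG("Method 03: int 2Fh/1684h VxD id 0202h (SICE)",   p_sice),
    SIG("Method 04: int 2Fh/1684h VxD id 7A5Fh (SIWVID)", p_siwvid),
    SIG("Method 05: int 41h function 4Fh",                p_int41),
    SIG("Method 07: int 68h function 43h",                p_int68),
    SIG("Method 12: VxDCall VWIN32_Int41Dispatch",        p_vxdcall),
    SIG("Methods 05/07/12: cmp ax,0F386h",                p_f386),
    SIG("Method 11: device name \\\\.\\SICE",             p_dev_sice),
    SIG("Method 11: device name \\\\.\\SIWVID",           p_dev_siwvid),
    SIG("Method 11: device name \\\\.\\NTICE",            p_dev_ntice),
};

/* Match every signature at every offset of buf[0..n).  Returns the total number
 * of matches and stores the first max_hits of them in offset order. */
size_t scan(const unsigned char *buf, size_t n, hit_t *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
            const sig_t *sg = &sigs[s];
            if (sg->len > n - off)
                continue;                       /* pattern would run past the end */
            size_t k = 0;
            while (k < sg->len && (sg->pat[k] == ANY || sg->pat[k] == buf[off + k]))
                k++;
            if (k == sg->len) {
                if (found < max_hits) { hits[found].off = off; hits[found].name = sg->name; }
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample: method 01 in 32-bit code, a 16-bit method 02 fragment,
 * a method 12 VxDCall with its 0F386h compare, and a MeltICE device name. */
static const unsigned char sample[] = {
    0x90, 0x90,                                   /* nop ; nop                          */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                 /* mov ebp,4243484Bh         (off 2)  */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,     /* mov ax,4 ; int 3 ; cmp al,4        */
    0x90, 0xB8, 0x11, 0x09,                       /* nop ; mov ax,0911h                 */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,     /* mov si,4647h (off 18) ; mov di ; int 3 */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,     /* push 4Fh ; push 002A002Ah (off 27) */
    0xFF, 0x15, 0x00, 0x20, 0x40, 0x00,           /* call [00402000]  (VxDCall)         */
    0x66, 0x3D, 0x86, 0xF3,                       /* cmp ax,0F386h             (off 39) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0  /* "\\.\SICE"                (off 42) */
};

size_t sample_hit_count(void)
{
    hit_t h[16];
    return scan(sample, sizeof sample, h, 16);
}

size_t sample_hit_offset(size_t i)     /* (size_t)-1 when there is no i-th hit */
{
    hit_t h[16];
    size_t n = scan(sample, sizeof sample, h, 16);
    return (i < n && i < 16) ? h[i].off : (size_t)-1;
}

int main(void)
{
    hit_t h[16];
    size_t n = scan(sample, sizeof sample, h, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", h[i].off, h[i].name);
    return 0;
}
```

On the constructed sample the scanner reports five hits (offsets 2, 18, 27, 39 and 42). Wildcard bytes (`ANY`) are there for patterns where an operand varies between builds; the signatures above happen to be fully literal, and a real scan of a packed executable should be run on the unpacked code, since the packer's own anti-SoftICE stub is usually the only part visible on disk.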