About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

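To make the DR7 values quoted above readable, here is an added example (not part of the original text): a small decoder for the x86 DR7 debug-control register, using the documented bit layout (L0..G3 enable bits, LE/GE at bits 8-9, GD at bit 13, R/W and LEN fields from bit 16). The sample values in the usage code are constructed for illustration; 0x400 is the baseline (bit 10 always reads as 1), 0x700 additionally has LE and GE set, and the third value shows what a 4-byte read/write BPM in DR0 looks like.

```python
# Added example: decode the x86 DR7 debug-control register so that the
# values quoted above (0x400 vs 0x700) and any memory breakpoints (BPMs)
# in DR0..DR3 become readable. Bit layout per the Intel SDM.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enable bits and the per-slot R/W and LEN fields of a DR7 value."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 2 bits from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: 2 bits from bit 18
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "le": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),   # general detect: any MOV to/from DRx traps
        "slots": slots,
    }


def describe(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Human-readable findings for a DR7 value plus the DR0..DR3 addresses."""
    d = decode_dr7(dr7)
    notes = []
    if d["le"] or d["ge"]:
        notes.append("LE/GE set: exact-breakpoint enable bits armed "
                     "(the text's DR7=0x700 case)")
    if d["gd"]:
        notes.append("GD set: any access to the debug registers will trap")
    for s in d["slots"]:
        if s["enabled"]:
            notes.append(f"DR{s['slot']} active: {s['type']} breakpoint, "
                         f"{s['length']} byte(s) at {dr0_3[s['slot']]:#010x}")
    if not notes:
        notes.append("no debug-register activity")
    return notes


if __name__ == "__main__":
    # Constructed sample values: baseline, SoftICE-loader case, and a BPM.
    bpm_dr7 = 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18)   # L0, R/W0=rw, LEN0=4
    for value, regs in ((0x400, (0, 0, 0, 0)),
                        (0x700, (0, 0, 0, 0)),
                        (bpm_dr7, (0x401000, 0, 0, 0))):
        print(f"DR7={value:#x}")
        for line in describe(value, regs):
            print("  " + line)
```

The decoder only interprets the register; reading DR0..DR7 is itself a ring-0 operation, which is why the text says this check works "in ring0 only".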
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

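The breakpoints listed for methods 01 to 13 catch these checks at run time. As an added example (not from the original text), here is the static counterpart an analyst can run offline on a suspect file: a byte-signature scanner for the instruction sequences and strings quoted in methods 01, 02, 03/04, 05, 07, 11, 12 and 13. The encodings assumed are the listed instructions assembled as 16-bit code, with an optional 66h operand-size prefix to cover the 32-bit form; the sample image is constructed inline for the demonstration.

```python
# Added example: static triage of a binary for the anti-SoftICE tricks listed
# above. Signatures are constructed from the listed instructions (16-bit
# encoding, optional 66h prefix for the 32-bit form) and the quoted strings.
import re

SIGNATURES = [
    ("01 BoundsChecker 'BCHK' int 3",                      # mov ebp,4243484Bh
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02 back door magic SI=4647h DI=4A4Dh + int 3",        # mov si / mov di / int 3
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03")),
    ("03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",      # mov ax / mov bx / int 2Fh
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05 int 41h/4Fh magic-number check",                   # mov ax,4Fh / int 41h
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    ("07 int 68h/43h WinICE handler check",                 # mov ah,43h / int 68h
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11 MeltICE driver name",                              # \\.\SICE etc.
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12 VxDCall VWIN32_Int41Dispatch",                     # push 4Fh / push 2A002Ah
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13 SoftICE registry key",                             # registry paths quoted above
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe")),
]


def scan(blob: bytes) -> list:
    """Return [(offset, trick name)] for every signature hit, ordered by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: NOP filler around instances of several tricks."""
    filler = b"\x90" * 8
    return b"".join([
        filler,
        b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",   # mov ebp,'BCHK'; mov ax,4; int 3
        filler,
        b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",           # mov ax,1684h; mov bx,202h; int 2Fh
        filler,
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",           # mov ax,4Fh; int 41h; cmp ax,0F386h
        filler,
        b"\\\\.\\SICE\x00",                            # MeltICE device name
        filler,
        b"\x6A\x4F\x68\x2A\x00\x2A\x00",               # push 4Fh; push 2A002Ah
        filler,
        b"Software\\NuMega\\SoftICE\x00",              # method 13 registry key
        filler,
    ])


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#08x}  {name}")
```

Byte signatures of this kind are a triage aid, not proof: a packer may build the magic values in registers at run time or split the sequence across jumps, which is exactly why the text pairs each trick with a conditional BPX/BPINT for dynamic confirmation.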
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>