<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE's int 3 handler: with
EBP='BCHK' and AX=4, a loaded SoftICE answers by returning AL=0, so
AL is no longer 4 after the interrupt returns.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (ASCII 'FG' and 'JM').
For more information, see Ralf Brown's Interrupt List, INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler for int 3, which
  only runs if no debugger has intercepted the interrupt.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD via int 2Fh/1684h (Get Device
API Entry Point). ES:DI is zeroed beforehand and stays 0:0 when no VxD
with that ID is loaded (or it exports no API), so a non-zero ES+DI means
SoftICE answered.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of WINICE
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h vector
(ES must address segment 0, the interrupt vector table, as Method 06 does
explicitly) at a harmless iret stub, so that without a system debugger the
call returns with AX untouched instead of crashing on a missing handler,
and restores the vector afterwards:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: the
program installs its own int 41h handler which copies AL into CL, loads AL
with an unpredictable byte read from the timer port (40h) and calls int 41h
with CX=0. If nothing intercepts int 41h, the handler runs and CL equals AL
on return; if SoftICE intercepts the interrupt itself instead of chaining to
the vector, CL stays 0. (If the timer byte happens to be 0 the check misses.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h                      ; DOS set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their values (ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
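The two DR7 values quoted above decode as follows. This is an added example, not code from the original page: it assumes the standard x86 DR7 bit layout (L0..L3/G0..G3 enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10 which always reads as 1, GD bit 13, R/W and LEN fields from bit 16) and shows why 0x400 is the idle value and 0x700 is 0x400 plus the LE/GE exact-breakpoint bits, which BPM slots are armed in a given value, and what to write back to disarm them. The function names and the sample values are this example's own; reading or writing DR7 itself (mov eax,dr7 / mov dr7,eax) needs ring0 and is not done here, the functions only work on a value already read.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded DR7 fields (standard x86 layout, see lead-in). */
typedef struct {
    int local[4];   /* L0..L3: bits 0,2,4,6 - breakpoint i enabled for this task */
    int global[4];  /* G0..G3: bits 1,3,5,7 - breakpoint i enabled globally */
    int le, ge;     /* bits 8,9: local/global exact breakpoint enable */
    int gd;         /* bit 13: general detect, traps any MOV to/from DRx */
    int rw[4];      /* bits 16+4i..17+4i: 0=exec 1=write 2=io 3=read/write */
    int len[4];     /* bits 18+4i..19+4i: 0=1 byte 1=2 bytes 2=8 bytes 3=4 bytes */
} dr7_fields;

dr7_fields dr7_decode(uint32_t dr7)
{
    dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.local[i]  = (dr7 >> (2 * i)) & 1;
        f.global[i] = (dr7 >> (2 * i + 1)) & 1;
        f.rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        f.len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* Bitmask of armed BPM slots: slot i counts when L_i or G_i is set. */
unsigned dr7_armed_slots(uint32_t dr7)
{
    unsigned mask = 0;
    for (int i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3) mask |= 1u << i;
    return mask;
}

/* The page's loader heuristic: 0x700 = reserved bit 10 + LE + GE,
 * 0x400 = reserved bit only. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* Value to write back to disarm every BPM: keep LE/GE/GD and the reserved
 * bit, drop the enable, R/W and LEN fields. Writing it requires ring0. */
uint32_t dr7_disarm_all(uint32_t dr7)
{
    return (dr7 & 0x2300u) | 0x400u;
}

int main(void)
{
    /* Constructed sample values: idle, SoftICE-loader, and loader plus a
     * 4-byte read/write BPM in slot 0 (L0=1, RW0=3, LEN0=3). */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000F0701u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_fields f = dr7_decode(samples[i]);
        printf("dr7=%08X le=%d ge=%d armed=%X slot0 rw=%d len=%d -> disarmed %08X\n",
               (unsigned)samples[i], f.le, f.ge, dr7_armed_slots(samples[i]),
               f.rw[0], f.len[0], (unsigned)dr7_disarm_all(samples[i]));
    }
    return 0;
}
```

The third sample value is what a single SoftICE BPM on a 4-byte read/write range looks like under the loader; disarming it gives 0x700 back, which is exactly the "loaded with SoftICE loader" value the text quotes, so clearing BPMs this way does not hide the loader itself.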

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
       when the SICE VxD is loaded and accepts the DIOC_OPEN message. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
inside the key #2 and key #1 strings above):
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
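The byte sequences that identify the checks from Methods 01, 02, 03/04, 05, 07, 11 and 12 inside a binary, gathered into one small static scanner, as an added example that is not code from the original page or from any tool it mentions. The opcode encodings are the standard x86 ones: Method 01 in its 32-bit form as emitted by Win32 packers, Methods 02 to 07 in their 16-bit DOS form, Method 12's push sequence and Method 11's device-name strings. The function names, the wildcard convention and both sample buffers are this example's own, and the samples are constructed here to contain those sequences; a scanner used in earnest would also want the 66h-prefixed 32-bit variants of the 16-bit sequences.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ANY 0x100   /* wildcard slot: matches any byte */

typedef struct { const char *name; const uint16_t *pat; size_t len; } sig_t;

/* Method 01 (32-bit): mov ebp,4243484Bh 'BCHK' ; mov ax,4 ; int 3 */
static const uint16_t sig_bchk[]   = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC};
/* Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; int 3 */
static const uint16_t sig_bdoor[]  = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Methods 03/04 (16-bit): mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
static const uint16_t sig_int2f[]  = {0xB8,0x84,0x16, 0xBB,ANY,ANY, 0xCD,0x2F};
/* Method 05 (16-bit): mov ax,4Fh ; int 41h */
static const uint16_t sig_int41[]  = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 07: mov ah,43h ; int 68h */
static const uint16_t sig_int68[]  = {0xB4,0x43, 0xCD,0x68};
/* Method 12 (32-bit): push 4Fh ; push 002A002Ah before VxDCall */
static const uint16_t sig_vxd41[]  = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};
/* Method 11: device names opened with CreateFileA / _lopen */
static const uint16_t sig_sice[]   = {'\\','\\','.','\\','S','I','C','E'};
static const uint16_t sig_siwvid[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const uint16_t sig_ntice[]  = {'\\','\\','.','\\','N','T','I','C','E'};

#define SIG(n, a) { n, a, sizeof(a) / sizeof((a)[0]) }
static const sig_t sigs[] = {
    SIG("01 BoundsChecker 'BCHK' int 3",        sig_bchk),
    SIG("02 back door int 3, SI=4647 DI=4A4D",  sig_bdoor),
    SIG("03/04 int 2Fh/1684h VxD entry point",  sig_int2f),
    SIG("05 int 41h/4Fh",                       sig_int41),
    SIG("07 int 68h/43h",                       sig_int68),
    SIG("12 VxDCall VWIN32_Int41Dispatch/4Fh",  sig_vxd41),
    SIG("11 MeltICE \\\\.\\SICE",               sig_sice),
    SIG("11 MeltICE \\\\.\\SIWVID",             sig_siwvid),
    SIG("11 MeltICE \\\\.\\NTICE",              sig_ntice),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

static int match_at(const uint8_t *p, size_t avail, const sig_t *s)
{
    if (avail < s->len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != ANY && p[i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan buf; bit i of the result is set when sigs[i] occurs at least once. */
unsigned scan_softice_sigs(const uint8_t *buf, size_t n)
{
    unsigned found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t i = 0; i < NSIGS; i++)
            if (!(found & (1u << i)) && match_at(buf + off, n - off, &sigs[i]))
                found |= 1u << i;
    return found;
}

const char *softice_sig_name(unsigned i) { return i < NSIGS ? sigs[i].name : NULL; }

/* Constructed sample 1: 32-bit code using Method 01, Method 12 and the
 * MeltICE device name, with unrelated instructions in between. */
static const uint8_t sample32[] = {
    0x55, 0x8B, 0xEC,                                    /* push ebp ; mov ebp,esp */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, /* 'BCHK' ; mov ax,4 ; int 3 */
    0x3C,0x04, 0x75,0x10, 0x90, 0x90,                    /* cmp al,4 ; jnz ... ; nops */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                 /* push 4Fh ; push 2A002Ah */
    0xE8,0x00,0x00,0x00,0x00, 0x66,0x3D,0x86,0xF3,       /* call ... ; cmp ax,F386h */
    'x','\\','\\','.','\\','S','I','C','E',0, 0xC3
};
/* Constructed sample 2: 16-bit DOS code using Methods 04, 05 and 07. */
static const uint8_t sample16[] = {
    0x33,0xFF, 0x8E,0xC7,                      /* xor di,di ; mov es,di */
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F, /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, /* mov ax,4Fh ; int 41h ; cmp ax,F386h */
    0xB4,0x43, 0xCD,0x68, 0xCB                 /* mov ah,43h ; int 68h ; retf */
};
const uint8_t *sample32_buf(void) { return sample32; }
size_t sample32_len(void) { return sizeof sample32; }
const uint8_t *sample16_buf(void) { return sample16; }
size_t sample16_len(void) { return sizeof sample16; }

int main(void)
{
    const uint8_t *bufs[] = { sample32, sample16 };
    size_t lens[] = { sizeof sample32, sizeof sample16 };
    for (int b = 0; b < 2; b++) {
        unsigned hits = scan_softice_sigs(bufs[b], lens[b]);
        for (unsigned i = 0; i < NSIGS; i++)
            if (hits & (1u << i))
                printf("sample%d: method %s\n", b ? 16 : 32, softice_sig_name(i));
    }
    return 0;
}
```

The immediates are what make these sequences distinctive ('BCHK', 4647h/4A4Dh, 1684h, 4Fh with int 41h, 002A002Ah, the \\.\ device names); the VxD ID after mov bx is wildcarded so that both the SICE (0202h) and SIWVID (7A5Fh) variants of Methods 03/04 hit the same entry. Methods 09, 10 and 14 are ring0 VMM calls and Method 13 is a registry lookup, so they have no fixed byte pattern worth matching here.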
</PRE></TD></TR></TBODY></TABLE>