About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker interface signature)
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
! j( {0 f8 [& H* v- h3 H8 J7 @
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES=0: the IVT lives at 0000:0000
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________
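An added example, not part of the original article: a static byte-signature scanner for the stubs shown in Methods 01, 02, 03/04, 05, 07, 11 and 12 above, so an analyst can flag a sample that carries one of these SoftICE checks before running it. The opcode encodings are assumed from the instruction forms shown in the text (a 0x66 operand-size prefix is tolerated where a 16-bit stub may sit inside 32-bit code), and the sample buffer is constructed by hand, not a real file.

```python
import re
from typing import List, Tuple


def _device_names() -> bytes:
    # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE" as they sit in a binary
    return b"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))


# (label, regex over raw bytes). Encodings are assumed from the listings above.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3",            # mov ebp,4243484Bh
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("M02 int 3 back door magic SI/DI",           # mov si,4647h / mov di,4A4Dh, any order
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46", re.DOTALL)),
    ("M03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh",   # mov ax,1684h / mov bx,ID / int 2Fh
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("M05 int 41h/4Fh debugger check",            # mov ax,4Fh / int 41h
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    ("M07 int 68h/43h check",                     # mov ah,43h / int 68h (4 bytes: noisy)
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("M11 MeltICE device name",                   # NUL-terminated driver path string
     re.compile(rb"(?:" + _device_names() + rb")\x00")),
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",      # push 4Fh / push 2A002Ah
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan_for_softice_checks(blob: bytes) -> List[Tuple[int, str]]:
    """Return sorted (offset, label) hits for every signature found in blob."""
    hits: List[Tuple[int, str]] = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan_for_softice_checks(f.read())


# Constructed sample: stubs from the listings above, hand-assembled and
# separated by NOP padding. Not a real executable.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCD\x03\x3C\x04\x75\x10"  # Method 01 (32-bit)
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"  # Method 02 (Haspinst)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                      # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                               # Method 11 string
)

if __name__ == "__main__":
    for off, label in scan_for_softice_checks(SAMPLE):
        print(f"{off:#06x}  {label}")
```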

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>