<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
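As an added example (not part of the original text or its author's code), here is a small static triage scanner that flags the byte patterns the methods above leave behind in a binary, so an analyst knows which trick to expect before tracing. The x86 encodings and the sample buffer are my own assumptions, built from the immediates quoted in the methods.

```python
"""Static triage for the anti-SoftICE tricks catalogued above (added example).

Encodings assumed (standard x86): B8+r imm (mov reg,imm), B4 imm8 (mov ah,imm8),
CD xx (int xx), CC (int 3), 6A/68 imm8/imm32 (push). Immediates are little-endian;
a 66h operand-size prefix in 32-bit code does not break the matches.
"""
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BCHK/BoundsChecker int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh before the back-door int 3
    ("02 back-door int 3 (SI=4647h DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("05 int 41h/4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11: MeltICE-style device names passed to CreateFileA or _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: NuMega registry key
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(image: bytes):
    """Return (offset, label) pairs, sorted by offset, for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        hits.extend((m.start(), label) for m in pattern.finditer(image))
    return sorted(hits)


# Constructed sample: NOP filler plus a few of the sequences quoted above.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # method 03
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # method 12
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"      # methods 11, 13
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```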
</PRE></TD></TR></TBODY></TABLE>