<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with the 'BCHK'
signature in EBP and AX=4, an int 3 that comes back with AL changed means
SoftICE answered it.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point): if ES:DI comes back non-zero, the VxD is present.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily points the int 41h vector
at a dummy handler so that, without a debugger, AX keeps its value:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; assumes ES = 0 (interrupt vector table),
    xchg bx, es:[41h*4+2]    ; set up explicitly in Method 06
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL, so if SoftICE has taken over int 41h
the handler never runs and CL (zeroed beforehand) no longer matches AL.

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
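
To make the values quoted above concrete, here is an added example (not
part of the original text) that decodes a DR7 value into its armed hardware
breakpoints and control bits. The bit layout is the documented x86 one; the
0x700 and 0x400 values are the text's, the 0xF0401 sample and the helper
names (decode_dr7, looks_like_softice_loader, describe) are constructed here.

```python
"""Decode an x86 DR7 value to see what a debug-register check (Method 10)
actually reveals.

Added example, not part of the original text. The bit layout is the
documented x86 one: L0..L3/G0..G3 enables in bits 0-7, LE/GE in bits 8-9,
bit 10 reserved and always read as 1, GD in bit 13, then R/Wn in bits
16+4n and LENn in bits 18+4n for breakpoints 0-3. The 0x700 and 0x400
values are the ones quoted in the text; 0xF0401 is constructed here.
"""

# R/W field: 10 means an I/O breakpoint only when CR4.DE is set.
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io (CR4.DE)", 0b11: "read/write"}
# LEN field: 10 means 8 bytes in 64-bit mode and is undefined in 32-bit mode.
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints and the global control bits of DR7."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                      # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n,
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 & (1 << 8)),       # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),       # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),      # general detect: trap on debug-register access
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: the SoftICE loader leaves LE and GE set (0x700),
    while an unloaded system shows only the reserved bit (0x400)."""
    return (dr7 & 0x300) == 0x300


def describe(dr7: int) -> str:
    """One-line summary, for the reader running this by hand."""
    d = decode_dr7(dr7)
    armed = ", ".join(f"DR{b['index']}:{b['kind']}/{b['length']}B"
                      for b in d["breakpoints"]) or "none"
    return f"DR7={dr7:#x} armed=[{armed}] LE={d['LE']} GE={d['GE']} GD={d['GD']}"


if __name__ == "__main__":
    for value in (0x700, 0x400, 0xF0401):
        print(describe(value))
```

0x700 is bit 10 (reserved, reads as 1) plus LE and GE: the loader turns on
exact-breakpoint reporting without arming DR0-DR3, and that alone is what a
ring-0 check spots; 0x400 is the bare reserved bit. 0xF0401 is what a 4-byte
read/write BPM on DR0 looks like, i.e. the second thing the text says such a
check can see.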
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
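
The methods above share a handful of constant immediates and strings (the
'BCHK' signature, the 4647h/4A4Dh magic values, 1684h with the 0202h/7A5Fh
VxD IDs, 4Fh and 0F386h, the \\.\SICE device names, the registry paths).
Here is an added example, not part of the original text, that encodes them
as byte patterns and reports which of the methods a binary appears to use,
the kind of static triage an analyst runs before stepping through a protected
program. The opcode encodings are standard x86 (16-bit for the DOS snippets,
32-bit for the Win32 ones); the SIGNATURES table, the scan/methods_found
helpers and the SAMPLE blob are constructed here, and only ANSI strings are
matched, as the text's code uses CreateFileA and _lopen.

```python
"""Static triage for the SoftICE-detection idioms catalogued in this text.

Added example, not part of the original text. Each signature is a regex
over raw bytes built from the constant immediates and strings the methods
rely on; the opcode encodings assumed are standard x86 (B8+r = MOV reg,imm;
CC = INT 3; CD xx = INT xx; 3D = CMP AX/EAX,imm; 6A/68 = PUSH imm8/imm32),
16-bit for the DOS snippets and 32-bit for the Win32 ones. SAMPLE is a
hand-assembled blob constructed here for demonstration.
"""
import re

SIGNATURES = [
    # Method 01: MOV EBP,'BCHK' (BD 4B 48 43 42, 66-prefixed in 16-bit code) then INT 3 nearby.
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: MOV SI,4647h / MOV DI,4A4Dh (BE 47 46 / BF 4D 4A) before INT 3.
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: MOV AX,1684h / MOV BX,0202h or 7A5Fh / INT 2Fh.
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: MOV AX,4Fh / INT 41h ... CMP AX,0F386h (3D 86 F3); the vector-swap
    # variant puts two xchg instructions (10 bytes) between INT 41h and the compare.
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # Method 07: MOV AH,43h / INT 68h.
    ("07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened with CreateFileA or _lopen (ANSI only).
    ("11 MeltICE driver names", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: PUSH 4Fh / PUSH 002A002Ah (VWIN32_Int41Dispatch) ... CMP AX,0F386h (66 3D 86 F3).
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66\x3D\x86\xF3", re.S)),
    # Method 13: the registry paths listed in the text.
    ("13 SoftICE registry keys",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(blob: bytes) -> list:
    """Return one hit per signature match: method label, file offset, matched bytes."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append({"method": label, "offset": m.start(), "bytes": m.group(0)})
    hits.sort(key=lambda h: h["offset"])
    return hits


def methods_found(blob: bytes) -> list:
    """Distinct method labels, in order of first appearance in the blob."""
    seen = []
    for hit in scan(blob):
        if hit["method"] not in seen:
            seen.append(hit["method"])
    return seen


# Constructed sample: a few of the text's snippets assembled by hand, padded with NOPs.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    + b"\x90" * 6
    # Method 02 (16-bit): mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 6
    # Method 03 (16-bit): xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    + b"\x90" * 6
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit['offset']:#06x}  {hit['method']}  {hit['bytes'].hex(' ')}")
```

The wildcards between the fixed bytes are kept short on purpose: a protector
that interleaves junk instructions will slip past them, so treat a hit as a
pointer to where to start reading, not as proof, and a miss as nothing at all.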
</PRE></TD></TR></TBODY></TABLE>