About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 so that es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; int 21h/25h: set interrupt vector
    mov     al, 01h                    ; Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine ; ds:dx -> new routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the VxD by its device name: only succeeds when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
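The methods above all leave fixed byte-level markers in a protected executable: the 'BCHK' constant (Method 01), the SI=4647h/DI=4A4Dh magic values in front of an int 3 (Method 02), the VxD IDs 0202h/7A5Fh before an int 2Fh (Methods 03/04), the 0F386h magic number compared against ax (Methods 05/12), int 41h/4Fh and int 68h/43h (Methods 05, 06, 07), the "\\.\SICE"/"\\.\SIWVID"/"\\.\NTICE" device names (Method 11) and the registry keys of Method 13. The following static triage script is an added example, not part of the original text or of any of the tools it mentions: it scans a raw binary for those markers so that an analyst knows in advance which of the tricks (and therefore which of the breakpoints listed above) a given packer uses. The byte patterns are an assumption of this example, built from the register values and constants the text gives using the standard x86 encodings (B8+r iw for mov r16,imm16 with B8=ax, BB=bx, BE=si, BF=di; B4 ib for mov ah,imm8; BD id for mov ebp,imm32; 3D iw for cmp ax,imm16; CC for int 3; CD ib for int n). The sample binary is constructed inline from the HASP listing of Method 02 plus a few of the other sequences.

```python
"""Static triage for the anti-SoftICE markers described in the text above.

Added example, not code from the original text. Patterns assume the usual
x86 encodings named in the lead-in; the sample blob is constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Indicator:
    method: str      # method number(s) in the text above
    name: str
    regex: re.Pattern


def _device(name: bytes) -> bytes:
    # "\\.\NAME" exactly as it is stored in the binary: two backslashes, dot, backslash
    return re.escape(b"\\\\.\\" + name)


INDICATORS: List[Indicator] = [
    Indicator("01", "BoundsChecker 'BCHK' constant 4243484Bh (little-endian immediate)",
              re.compile(rb"\x4B\x48\x43\x42")),
    Indicator("02", "int 3 back door magic values si=4647h / di=4A4Dh",
              re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                         rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.DOTALL)),
    Indicator("03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID in bx",
              re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.DOTALL)),
    Indicator("05/12", "cmp ax, 0F386h (system-debugger magic number)",
              re.compile(rb"\x3D\x86\xF3")),
    Indicator("05/06", "mov ax,4Fh followed by int 41h",
              re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    Indicator("07", "mov ah,43h followed by int 68h",
              re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    Indicator("11", "SoftICE device name used with CreateFileA/_lopen (MeltICE)",
              re.compile(b"|".join(_device(n) for n in (b"SICE", b"SIWVID", b"NTICE")))),
    Indicator("13", "SoftICE registry key",
              re.compile(b"|".join(re.escape(k) for k in (
                  b"Software\\NuMega\\SoftICE",
                  b"Uninstall\\SoftICE",
                  b"App Paths\\Loader32.Exe")), re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every marker found, sorted by offset."""
    hits = []
    for ind in INDICATORS:
        for m in ind.regex.finditer(blob):
            hits.append((m.start(), ind.method, ind.name))
    return sorted(hits)


def methods_found(blob: bytes) -> List[str]:
    """Distinct method numbers (as labelled in the text) whose markers occur in blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: the HASP int 3 sequence of Method 02 encoded as bytes, a
# 'mov ebp, 4243484Bh' (Method 01), a 'cmp ax, 0F386h' (Method 05/12) and the
# MeltICE device name (Method 11), separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"          # mov ax, 0911h       (offset 8)
    + b"\x8B\x17"              # mov dx, [bx]
    + b"\xBE\x47\x46"          # mov si, 4647h       (offset 13)
    + b"\xBF\x4D\x4A"          # mov di, 4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"  # mov ebp, 4243484Bh  ('BCHK' at offset 29)
    + b"\x3D\x86\xF3"          # cmp ax, 0F386h      (offset 33)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"       # "\\.\SICE"          (offset 44)
)

# Constructed clean blob: no marker should be reported for it.
CLEAN = b"\x90" * 32 + b"Hello, world\x00"


if __name__ == "__main__":
    for offset, method, name in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {method:<5} {name}")
```

Short sequences such as `cmp ax, 0F386h` can of course occur by chance in unrelated code, so treat a single hit as a lead to confirm under the debugger with the corresponding breakpoint from the text, while several hits of different methods in one file are a strong sign of a protector that uses this family of checks.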