<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE services the BCHK call and alters al
    cmp al, 4
    jnz SoftICE_Detected    ; al unchanged only when nothing answered the int 3
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0000:0000 means no such VxD is loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 so that es:[41h*4] addresses the IVT entry (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own int 41h handler into the vector table...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector afterwards
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone; a resident debugger answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al              ; copy al into cl so the caller can tell this handler ran
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter: a hard-to-predict value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler really got control
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* open the SICE VxD by its device name; this only succeeds when the driver is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) when the open fails
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>