<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3               ; SoftICE's BoundsChecker interface answers in AL
cmp al,4            ; AL still 4 -> nobody handled the call
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call.(if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h   ; VxD ID of winice
int 2Fh
mov ax, es      ; ES:DI -> VxD API entry point (left 0:0 if no such VxD)
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh   ; VxD ID of SIWVID
int 2fh
mov ax, es      ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]     ; install a dummy int 41h handler (ES must be 0 here,
xchg bx, es:[41h*4+2]   ; as in Method 06), saving the old vector in BX:DX
mov ax,4fh
int 41h
xchg dx, es:[41h*4]     ; restore the old vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h          ; a system debugger still answered with the magic number
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC       ; replacement int 41h handler: copies AL into CL
mov cl,al
iret
int41handler ENDP

xor ax,ax
mov es,ax               ; ES = 0 -> interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]     ; install our handler, keep the old vector in BX:DX
xchg bx, es:[41h*4+2]
in al, 40h              ; read a hard-to-predict value (PIT counter)
xor cx,cx
int 41h                 ; our handler should copy AL into CL...
xchg dx, es:[41h*4]     ; restore the old vector
xchg bx, es:[41h*4+2]
cmp cl,al               ; ...unless a system debugger handled int 41h itself
jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

mov ah, 25h                     ; DOS: set interrupt vector
mov al, Int_Number              ; 01h or 03h
mov dx, offset New_Int_Routine  ; ds:dx -> new handler
int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(
-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00                 ; OF_READ
mov eax,[00656634]      ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax                 ; HFILE_ERROR (-1) becomes 0
jnz 00650589            ; detected
push 00                 ; OF_READ
mov eax,[00656638]      ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

push 0000004fh          ; function 4fh
push 002a002ah          ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
call Kernel32!ORD_001   ; VxdCall
cmp ax, 0f386h          ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:
BPINT 41 if ax==4f
BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f  ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

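Added example (mine, not code from the original document nor from the authors of the tricks it describes): a small static triage scanner, written from the analyst's side, that flags the byte patterns and strings of the tricks listed above (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a file, so a sample can be checked for these debugger checks before it is run under a debugger. The opcode encodings and the filler tolerances are my own assumptions (hand-assembled from the page's listings, in the page's instruction order; a packer that reorders the instructions or computes the immediates at run time will not match), and the input blob is constructed.

```python
import re
from typing import List, Tuple

# Added example, not part of the original document. Opcode encodings are
# hand-assembled by me from the page's assembly listings (16-bit and 32-bit
# code share the bytes that matter; immediates are little-endian):
#   mov ebp,imm32 = BD imm32     mov ax,imm16 = B8 imm16 (66 B8 in 32-bit code)
#   mov bx,imm16  = BB imm16     mov si,imm16 = BE imm16   mov di,imm16 = BF imm16
#   mov ah,imm8   = B4 imm8      int 3 = CC                int n = CD n
#   cmp al,imm8   = 3C imm8      cmp ax,imm16 = 3D imm16
#   push imm8     = 6A imm8      push imm32 = 68 imm32
# Each pattern follows the instruction order shown on the page and tolerates a
# few filler bytes between the key instructions (re.DOTALL so '.' matches 0x0A).
OPCODE_SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("Method 01: mov ebp,'BCHK' / int 3 / cmp al,4",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc\x3c\x04", re.DOTALL)),
    ("Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door command)",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL)),
    ("Method 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                re.DOTALL)),
    ("Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xb8\x4f\x00\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL)),
    ("Method 07: mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xb4\x43\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL)),
    ("Method 12: push 4Fh / push 002A002Ah / VxDCall",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
                re.DOTALL)),
]

# Method 11 (MeltICE) device names and Method 13 registry paths, as on the page.
STRING_SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 11: device name", b"\\\\.\\SICE"),
    ("Method 11: device name", b"\\\\.\\SIWVID"),
    ("Method 11: device name", b"\\\\.\\NTICE"),
    ("Method 13: registry key", b"Software\\NuMega\\SoftICE"),
    ("Method 13: registry key", b"Uninstall\\SoftICE"),
    ("Method 13: registry key", b"App Paths\\Loader32.Exe"),
]


def _find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every anti-SoftICE indicator found,
    sorted by offset. Strings are checked both as ASCII and as UTF-16LE."""
    hits: List[Tuple[int, str]] = []
    for label, pattern in OPCODE_SIGNATURES:
        hits.extend((m.start(), label) for m in pattern.finditer(data))
    for label, needle in STRING_SIGNATURES:
        text = needle.decode("ascii")
        for encoded in (needle, text.encode("utf-16-le")):
            hits.extend((off, f"{label} {text}") for off in _find_all(data, encoded))
    return sorted(set(hits))


# Constructed sample (not a real binary): Method 01 code, a MeltICE device
# name, a Method 03 int 2Fh check and a Method 13 registry path, with filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"   # mov ebp, 04243484Bh ('BCHK')   -> offset 4
    + b"\x66\xb8\x04\x00"       # mov ax, 04h
    + b"\xcc"                   # int 3
    + b"\x3c\x04"               # cmp al, 4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"                      -> offset 24
    + b"\x00" * 3
    + b"\xb8\x84\x16"           # mov ax, 1684h                   -> offset 36
    + b"\xbb\x02\x02"           # mov bx, 0202h (SICE VxD ID)
    + b"\xcd\x2f"               # int 2Fh
    + b"Software\\NuMega\\SoftICE\x00"  # registry path            -> offset 44
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"0x{offset:04x}  {what}")
```

To triage a real file, call scan() on its raw bytes (scan(open(path, "rb").read())); each hit gives the file offset to look at in a disassembler. The patterns are deliberately loose about filler bytes but strict about the immediates (the 'BCHK' constant, the VxD IDs 0202h/7A5Fh, the 0F386h magic number, the 002A002Ah service code), since those are what the tricks cannot do without.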
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>