<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (If SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of WinICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es must address segment 0 (the IVT), as in Method 06
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
 mov cl,al ; our own handler: copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es -> segment 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our int 41h handler, save the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; al = unpredictable value read from the timer port
 xor cx,cx
 int 41h ; if SoftICE swallows the call, cl stays 0
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

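The following is an added example, not part of the original text: it decodes a DR7 value the way the check in Method 10 reads it, so you can see why 0x700 (LE and GE set, nothing armed) and 0x400 (only the always-set reserved bit) are told apart, and why any L/G enable bit means a BPM is armed. The field layout follows the Intel SDM; the result labels are my own.

```python
# Added example (not from the original text): decode a DR7 value the way the
# check in Method 10 reads it. Field layout per the Intel SDM:
#   bits 0-7   L0,G0 .. L3,G3   local/global enable for breakpoints 0-3
#   bit 8/9    LE/GE            exact breakpoint match flags
#   bit 10     reserved, reads as 1 (hence the constant 0x400)
#   bit 13     GD               general detect (traps MOV DRn)
#   bits 16-31 R/Wn, LENn       condition and length, 4 bits per breakpoint

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes on 64-bit CPUs


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoints plus the LE, GE and GD flags of DR7."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"index": n, "local": local, "global": glob,
                        "type": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {"breakpoints": bps,
            "le": bool((dr7 >> 8) & 1),
            "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1)}


def classify_dr7(dr7: int) -> str:
    """The decision Method 10 draws from DR7 (labels are mine, not the text's)."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "BPM armed"             # dr0-dr3 hold SoftICE memory breakpoints
    if info["le"] and info["ge"]:
        return "SoftICE loader"        # 0x700: LE and GE set, nothing armed
    return "clean"                     # 0x400: only the reserved bit


if __name__ == "__main__":
    for value in (0x700, 0x400, 0x400 | 0x2 | (1 << 16) | (3 << 18)):
        print(f"dr7={value:#x}: {classify_dr7(value)}")
```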
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

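The signature scanner below is an added example, not part of the original text nor of any tool it mentions: it hunts a raw buffer for the byte patterns of the checks from Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, which is how an analyst triages a packer for these tricks before stepping into it with a debugger. The opcode encodings are standard x86 (the 16-bit forms shown in the listings); the SAMPLE buffer and the signature names are constructed for the demo.

```python
import re

# Byte signatures for the checks shown in Methods 01-05, 07, 11, 12 and 13.
# Immediates are little-endian; the mov reg16,imm16 forms (B8/BB/BE/BF) are
# the 16-bit encodings used in the listings above, and 'mov ebp,imm32'
# (BD + imm32) matches with or without a 66h operand-size prefix in front.
# Short lazy gaps (.{0,8}?) tolerate a few instructions between the pieces;
# the 3-byte 'cmp ax,0F386h' pattern is weak on its own and is best read
# together with a neighbouring int 41h/68h or VxDCall hit.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,4}?\xB8\x04\x00.{0,2}?\xCC"),
    ("M02 backdoor magic SI=4647h/DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("M05 int 41h function 4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M05/07/12 cmp ax,0F386h magic", rb"\x3D\x86\xF3"),
    ("M07 int 68h function 43h", rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("M12 push 002A002Ah (VWIN32_Int41Dispatch)", rb"\x68\x2A\x00\x2A\x00"),
    ("M13 NuMega registry key", re.escape(rb"Software\NuMega\SoftICE")),
] + [("M11 device name " + n, re.escape(b"\\\\.\\" + n.encode()))
     for n in ("SICE", "SIWVID", "NTICE")]

COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes):
    """Return sorted (offset, signature name) pairs for every hit in the buffer."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP filler, a Method 01 check
# in its 16-bit form, a Method 03 lookup, then the MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh  ('BCHK')
    + b"\xB8\x04\x00\xCC"           # mov ax,4 / int 3
    + b"\x3C\x04\x75\x10"           # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7"           # xor di,di / mov es,di
    + b"\xB8\x84\x16\xBB\x02\x02"   # mov ax,1684h / mov bx,0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"            # "\\.\SICE", as passed to CreateFileA
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```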
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>