About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI = 0:0 means the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler (es = 0, the IVT)
    xchg    bx, es:[41h*4+2]        ; and save the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; a real debugger still answers 0F386h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es -> IVT (segment 0)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    in      al, 40h                 ; random byte from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger serviced int 41h first
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
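As an added example that is not part of the original text, here is the defender-side counterpart of the SoftICE breakpoints given above: a Python scanner that looks for the byte patterns the listings assemble to, so a packed sample can be triaged for these tricks before it is run under a debugger. The opcode encodings, the gap tolerance and the sample image are my assumptions (the sample is constructed), and the patterns are written from the listings above rather than from any real packer.

```python
"""Static triage for the anti-SoftICE tricks listed above (added example).

Scans a raw binary image for the byte patterns the listings assemble to and
reports which method each hit corresponds to.  Patterns follow the listings,
not any real packer; real protectors may reorder or obfuscate them.
"""
import re

# Opcode encodings assumed (16-bit code; an optional 66h prefix covers the
# 32-bit form of 'mov ax,imm16'):
#   B8/BB/BE/BF imm16 = mov ax/bx/si/di,imm16      BD imm32 = mov ebp,imm32
#   B4 imm8 = mov ah,imm8   3C imm8 = cmp al,imm8   3D imm16 = cmp ax,imm16
#   CC or CD 03 = int 3     CD xx = int xx
INT3 = rb"(?:\xcc|\xcd\x03)"
GAP = rb".{0,12}?"  # tolerate a few unrelated bytes between the anchors

def _devices(*names: bytes) -> bytes:
    # Literal "\\.\NAME" device paths opened by MeltICE-style checks (Method 11).
    return b"|".join(re.escape(b"\\\\.\\" + n) for n in names)

SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3 check":
        rb"\xbd\x4b\x48\x43\x42" + GAP + INT3 + GAP + rb"\x3c\x04",
    "02 int 3 backdoor (SI=4647h, DI=4A4Dh)":
        rb"\xbe\x47\x46" + GAP + rb"\xbf\x4d\x4a" + GAP + INT3,
    "03 int 2Fh/1684h, SICE VxD ID 0202h":
        rb"\xb8\x84\x16" + GAP + rb"\xbb\x02\x02" + GAP + rb"\xcd\x2f",
    "04 int 2Fh/1684h, SIWVID VxD ID 7A5Fh":
        rb"\xb8\x84\x16" + GAP + rb"\xbb\x5f\x7a" + GAP + rb"\xcd\x2f",
    "05 int 41h/4Fh magic 0F386h":
        rb"\xb8\x4f\x00" + GAP + rb"\xcd\x41" + GAP + rb"\x3d\x86\xf3",
    "07 int 68h/43h magic 0F386h":
        rb"\xb4\x43" + GAP + rb"\xcd\x68" + GAP + rb"\x3d\x86\xf3",
    "11 MeltICE device name": _devices(b"SICE", b"SIWVID", b"NTICE"),
    "13 NuMega registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED.items() for m in rx.finditer(blob)]
    return sorted(hits)

# Constructed sample image (not from any real file): the Method 01 check, the
# Method 03 check and a MeltICE device string, wrapped in NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"  # mov ebp,04243484Bh   ; 'BCHK'
    + b"\x66\xb8\x04\x00"      # mov ax,04h  (32-bit form, 66h prefix)
    + b"\xcc"                  # int 3
    + b"\x3c\x04"              # cmp al,4
    + b"\x75\x10"              # jnz SoftICE_Detected
    + b"\x90" * 3
    + b"\xb8\x84\x16"          # mov ax,1684h
    + b"\xbb\x02\x02"          # mov bx,0202h  ; VxD ID of winice
    + b"\xcd\x2f"              # int 2Fh
    + b"\x00" + b"\\\\.\\SICE" + b"\x00"
    + b"\x90" * 2
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:08x}  Method {name}")
```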