About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature interface in SoftICE: with 'BCHK' in
ebp and ax=4, an int 3 that SoftICE handles alters al, so if al is still 4
afterwards the debugger is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point"): if the VxD is loaded, ES:DI comes back
as a non-zero entry point, otherwise it stays 0:0.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es = 0 (the IVT segment) is assumed here
    xchg    bx, es:[41h*4+2]        ; install a dummy int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; only a debugger hooking int 41h can set this
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a "random" value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our own handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

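To make sense of the two DR7 values quoted above, here is an added example (not from the original post) that decodes a DR7 value by the bit layout documented in the Intel manuals: 0x400 is bit 10, a reserved bit that always reads as 1, so it is what a clean system shows; 0x700 additionally has LE and GE (bits 8 and 9) set; and a memory breakpoint (BPM) shows up as one of the L0..L3/G0..G3 enable bits together with its R/W and LEN fields. The function names and sample values are the example's own; actually reading DR7 needs ring 0 and is not part of this snippet.

```python
# Decode an x86 DR7 value the way a ring-0 check (method 10) would see it.
# Added example, not from the original post. Bit layout (Intel SDM):
#   bits 0-7    L0,G0 .. L3,G3  local/global enable for slots 0..3
#   bits 8, 9   LE, GE          "exact" breakpoint flags
#   bit 10      reserved, reads as 1 (the 0x400 seen on a clean system)
#   bit 13      GD              general detect (traps MOV to/from DRx)
#   bits 16+4n  R/Wn (2 bits)   0=execute 1=write 2=I/O 3=read/write
#   bits 18+4n  LENn (2 bits)   0=1 byte 1=2 bytes 2=8 bytes 3=4 bytes

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # the LEN encoding is not linear


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the enabled breakpoint slots encoded in DR7."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # slot n is disabled
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def bpm_dr7(slot: int, kind: str, length: int, base: int = 0x400) -> int:
    """DR7 value with one data breakpoint armed in `slot` (what a BPM looks like)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


def looks_like_softice_loader(dr7: int) -> bool:
    """The post reports dr7==0x700 under the SoftICE loader: LE and GE both set."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


if __name__ == "__main__":
    for value in (0x400, 0x700, bpm_dr7(0, "write", 4)):
        print(hex(value), decode_dr7(value))
```

A program that reads DR7 only sees these bits; clearing a BPM from ring 0, as the text mentions, amounts to clearing the slot's enable bit.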
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the device opened: the SoftICE VxD is loaded */
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; eax was -1 (HFILE_ERROR) if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


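Methods 01 through 13 all boil down to a handful of fixed instruction sequences and strings, so a static scan of a binary for those sequences is a cheap way to flag a protected program before it ever runs under the debugger, and it is the kind of check that signature scanners apply. The following Python script is an added example, not part of the original post nor of any tool it mentions. Its byte patterns are the usual x86 encodings of the instructions listed above (16-bit form for the DOS tricks, 32-bit form with the 0x66 operand-size prefix for the Win32 ones, both accepted where they differ) with a small wildcard gap between instructions; the rule names, the `scan` function and the constructed `SAMPLE` buffer are the example's own.

```python
"""Static scanner for the SoftICE detection idioms in this post.

Added example (not from the original post). Each rule is the x86 byte
encoding of one trick; `.{0,n}?` allows a few unrelated bytes between the
instructions, and an optional 0x66 prefix covers 16-bit operands in 32-bit code.
"""
import re
import sys

# (method number in the post, rule name, regex over raw bytes)
RULES = [
    ("01", "bchk_int3",
     rb"\xbd\x4b\x48\x43\x42.{0,12}?\xcc"),                 # mov ebp,'BCHK' .. int 3
    ("02", "int3_backdoor_magic",
     rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a"),  # mov si,4647h .. mov di,4A4Dh
    ("03/04", "int2f_1684_vxd_id",
     rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),  # ax=1684h, bx=SICE|SIWVID, int 2Fh
    ("05", "int41_4f",
     rb"\xb8\x4f\x00.{0,16}?\xcd\x41"),                     # mov ax,4Fh .. int 41h
    ("07", "int68_43",
     rb"\xb4\x43.{0,8}?\xcd\x68"),                          # mov ah,43h .. int 68h
    ("05/07/12", "magic_f386",
     rb"(?:\x66)?\x3d\x86\xf3"),                            # cmp ax,0F386h
    ("12", "vxdcall_int41dispatch",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),                     # push 4Fh ; push 002A002Ah
    ("11", "sice_device_name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),    # \\.\SICE etc.
    ("13", "softice_registry_key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(m, name, re.compile(pat, re.DOTALL)) for m, name, pat in RULES]


def scan(data: bytes):
    """Return (offset, rule name, method) for every hit, ordered by offset."""
    hits = []
    for method, name, rx in COMPILED:
        for mt in rx.finditer(data):
            hits.append((mt.start(), name, method))
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real binary): four of the tricks between filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42" + b"\x66\xb8\x04\x00" + b"\xcc" + b"\x3c\x04" + b"\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xb8\x84\x16" + b"\xbb\x02\x02" + b"\xcd\x2f"                                      # method 03
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                                                      # method 12
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                                                                   # method 11
    + b"\x90" * 4
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name, method in hits:
        print(f"0x{off:08x}  {name:<24} (method {method})")
```

Run it as `python scan_sice.py program.exe` to list offsets. The patterns are deliberately loose (short immediates such as `cmp ax,0F386h` can occur by chance), so a hit is a lead to disassemble, not proof that the trick is present.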
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>