<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
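As an added example (not part of the original text, nor code from any of the programs it mentions), here is a Python scanner that looks for the opcode bytes these checks leave behind in raw x86 code: the 'BCHK' constant of Method 01, the INT 3 back door with its SI/DI magic values of Method 02, and the cmp ax,0F386h that follows the int 41h/4Fh call of Method 05. The sample buffer is hand-assembled from the Haspinst.exe listing and the snippets on this page; the function and constant names are my own.

```python
"""Scan raw x86 code bytes for the SoftICE checks of Methods 01, 02 and 05.

Added example, not code from the original text.  It looks for the opcode
bytes that carry the constants those methods use: the 'BCHK' value loaded
into EBP, the two INT 3 back-door magic values in SI/DI, and the F386h
compare that follows int 41h/4Fh.  The sample buffer is hand-assembled from
the listings above; it is not extracted from any real file.
"""

# INT 3 back-door functions selected through AX (Method 02).
INT3_BACKDOOR = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

MOV_SI_MAGIC = bytes([0xBE, 0x47, 0x46])   # mov si, 4647h
MOV_DI_MAGIC = bytes([0xBF, 0x4D, 0x4A])   # mov di, 4A4Dh

# Fixed signatures: (bytes, description).  The 'BCHK' load carries a 66h
# operand-size prefix in 16-bit code; the 5-byte tail is the same either way.
# Only the short "cmp ax, imm16" encoding (3Dh) is matched for F386h.
FIXED_SIGNATURES = [
    (bytes([0xBD, 0x4B, 0x48, 0x43, 0x42]),
     "Method 01: mov ebp, 'BCHK' (BoundsChecker signature)"),
    (bytes([0x3D, 0x86, 0xF3]),
     "Methods 05/07/12: cmp ax, 0F386h (system-debugger magic number)"),
]


def _backdoor_function(window):
    """Return the last 09xxh value loaded with 'mov ax, imm16' in the window."""
    found = None
    for i in range(len(window) - 2):
        if window[i] == 0xB8:                      # mov ax, imm16
            imm = window[i + 1] | (window[i + 2] << 8)
            if imm in INT3_BACKDOOR:
                found = imm
    return found


def scan(code, base=0, window=16):
    """Return a sorted list of (address, description) for every hit."""
    hits = []
    for sig, text in FIXED_SIGNATURES:
        pos = code.find(sig)
        while pos != -1:
            hits.append((base + pos, text))
            pos = code.find(sig, pos + 1)
    # Method 02: an INT 3 (CCh) with both magic loads in the preceding bytes.
    # A short window keeps an unrelated INT 3 further down from being flagged.
    for pos, byte in enumerate(code):
        if byte != 0xCC:
            continue
        before = code[max(0, pos - window):pos]
        if MOV_SI_MAGIC in before and MOV_DI_MAGIC in before:
            func = _backdoor_function(before)
            what = INT3_BACKDOOR.get(func, "unknown function")
            label = f"{func:04X}h" if func is not None else "????h"
            hits.append((base + pos,
                         f"Method 02: INT 3 back door, AX={label} ({what})"))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop (addresses 4C19:0095..00AD in the
# listing above), followed by the Method 01 and Method 05 snippets.
SAMPLE = bytes([
    0xB8, 0x11, 0x09,                    # 0095  mov ax, 0911h
    0x8B, 0x17,                          # 0098  mov dx, [bx]
    0xBE, 0x47, 0x46,                    # 009A  mov si, 4647h
    0xBF, 0x4D, 0x4A,                    # 009D  mov di, 4A4Dh
    0xCC,                                # 00A0  int 3
    0x83, 0xC3, 0x02,                    # 00A1  add bx, 2
    0x41,                                # 00A4  inc cx
    0x83, 0xF9, 0x06,                    # 00A5  cmp cx, 6
    0x72, 0xEB,                          # 00A8  jb 0095
    0xE9, 0x55, 0xFF,                    # 00AA  jmp 0002
    0x8B, 0xDC,                          # 00AD  mov bx, sp
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  # 00AF  mov ebp, 4243484Bh ('BCHK')
    0xB8, 0x04, 0x00,                    # 00B5  mov ax, 4
    0xCC,                                # 00B8  int 3 (no magic values before it)
    0x3C, 0x04,                          # 00B9  cmp al, 4
    0x75, 0x00,                          # 00BB  jnz ...
    0xB8, 0x4F, 0x00,                    # 00BD  mov ax, 4Fh
    0xCD, 0x41,                          # 00C0  int 41h
    0x3D, 0x86, 0xF3,                    # 00C2  cmp ax, 0F386h
    0x74, 0x00,                          # 00C5  jz ...
])

if __name__ == "__main__":
    for addr, text in scan(SAMPLE, base=0x95):
        print(f"{addr:04X}  {text}")
```

Run on the sample, the scanner reports the Method 02 back door at 00A0 with AX=0911h, the 'BCHK' load at 00B0 and the F386h compare at 00C2; the second INT 3 at 00B8 is not reported because no magic loads precede it within the window, which is the check a packer's own INT 3 would otherwise trip.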
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES must address the IVT at segment 0 (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2] ; ...keeping the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the PIT counter: an unpredictable value in al
 xor cx,cx
 int 41h ; our handler sets cl=al; if something else handled it, cl stays 0
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

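To show what the dr7 values quoted above mean, here is an added Python decoder (not code from the original text) that splits a DR7 value into its enable bits, the LE/GE/GD flags and the per-slot R/W and LEN fields, following the layout documented in Intel's manuals. The helper names and every sample value other than 0x700 and 0x400 are constructed here.

```python
"""Decode an x86 DR7 value, as read by a Method 10 style check.

Added example, not code from the original text.  Bit layout (Intel SDM vol. 3,
"Debug Registers"): L0/G0 .. L3/G3 in bits 0-7, LE in bit 8, GE in bit 9,
bit 10 always reads as 1, GD in bit 13, and for slot i the R/W field in bits
16+4*i..17+4*i and the LEN field in bits 18+4*i..19+4*i.  So 0x400 is "nothing
set" and 0x700 is "LE and GE set, no slot enabled".
"""

RW_TEXT = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}          # LEN encoding 2 means 8 bytes
LEN_CODE = {size: code for code, size in LEN_BYTES.items()}
RW_CODE = {text: code for code, text in RW_TEXT.items()}


def decode_dr7(dr7):
    """Return the flags and the enabled hardware breakpoints encoded in dr7."""
    breakpoints = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                              # slot disabled: fields unused
        rw = (dr7 >> (16 + 4 * slot)) & 3
        length = (dr7 >> (18 + 4 * slot)) & 3
        breakpoints.append({"slot": slot, "local": local, "global": glob,
                            "condition": RW_TEXT[rw],
                            "length": LEN_BYTES[length]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "breakpoints": breakpoints}


def encode_breakpoint(slot, condition, length, local=True):
    """Build the DR7 bits for one slot (inverse of decode_dr7 for that slot)."""
    enable = 1 << (2 * slot + (0 if local else 1))
    return (enable
            | (RW_CODE[condition] << (16 + 4 * slot))
            | (LEN_CODE[length] << (18 + 4 * slot)))


def summarize(dr7):
    """One-line reading in the spirit of the text: 0x700 vs 0x400 vs BPMs set."""
    d = decode_dr7(dr7)
    flags = [name for name in ("le", "ge", "gd") if d[name]]
    if d["breakpoints"]:
        bps = ", ".join(f"dr{b['slot']} {b['condition']} len {b['length']}"
                        for b in d["breakpoints"])
        return f"dr7=0x{dr7:X}: breakpoints set ({bps})"
    if flags:
        names = "+".join(x.upper() for x in flags)
        return f"dr7=0x{dr7:X}: no breakpoints, {names} set"
    return f"dr7=0x{dr7:X}: nothing set"


if __name__ == "__main__":
    for value in (0x700, 0x400,
                  0x400 | encode_breakpoint(0, "read/write", 4),          # constructed
                  0x400 | encode_breakpoint(2, "write", 2, local=False)):  # constructed
        print(summarize(value))
```

The two constructed values show the other half of the trick: a BPM set in SoftICE on dr0 as a 4-byte read/write watch appears as 0xF0401, so a ring0 routine that reads dr7 sees both the LE/GE flags and the slot itself, and clearing those bits is what "clearing BPMs" in the text amounts to.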
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The SoftICE VxD answers the open for this device name only when it
       is loaded, so a valid handle means the debugger is present. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

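Methods 11 and 13 both depend on fixed literals: the device names handed to CreateFileA/_lopen and the registry key paths handed to RegOpenKey. The following Python scanner, an added example that is not part of the original text, finds those literals in 8-bit and UTF-16LE form in a binary image and, for the registry keys, computes the offset of 'tICE' that the _regopenkey breakpoint above adds to esp->8 (0x13 for key #2, 0x37 for key #1). The image it scans is constructed inline; the function names are my own.

```python
"""Locate the literals behind Methods 11 and 13 in a binary image.

Added example, not code from the original text.  MeltICE-style checks need
the device name they hand to CreateFileA or _lopen, and the registry probe
needs the key path it hands to RegOpenKey; both show up as plain or UTF-16LE
strings in the executable.  The sample image at the bottom is constructed
here and is not a real file.
"""
import re

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [
    b"Software\\NuMega\\SoftICE",                                            # key #2
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",     # key #1
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  # key #3
]


def _compile():
    """One case-insensitive pattern per literal and encoding."""
    table = []
    literals = [(d, "Method 11: device name") for d in DEVICE_NAMES]
    literals += [(k, "Method 13: registry key") for k in REGISTRY_KEYS]
    for lit, method in literals:
        wide = lit.decode("ascii").encode("utf-16-le")
        table.append((re.compile(re.escape(lit), re.IGNORECASE), "ascii", lit, method))
        table.append((re.compile(re.escape(wide), re.IGNORECASE), "utf-16", lit, method))
    return table


PATTERNS = _compile()


def scan_strings(image):
    """Return sorted (offset, encoding, literal, method) tuples for every match."""
    hits = []
    for pattern, encoding, lit, method in PATTERNS:
        for m in pattern.finditer(image):
            hits.append((m.start(), encoding, lit.decode("ascii"), method))
    return sorted(hits)


def tice_offset(key):
    """Offset of 'tICE' inside a key path: the constant the BPX above adds to esp->8."""
    return key.index(b"tICE")


# Constructed image: a fake header, an 8-bit device name, a UTF-16LE device
# name, registry key #2 and a lower-case device name.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 14
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\\\\.\\siwvid\x00"
)

if __name__ == "__main__":
    for offset, encoding, lit, method in scan_strings(SAMPLE_IMAGE):
        print(f"{offset:#06x} {encoding:6} {method}: {lit}")
    for key in REGISTRY_KEYS[:2]:
        print(f"'tICE' at {tice_offset(key):#x} in {key.decode()}")
```

The case-insensitive match matters because the Win9x device names are not case sensitive, and the UTF-16LE variant catches the same check written against the wide APIs; a program that builds the name at run time (byte by byte, or by decrypting it) will not show up this way and needs the breakpoints listed above instead.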
___________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>