<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE. Without a debugger the
INT 3 returns with AL still equal to 4; SoftICE's INT 3 handler recognises
the 'BCHK' signature in EBP, answers the request and changes AL, which the
jnz catches:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own INT 3 handler) if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is returned as 0000:0000 if no VxD
with that ID is loaded, which is why the code pre-zeroes both registers.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of winice
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The INT 41h vector is temporarily swapped
for a dummy IRET handler, so an answer of 0F386h can only come from a
debugger trapping the interrupt below the vector table (ES must point to
segment 0, the interrupt vector table, as method 06 does explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; swap in our own handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
does not use function 4Fh at all, so there is nothing obvious to break on.
The program's own handler copies AL into CL; if the interrupt reaches it,
CL ends up equal to the timer byte read from port 40h, while a debugger
that intercepts INT 41h and never passes it on leaves CL at zero:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; ES = 0, the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; unpredictable value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                       ; DOS set interrupt vector
    mov al, Int_Number                ; 01h or 03h
    mov dx, offset New_Int_Routine    ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only, since MOV from a debug register is privileged). Values
can be manipulated or changed as well (clearing BPMs for instance).
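Once dr7 and dr0..dr3 have been read (from a ring0 driver, a crash dump or an emulator), the raw values still have to be interpreted. The Python below is an added example and not code from the original page: it decodes DR7 according to the documented bit layout into the list of enabled hardware breakpoints, exposes the 0x700/0x400 heuristic from the text as a function, and shows the "clearing BPMs" manipulation as a DR7 rewrite. It goes beyond the text in decoding every slot's condition and length; the sample register values are constructed.

```python
from dataclasses import dataclass

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 2n / 2n+1     : Ln / Gn, local/global enable for DRn
#   bits 8 / 9         : LE / GE, exact-breakpoint enables; the SoftICE loader
#                        leaves them set, which is where the 0x700 in the text comes from
#   bit 10             : reserved, always reads as 1 (hence the bare 0x400 on a clean box)
#   bit 13             : GD, general detect (traps any MOV to/from a debug register)
#   bits 16+4n..17+4n  : R/Wn, break condition      bits 18+4n..19+4n : LENn, size
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int          # 0..3, which of DR0..DR3 holds the address
    address: int
    enable: str        # "local", "global" or "local+global"
    condition: str     # one of RW_NAMES
    length: int        # bytes covered


def decode_dr7(dr7, dr0_3):
    """Return the hardware breakpoints DR7 currently enables, with their DRn addresses."""
    if len(dr0_3) != 4:
        raise ValueError("need the four address registers DR0..DR3")
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        condition = RW_NAMES[(dr7 >> (16 + 4 * n)) & 3]
        length = LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3]
        enable = "local+global" if (local and glob) else ("local" if local else "global")
        bps.append(HwBreakpoint(n, dr0_3[n], enable, condition, length))
    return bps


def loaded_with_softice_loader(dr7):
    """Method 10's heuristic: LE and GE set (0x700) vs. the reserved bit alone (0x400)."""
    return (dr7 & 0x300) == 0x300


def general_detect_enabled(dr7):
    """GD set: the debugger wants to catch the very MOV that reads DR7."""
    return bool(dr7 & 0x2000)


def clear_bpm(dr7, slot):
    """DR7 with breakpoint `slot` removed: its Ln/Gn bits and R/Wn/LENn fields zeroed
    (the 'clearing BPMs' manipulation the text mentions)."""
    # same bits as shifting 3 up by 2*slot and 0xF up by 16+4*slot
    mask = 3 * 4 ** slot | 0xF * 16 ** (4 + slot)
    return dr7 & ~mask & 0xFFFFFFFF


# Constructed sample values, as a ring0 read or a dump might report them:
# 0x400 | L0 | RW0=write | LEN0=4 bytes | G3 (execute, 1 byte)
SAMPLE_DR7 = 0xD0481
SAMPLE_DR0_3 = [0x401000, 0, 0, 0x402000]

if __name__ == "__main__":
    print("loader signature 0x700:", loaded_with_softice_loader(0x700),
          " clean 0x400:", loaded_with_softice_loader(0x400))
    for bp in decode_dr7(SAMPLE_DR7, SAMPLE_DR0_3):
        print(bp)
    print("after clearing slot 0:", hex(clear_bpm(SAMPLE_DR7, 0)))
```

The 0x700/0x400 test is only a heuristic: any debugger or driver that programs LE/GE, or a CPU that ignores those bits, changes the baseline, so a real check should look at the enable bits of the four slots rather than at the whole register.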

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
 in "Software\NuMega\SoftICE" and in the longer ...\Uninstall\SoftICE path)
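The opcode sequences and strings behind methods 01 through 07, 11, 12 and 13 are what an analyst hunts for statically in a protected binary before it ever runs. The Python scanner below is an added example and is not part of the original page nor of any tool it names: it hand-assembles the listings above into byte-regex signatures (16-bit encodings, plus the 32-bit form of method 12 and the device-name and registry strings), scans a blob and reports which method each hit corresponds to. The SAMPLE blob is constructed from the page's listings; the widths of the gaps allowed between anchoring opcodes are my assumption about how much unrelated code a packer inserts.

```python
import re
from dataclasses import dataclass

# Byte-level signatures for the SoftICE tricks listed on this page. Opcodes are
# hand-assembled from the listings above (16-bit code unless noted); the lazy
# `.{0,N}?` gaps are an assumption that packers insert at most a few unrelated
# bytes between the anchoring instructions.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK', little-endian) ... int 3
    #   66 BD 4B 48 43 42 in 16-bit code, BD 4B 48 43 42 in 32-bit code
    ("01", "BoundsChecker 'BCHK' in EBP + INT 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), either order, ... int 3
    ("02", "INT 3 back door, SI=4647h/DI=4A4Dh",
     rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46).{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h (B8 84 16), mov bx,0202h|7A5Fh (BB ..), int 2Fh (CD 2F)
    ("03/04", "INT 2Fh/1684h entry point of SICE or SIWVID",
     rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    # Methods 05/06 with function 4Fh: mov ax,4Fh (B8 4F 00), int 41h (CD 41),
    # cmp ax,0F386h (3D 86 F3); the 12-byte gap covers Stone's two xchg's that restore the vector
    ("05", "INT 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00.{0,6}?\xCD\x41.{0,12}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h (B4 43), int 68h (CD 68), cmp ax,0F386h
    ("07", "INT 68h/43h WinICE V86 handler check",
     rb"\xB4\x43.{0,6}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 12 (32-bit): push 4Fh (6A 4F), push 2A002Ah (68 2A 00 2A 00), call VxDCall,
    # cmp ax,0F386h with the operand-size prefix (66 3D 86 F3)
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,12}?\x66\x3D\x86\xF3"),
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen
    ("11", "MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry paths that reveal the installation (case-insensitive, ASCII only)
    ("13", "SoftICE registry key",
     rb"(?i)Software\\NuMega\\SoftICE|\\Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    description: str
    matched: bytes


def scan(blob):
    """Return every signature hit in `blob`, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append(Hit(m.start(), method, desc, m.group(0)))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob):
    """Method labels in the order their hits appear in the blob."""
    return [h.method for h in scan(blob)]


# Constructed sample (not a real binary): the page's listings hand-assembled and
# separated by NOP sleds, followed by the strings a data section would hold.
NOPS = b"\x90" * 8
SAMPLE = b"".join([
    # Haspinst.exe loop (Method 02): mov ax,911h / mov dx,[bx] / mov si,4647h /
    # mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6 / jb 0095
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB",
    NOPS,
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10", NOPS,
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh /
    # mov ax,es / add ax,di / test ax,ax / jnz
    b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0\x75\x10", NOPS,
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10", NOPS,
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
    b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10", NOPS,
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call [mem32] / cmp ax,0F386h / jz
    b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00\x66\x3D\x86\xF3\x74\x10", NOPS,
    # Methods 11 and 13: device names and a registry path from the data section
    b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00Software\\NuMega\\SoftICE\x00",
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:06x}  method {h.method:5}  {h.description}  {h.matched.hex(' ')}")
```

Feed it the raw bytes of a DOS executable or the code and data sections of a PE. Regexes with byte gaps will occasionally misfire on data that happens to look like code; when that matters, replace the gaps with a real instruction decoder that tracks the register loads leading up to the INT.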
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag (ZF is clear when a debugger is installed,
hence the je).
</PRE></TD></TR></TBODY></TABLE>