About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
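As an added illustration of Method 10 above (this code is not part of the original text), the Python below decodes a DR7 value into its flag bits and its four breakpoint slots using the bit layout documented in the Intel SDM, and shows what the quoted 0x700 and 0x400 values contain: 0x700 has the LE and GE bits set, while 0x400 is only the reserved bit 10 that always reads as 1. The set_breakpoint and clear_breakpoints helpers are names chosen here to model the "values can be manipulated" remark; reading or writing DR7 itself needs ring 0, so everything here works on a value passed in.

```python
"""DR7 decoder for the debug-register check in Method 10.

Added example, not part of the original text.  Bit layout from the Intel
SDM: L0/G0 .. L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads
as 1), GD bit 13, and for breakpoint n the R/Wn field at bits 16+4n..17+4n
with LENn at bits 18+4n..19+4n.
"""
from typing import Dict, List

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=10 (8 bytes) is 64-bit mode only
RW_CODES = {name: code for code, name in RW_TYPES.items()}
LEN_CODES = {size: code for code, size in LEN_BYTES.items()}
RESERVED_BIT10 = 1 << 10                  # why a "clean" DR7 reads as 0x400
FLAG_MASK = 0x2700                        # LE, GE, reserved bit 10, GD


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the global flags and the state of the four breakpoint slots."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "enabled": local or glob, "local": local,
                      "global": glob, "type": RW_TYPES[rw],
                      "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": slots}


def active_breakpoints(dr7: int) -> List[int]:
    """Slots (0-3, i.e. DR0-DR3) that currently have an enabled breakpoint."""
    return [s["slot"] for s in decode_dr7(dr7)["breakpoints"] if s["enabled"]]


def le_ge_set(dr7: int) -> bool:
    """The bits that separate the text's 0x700 (LE and GE set) from 0x400."""
    return (dr7 & 0x300) == 0x300


def set_breakpoint(dr7: int, slot: int, kind: str, length: int,
                   local: bool = True) -> int:
    """Return dr7 with a breakpoint programmed into `slot`.

    The matching linear address would go into DR0-DR3; an execute
    breakpoint must use LEN=00 (1 byte)."""
    if slot not in range(4):
        raise ValueError("slot must be 0..3")
    if kind == "execute" and length != 1:
        raise ValueError("execute breakpoints use LEN=00 (1 byte)")
    field_mask = (0b11 << (2 * slot)) | (0b1111 << (16 + 4 * slot))
    dr7 &= ~field_mask                      # clear this slot's old settings
    dr7 |= 1 << (2 * slot + (0 if local else 1))
    dr7 |= RW_CODES[kind] << (16 + 4 * slot)
    dr7 |= LEN_CODES[length] << (18 + 4 * slot)
    return dr7 | RESERVED_BIT10


def clear_breakpoints(dr7: int) -> int:
    """What a 'clear all BPMs' manipulation leaves behind: only the flag bits."""
    return (dr7 & FLAG_MASK) | RESERVED_BIT10


if __name__ == "__main__":
    # Constructed values: the two from the text plus one 4-byte write BPM.
    for value in (0x400, 0x700, set_breakpoint(0x700, 1, "write", 4)):
        info = decode_dr7(value)
        print(f"DR7={value:#x} LE={info['LE']} GE={info['GE']} "
              f"active={active_breakpoints(value)}")
```

Running the module prints the decoded flags for 0x400, 0x700 and a constructed value with one 4-byte write breakpoint in slot 1; clear_breakpoints on that last value gives 0x700 back, which is exactly the kind of rewrite the text warns you not to trace through.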
1 a3 w0 J: \! z
7 c& a5 q7 W& o2 |/ k# q5 PMethod 11
3 ?- Z' i2 s( H  C: @$ @% G0 D=========
9 P- j0 a% |# y' v( z
& x, x8 Z( U0 `' W& ^/ kThis method is most known as 'MeltICE' because it has been freely distributed8 L7 x* ^5 h" h8 r- |
via www.winfiles.com. However it was first used by NuMega people to allow5 g$ _* z/ y) e6 |) E- X, Y( U0 G
Symbol Loader to check if SoftICE was active or not (the code is located, ]4 o  E6 q" }1 ~
inside nmtrans.dll).
# w  [) H2 i9 V- s" ^  h: M
8 Q0 b( G! Y1 y+ D% i8 H, o7 ZThe way it works is very simple:! m9 m6 [! K% L9 t5 `
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for% \' A! F. _* X, Q+ P4 O
WinNT) with the CreateFileA API.
# `/ |8 Y7 H% ^, @
, N7 Y3 f% x" Y" K, b  l2 g% S* DHere is a sample (checking for 'SICE'):
3 D4 s/ p" [- N$ ^) K
/ v* a7 ~/ B( l( ~; \2 G  u% nBOOL IsSoftIce95Loaded(), [- N, \4 i5 g1 h. k
{
4 F5 x# ?2 h; F7 q" D9 P" N   HANDLE hFile;  
; H% S  r7 J* x   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; S* @9 O+ T2 }0 L                      FILE_SHARE_READ | FILE_SHARE_WRITE,
7 i; m0 X' o- s9 o' o6 f, {                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
3 {5 y9 A2 w8 x9 u- c% {   if( hFile != INVALID_HANDLE_VALUE )
- b: ^4 h. c- A* m1 F* X& K  N   {& g+ p+ G, @9 u0 h; g
      CloseHandle(hFile);
, o# D, [' R4 v$ U1 h4 |      return TRUE;
* Q  W4 @& U/ T& j   }
6 c! a, v* Z; |   return FALSE;
2 s3 ?" R) U# B" F4 M5 B}8 l0 E% T( J( b/ a

& W9 J; v8 F9 _! [& lAlthough this trick calls the CreateFileA function, don't even expect to be2 ^9 v% ~  Y0 x% v
able to intercept it by installing a IFS hook: it will not work, no way!3 y! z: Q" `: t7 {
In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 J  j) N9 x  Q$ V2 K
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)/ ~. _- Q# y( R. ^& d8 g: n
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 e( p% I9 W! I$ R4 U6 Efield.
* [! z1 s$ {  i5 l* B4 oIn fact, its purpose is not to load/unload VxDs but only to send a 8 k" J) d- ^) p! N( r' T0 G
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)* d0 U; ~2 }* a
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
! H; j4 o* l. K; H* Gto load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 E, O* ^0 R% t( vIf the VxD is loaded, it will always clear eax and the Carry flag to allow/ s5 L. w% x. C* y+ W) }2 h
its handle to be opened and then, will be detected.; I3 ^" P4 P! E
You can check that simply by hooking Winice.exe control proc entry point
) B8 m4 q+ V; c# fwhile running MeltICE.  l# A1 j2 r  \2 B7 q3 M. J3 j! d

% ^* D' {2 R. b' |  A5 z9 [+ P6 D
  00401067:  push      00402025    ; \\.\SICE
+ K3 l8 X# |3 d" V6 i7 J$ {" b  0040106C:  call      CreateFileA
" m( M& a6 D% u1 }6 M  00401071:  cmp       eax,-001
$ [$ {6 Z: [6 z  h7 L  00401074:  je        00401091) c9 ~- p* _& _

" E. f0 W2 b( i0 C* `# r6 y
7 k3 t; `+ H' CThere could be hundreds of BPX you could use to detect this trick.! N3 x6 [6 R5 K0 n8 m1 E5 R' Z) t
-The most classical one is:
' F2 Y  a( R! U, C  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 i$ |: L2 O- B9 Q    *(esp-&gt;4+4)=='NTIC'
( x/ _0 L+ h# m5 M4 z$ ^( Y- ]7 e1 g/ e& U  ^* M6 r! u
-The most exotic ones (could be very slooooow :-(1 v, l0 P) n3 S
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  % `0 \9 Y6 i' o+ X& k: R+ R3 q4 I4 ~
     ;will break 3 times :-(" G) Z# k3 c4 E
# A) e8 I+ k( G  G! Y
-or (a bit) faster:
7 w0 ]; W" w9 l/ h- a+ v/ F   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& Z* L0 ^0 l2 V/ V- X8 F, R2 l2 S3 y
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
! `# ?7 p3 a& |* F) i. }5 ~     ;will break 3 times :-(# L+ z+ m8 p, K! D$ b2 S# Y" m
. K7 m% V* P4 p$ \3 h* J2 S
-Much faster:8 y/ L" X7 I, ~1 I; c' X6 ?
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
; i, E9 c, W. {8 |0 F
; W$ W' s; `) ?! t* zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen; s1 w2 J  ]8 ?: |( u  |
function to do the same job:+ s8 _3 |' [& k9 O$ w$ ~

" ]3 m1 c: b& F. @. e; j   push    00                        ; OF_READ' S: F/ E, M5 {9 \  U' V4 M
   mov     eax,[00656634]            ; '\\.\SICE',04 X9 u7 @) s) `; X* ~
   push    eax4 |$ X- m1 R9 U$ [1 |
   call    KERNEL32!_lopen: {& }) U1 L& M* x& t
   inc     eax
3 _; c1 h) l: `   jnz     00650589                  ; detected, a8 |( T4 p8 \# ^8 _* L
   push    00                        ; OF_READ+ k! G0 O% O) x. q* y) P! F4 g" C
   mov     eax,[00656638]            ; '\\.\SICE'# v; \6 o+ F" w8 s6 Z
   push    eax, z  c5 j8 i$ I
   call    KERNEL32!_lopen+ ~0 M6 z/ L) J& N7 @
   inc     eax5 w. w/ a/ B* [6 ?1 _
   jz      006505ae                  ; not detected2 d  T4 v3 C# Z6 I
7 H# c+ W  V* F6 \+ r5 e' x, |2 l% a) T
0 W4 `3 o# r& x) J5 q
__________________________________________________________________________
6 q) G$ J: {! Z6 M$ }' r" G- [" ^' `9 n2 h3 [2 f; w( ]5 e; I
Method 12: R5 i' z% F( `' b; q$ a4 C
=========9 G& S7 ?* M* {# p# Y4 R8 v
/ B- G+ x$ z4 \& v& H& E
This trick is similar to int41h/4fh Debugger installation check (code 05# k# q, d9 l' D# z0 x% g
&amp; 06) but very limited because it's only available for Win95/98 (not NT)+ _& }' v! t/ x# b
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 X) ]4 x1 W% a; c
4 L( G. u$ T6 Y  n7 d: X1 {" y
   push  0000004fh         ; function 4fh
' p- N/ B1 x4 P* f3 `   push  002a002ah         ; high word specifies which VxD (VWIN32)! y5 {* o! L# P# X+ c$ j
                           ; low word specifies which service7 k6 ^6 ^/ T+ s3 ?2 v
                             (VWIN32_Int41Dispatch)6 J: o1 `/ L9 |. z6 o, Z- t
   call  Kernel32!ORD_001  ; VxdCall
3 k- _& X  P! V& P   cmp   ax, 0f386h        ; magic number returned by system debuggers7 a( p. |1 s3 M  M/ G( ^
   jz    SoftICE_detected  Z% M, U+ J( r; \

  Z3 ^$ _1 k- H6 Q3 c/ NHere again, several ways to detect it:, ~& J; Y9 c% W; A7 k

/ j* z; S( n% X9 I% h; ^    BPINT 41 if ax==4f
6 y& J7 A3 _% g: F2 e6 h2 `
, Z, U( }% m# z    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; h2 _2 b4 o- k7 _! y+ l/ V, U; a( a% w
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
% e) M  c6 h0 S1 d9 y
: O8 _9 k$ x0 o! E    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
+ a! T1 z3 C' {* q% X* @
/ r- A' B' b0 C& R, e4 _( V' D" y__________________________________________________________________________% L% B- u" R0 T0 T

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
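The SoftICE breakpoints given for each method only fire while the program runs. As an added example (not part of the original text, nor of any of the programs it names), the Python below does the static counterpart: it scans a byte buffer for the instruction encodings of the sequences shown in Methods 01 to 07 and 12 and for the device-name and registry-key strings used by Methods 11 and 13, which is how packer and anti-debug identifiers flag such checks before a sample is ever run. The encodings are standard x86 (mov reg,imm; int imm8; push imm; ES-prefixed xchg); sig, scan, methods_found and SAMPLE are names chosen here, and SAMPLE is a constructed buffer, not a real binary. It goes slightly beyond the page by emitting both ANSI and UTF-16LE forms of the strings, since a Win32 program may store them either way.

```python
"""Static byte-signature scanner for the anti-SoftICE tricks on this page.

Added example, not part of the original text.  Each entry is the x86
encoding of an instruction sequence shown in Methods 01-07 and 12, or the
device/registry name string used by Methods 11 and 13.
"""
from typing import List, Tuple

Hit = Tuple[int, str, str]          # (offset, method number, description)


def sig(hex_bytes: str) -> bytes:
    """'CD 41' -> b'\\xcd\\x41'; keeps the signature table readable."""
    return bytes.fromhex(hex_bytes)


def string_sigs(method: str, desc: str, text: str) -> List[Tuple[str, str, bytes]]:
    """Win32 strings may be stored ANSI or UTF-16LE; emit both encodings."""
    return [(method, desc + " (ANSI)", text.encode("ascii")),
            (method, desc + " (UTF-16LE)", text.encode("utf-16-le"))]


SIGNATURES: List[Tuple[str, str, bytes]] = [
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("01", "BoundsChecker 'BCHK' int 3 probe", sig("BD 4B 48 43 42 66 B8 04 00 CC")),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (16-bit and 32-bit forms)
    ("02", "back-door magic SI=4647h DI=4A4Dh, 16-bit", sig("BE 47 46 BF 4D 4A CC")),
    ("02", "back-door magic SI=4647h DI=4A4Dh, 32-bit", sig("66 BE 47 46 66 BF 4D 4A CC")),
    # Methods 03/04: mov ax,1684h / mov bx,VxD-ID / int 2Fh
    ("03", "int 2Fh/1684h for VxD ID 0202h (SICE)", sig("B8 84 16 BB 02 02 CD 2F")),
    ("04", "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)", sig("B8 84 16 BB 5F 7A CD 2F")),
    # Method 05: mov ax,4Fh / int 41h; Methods 05/06 also swap the int 41h vector
    ("05", "int 41h function 4Fh debugger check", sig("B8 4F 00 CD 41")),
    ("05/06", "xchg dx,es:[41h*4] (int 41h vector swap)", sig("26 87 16 04 01")),
    # Method 07: mov ah,43h / int 68h
    ("07", "int 68h function 43h (V86 WinICE handler)", sig("B4 43 CD 68")),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall (both push encodings)
    ("12", "VWIN32_Int41Dispatch via VxDCall (push imm8)", sig("6A 4F 68 2A 00 2A 00")),
    ("12", "VWIN32_Int41Dispatch via VxDCall (push imm32)", sig("68 4F 00 00 00 68 2A 00 2A 00")),
]
for _dev in ("SICE", "SIWVID", "NTICE"):                       # Method 11 (MeltICE)
    SIGNATURES += string_sigs("11", "device name \\\\.\\" + _dev, "\\\\.\\" + _dev)
SIGNATURES += string_sigs("13", "registry key Software\\NuMega\\SoftICE",   # Method 13
                          "Software\\NuMega\\SoftICE")


def scan(buf: bytes) -> List[Hit]:
    """Every (offset, method, description) match, lowest offset first."""
    hits: List[Hit] = []
    for method, desc, pattern in SIGNATURES:
        pos = buf.find(pattern)
        while pos != -1:
            hits.append((pos, method, desc))
            pos = buf.find(pattern, pos + 1)
    return sorted(hits)


def methods_found(buf: bytes) -> List[str]:
    """Distinct method numbers in order of first appearance."""
    seen: List[str] = []
    for _, method, _ in scan(buf):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample: NOP padding around several of the sequences, laid out so
# the offsets are known (Method 01 at 4, 02 at 26, 03 at 33, 12 at 41, the
# \\.\SICE string at 48 and a UTF-16LE registry key at 57).  Not a real binary.
SAMPLE = (
    b"\x90" * 4
    + sig("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10")   # Method 01 plus cmp al,4 / jnz
    + b"\x90" * 3
    + sig("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")          # Method 02, Haspinst-style loop body
    + sig("B8 84 16 BB 02 02 CD 2F")                      # Method 03
    + sig("6A 4F 68 2A 00 2A 00")                         # Method 12
    + b"\\\\.\\SICE\x00"                                  # Method 11 (ANSI)
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")    # Method 13 (wide string)
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method:<5} {desc}")
```

A plain substring match is deliberately strict: a packer that reorders the moves or hides the magic values behind arithmetic will not be caught, which is why the text's runtime breakpoints (BPINT 41, BPX CreateFileA, bpx Get_DDB) remain the complement to any static signature. Method 06 has no entry of its own because its only distinctive feature is the vector swap it shares with the Stone variant of Method 05.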

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>