<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                ; AL is no longer 4 if SoftICE handled the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
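
Both int 3 back doors above (Methods 01 and 02) use fixed immediates, so an
analyst can spot them statically without running the sample. The Python scanner
below is an added example and is not part of the original text: it searches for
the 'mov ebp, 4243484Bh' opcode (BD 4B 48 43 42) and for the 'mov si,4647h' /
'mov di,4A4Dh' pair (BE 47 46 / BF 4D 4A), and reports a hit only when an int 3
(CCh) follows within a few bytes, so the constants alone do not trigger it. The
sample bytes are hand-assembled here, and the 8-byte and 16-byte proximity
windows and the dictionary field names are my own choices.

```python
import re

# Constructed sample: filler around hand-assembled copies of the Method 01
# (BCHK) and Method 02 (SI=4647h/DI=4A4Dh) sequences. Not taken from a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh  ('BCHK', 32-bit code)
    + b"\x66\xB8\x04\x00"       # mov ax, 4           (operand-size prefix)
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x90" * 8
    + b"\xB8\x11\x09"           # mov ax, 0911h       (16-bit code: execute command)
    + b"\x8B\x17"               # mov dx, [bx]
    + b"\xBE\x47\x46"           # mov si, 4647h       ('FG')
    + b"\xBF\x4D\x4A"           # mov di, 4A4Dh       ('JM')
    + b"\xCC"                   # int 3
    + b"\x90" * 4
)

BCHK_SIG = b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh
SI_SIG = b"\xBE\x47\x46"             # mov si, 4647h
DI_SIG = b"\xBF\x4D\x4A"             # mov di, 4A4Dh
INT3 = b"\xCC"

# Back-door functions listed in Method 02 (AX values)
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}


def _int3_after(data, start, window=8):
    """Offset of the first int 3 within `window` bytes after `start`, or None."""
    idx = data.find(INT3, start, start + window)
    return None if idx < 0 else idx


def find_bchk(data):
    """Method 01: 'mov ebp, 4243484Bh' followed shortly by 'int 3'."""
    hits = []
    for m in re.finditer(re.escape(BCHK_SIG), data):
        i3 = _int3_after(data, m.end())
        if i3 is not None:
            hits.append({"method": "01-BCHK", "offset": m.start(), "int3": i3})
    return hits


def find_fgjm(data, window=16):
    """Method 02: 'mov si,4647h' and 'mov di,4A4Dh' within `window` bytes of each
    other, then 'int 3'. Also recovers the AX function if a 'mov ax, 09xxh'
    (B8 xx 09) sits in the same neighbourhood."""
    hits = []
    for m in re.finditer(re.escape(SI_SIG), data):
        lo, hi = max(0, m.start() - window), m.end() + window
        region = data[lo:hi]
        di_rel = region.find(DI_SIG)
        if di_rel < 0:
            continue
        last = max(m.end(), lo + di_rel + len(DI_SIG))
        i3 = _int3_after(data, last)
        if i3 is None:
            continue
        hit = {"method": "02-FGJM", "offset": m.start(), "int3": i3, "function": None}
        ax = re.search(rb"\xB8([\x10-\x14])\x09", region)
        if ax:
            hit["function"] = 0x0900 | ax.group(1)[0]
            hit["function_name"] = BACKDOOR_FUNCS[hit["function"]]
        hits.append(hit)
    return hits


def scan(data):
    """All Method 01/02 hits in a buffer, ordered by offset."""
    return sorted(find_bchk(data) + find_fgjm(data), key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h)
```

Run on a real file with scan(open(path, "rb").read()); every hit carries the offset of the
signature and of the int 3 that completes it, which is exactly where a breakpoint goes when
the sample is later examined dynamically.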
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh,
function 1684h (Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point (0:0 if not present)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

A method identical to the preceding one, except that it looks up the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point (0:0 if not present)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; assumes ES = 0 (interrupt vector table)
    xchg bx, es:[41h*4+2]    ; install our own int 41h handler
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov cl, al               ; copy AL into CL to prove our handler was reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; AL = an arbitrary value (timer channel 0 counter)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; CL == AL only if our own handler was reached
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
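
Method 10 compares whole DR7 values, and it is easier to reason about them bit
by bit. The Python decoder below is an added example, not part of the original
text; it uses the DR7 layout as documented by Intel (the 0x400 baseline is the
reserved bit 10, which always reads as 1, and 0x700 adds the LE and GE
exact-match enables on top of it). classify_dr7 only restates the 0x700/0x400
rule of thumb given above; the function and field names are mine.

```python
# Bit layout of DR7 as documented in the Intel SDM (vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per breakpoint
#   bit 8       LE, bit 9 GE             exact-match enables
#   bit 10      reserved, reads as 1     (hence the 0x400 baseline)
#   bit 13      GD                       general detect (#DB on any DRx access)
#   bits 16..31 R/W0,LEN0 .. R/W3,LEN3   condition and length per breakpoint
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the flags and the list of enabled hardware breakpoints in a DR7 value."""
    enabled = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            enabled.append({"index": n, "local": local, "global": glob,
                            "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "breakpoints": enabled,
    }


def classify_dr7(dr7):
    """Apply the rule of thumb from Method 10: 0x700 = SoftICE loader, 0x400 = baseline.
    Any L/G bit set means a hardware breakpoint (a SoftICE BPM, for instance) is armed."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (dr0-dr3 in use)"
    if dr7 == 0x700:
        return "LE+GE set: matches the SoftICE loader value"
    if dr7 == 0x400:
        return "baseline (reserved bit 10 only)"
    return "other"


if __name__ == "__main__":
    # 0xF0401 is a constructed value: baseline plus a local 4-byte read/write BPM on dr0
    for v in (0x400, 0x700, 0xF0401):
        print(hex(v), classify_dr7(v), decode_dr7(v))
```

Reading the decoded list rather than the raw number also tells you which of dr0-dr3 a
program would have to clear to remove a BPM, which is the manipulation the text mentions.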

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(:
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but is very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxDCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
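
Both the MeltICE device names (Method 11) and the registry paths (Method 13)
leave fixed strings in the program that uses them, so a string scan is the
cheapest way to triage a binary for these checks before setting any of the
breakpoints above. The Python below is an added example and is not part of the
original text: it extracts printable ASCII and UTF-16LE runs (the wide form is
included because a Unicode build would pass the same name to CreateFileW),
matches them case-insensitively against the names quoted in the text, and
labels each hit with the method and the platform the text attributes it to.
The sample buffer is constructed here, not taken from a real program, and the
field names are mine.

```python
import re

# Names from the text: device names opened by MeltICE-style checks (Method 11)
# and the registry keys consulted by Method 13. Platform attribution per the text.
DEVICE_NAMES = {
    "\\\\.\\SICE":   ("SoftICE driver", "Win9x"),
    "\\\\.\\SIWVID": ("SoftICE video driver", "Win9x"),
    "\\\\.\\NTICE":  ("SoftICE driver", "WinNT"),
}
REGISTRY_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

# Constructed sample buffer (not a real executable): an ASCII device name,
# a UTF-16LE device name and one registry path, padded with NULs.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 4
    + b"\\\\.\\SICE\x00\x00"
    + "\\\\.\\NTICE".encode("utf-16le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x00" * 4
)


def extract_strings(data, min_len=6):
    """Yield (offset, text, encoding) for printable ASCII and UTF-16LE runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16le"), "utf-16le"


def find_indicators(data):
    """Match extracted strings against the device names and registry keys above.
    Comparison is case-insensitive because both Win32 device names and registry
    paths are case-insensitive."""
    hits = []
    for off, text, enc in extract_strings(data):
        low = text.lower()
        for name, (what, platform) in DEVICE_NAMES.items():
            if name.lower() in low:
                hits.append({"offset": off, "encoding": enc, "indicator": name,
                             "method": "11 (device open)", "platform": platform,
                             "what": what})
        for key in REGISTRY_KEYS:
            if key.lower() in low:
                hits.append({"offset": off, "encoding": enc, "indicator": key,
                             "method": "13 (registry lookup)", "platform": "any",
                             "what": "SoftICE installation path"})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in find_indicators(SAMPLE):
        print(h)
```

A hit on a device name tells you which BPX from Method 11 is worth setting (the
'NTIC' form only matters on NT), while a registry hit points at the _regopenkey
breakpoint from Method 13; a program with neither string may still use the
VxDCall path of Method 12, which this scan does not cover.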

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>