<TABLE width=500>
]! C, d5 J! c, i<TBODY>& M8 j; D w% V2 ]+ G
<TR>
- t' |- Z# `' }" S0 ]. \<TD><PRE>Method 01
+ t) z$ V# x- m8 H- `1 \8 q% H=========2 }+ V1 e- c2 U% E8 B" j' }
5 k# @* @9 {7 I9 `" nThis method of detection of SoftICE (as well as the following one) is
& Z9 E. c C6 y; x" v% Xused by the majority of packers/encryptors found on Internet.
0 _: _4 s# G6 bIt seeks the signature of BoundsChecker in SoftICE
' E+ _! j) y, ]; F3 |) x. W! ^
% H% n4 \* a! ]! K mov ebp, 04243484Bh ; 'BCHK'
/ f" ~7 U) L% k/ V mov ax, 04h, b1 I# v: S3 k1 l
int 3
' P6 }4 y4 R3 k6 w/ `) H" s1 b cmp al,4. h5 q7 M( Z0 s. e9 n2 Q
jnz SoftICE_Detected
" A4 s& M/ b: T2 e7 K
# U& A' p; |% ~) I* s q* Y6 c___________________________________________________________________________, Q9 `& Y# b6 B F$ K
& ~, N2 g' k& s( S; W3 lMethod 02
) ]! q& Z5 e2 Q/ W=========
' ~# d" @6 U5 s6 r" d5 M+ T; v1 t1 n, d
Still a method very much used (perhaps the most frequent one). It is used
- f; ?; n0 R9 O: T9 Q0 |2 p" zto get SoftICE 'Back Door commands' which gives infos on Breakpoints,. j2 T$ y4 {/ ]6 N
or execute SoftICE commands...6 G" U* E+ \# Q$ t4 n
It is also used to crash SoftICE and to force it to execute any commands8 f) _( r) B; I5 z
(HBOOT...) :-((
8 T) H8 d# o$ I P8 x) M, b# ^& ` j0 t; t# L3 \/ a/ p9 d$ v- B
Here is a quick description:1 ~2 K O8 H' Z. V. g3 F7 Y! \
-AX = 0910h (Display string in SIce windows)0 A' h5 ^( u/ P% q
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)& j- X, l- ~" W9 J
-AX = 0912h (Get breakpoint infos)1 `, E2 A! z, j; X, F+ Q% t
-AX = 0913h (Set Sice breakpoints)
; B9 _1 S9 ?& |& E7 V. t-AX = 0914h (Remove SIce breakoints)
: K& C7 X ^ a! |$ ]" _* h4 _9 r; e9 p( Q2 b D
Each time you'll meet this trick, you'll see:
% z9 t9 c+ B" k: ]" u" i: d-SI = 4647h3 k0 i, V3 s8 n. U1 c! ] X: e0 p8 x
-DI = 4A4Dh0 b8 y8 x6 I9 P9 d, L* E
Which are the 'magic values' used by SoftIce.
5 M7 Y' V8 J: [3 iFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 P! |* O7 K j# @9 k6 K
) }* s8 m4 T* P' f: {+ GHere is one example from the file "Haspinst.exe" which is the dongle HASP
/ q% `: ^* V0 U5 G4 D8 REnvelope utility use to protect DOS applications:
) i! a- Y I) }! k" v. Y% y- q! Z- F) a, T1 E7 A: Y
+ x" F1 N) Z4 c
4C19:0095 MOV AX,0911 ; execute command.$ I4 J* H. [0 X- b: ]+ s
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
3 P- g* `' y6 d& V) M# y4C19:009A MOV SI,4647 ; 1st magic value.
+ A3 d$ p5 z: y. o4C19:009D MOV DI,4A4D ; 2nd magic value.( I# u- ], @+ x+ P' _+ C: `
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
( q3 f2 A0 M$ c. G# g$ Q5 O4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute3 \7 t5 A) F' r! m# ?+ M
4C19:00A4 INC CX9 C" u0 {+ x6 Z
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute& b2 b9 C1 u3 V9 F3 |
4C19:00A8 JB 0095 ; 6 different commands.
' n* @% a) }5 n! f2 a+ C8 U4C19:00AA JMP 0002 ; Bad_Guy jmp back.7 m. k9 \, p9 l' | Q) [9 F
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
+ V) Z6 H# D$ I9 D% X( K I% \2 l9 ?- N2 ~: b( C! e
The program will execute 6 different SIce commands located at ds:dx, which
' W& g2 a! n; q9 y& `8 K' W9 n0 J [are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' n1 X! @" U- Z0 \
; ~; g' R$ i* w5 a* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.' b3 o- c! `6 G) i3 r
___________________________________________________________________________# U- L# t& y1 ~. ~6 h
' E, l; C0 H( q8 q4 e( c o$ ?. {' c4 v
Method 03
# w) S( d7 s( P% }) U# @6 m' I=========
2 j; r. x! |& v. |" @* P
. C5 K1 ^# H0 X6 T7 {. s. P2 mLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
4 g% t) K) a' l" Z3 H, P* B(API Get entry point)7 J c+ Y+ Y! F6 B6 Z1 F" q$ o) ~
6 o, ^) K: R4 s3 E2 O' A: Q
: N0 u( n6 ~8 Q. n xor di,di
- s, F2 Q- A! U3 R mov es,di
0 K1 Z {9 {5 a9 l- Q" i mov ax, 1684h
* K) `; j2 S0 B( m. d mov bx, 0202h ; VxD ID of winice
' v' F8 [) A$ r1 q int 2Fh7 p; t) s9 o" i; S! c5 ?1 s
mov ax, es ; ES:DI -> VxD API entry point" ]: i% S U; Q2 X8 s2 c( n
add ax, di0 a, M: h) s3 X' P' w, |
test ax,ax
9 y5 D v) d/ Z; \ jnz SoftICE_Detected
1 o' H3 s0 W6 e
* G* M* {; }3 n/ |# Z___________________________________________________________________________1 w5 |9 Z C1 c; }" A5 A1 x' H
6 e# I7 ~. j* V/ z# X
Method 04
7 G4 m8 d6 |- A0 w2 n# m4 N t========= o1 D2 p1 @ R
. G$ U8 i4 A+ Y) I g7 e
Method identical to the preceding one except that it seeks the ID of SoftICE, E' K- D, Y2 ]3 t8 |
GFX VxD.
, G. z+ {, {4 Y; S9 A( S' F, i9 i! Y2 T# i' t
xor di,di
# t& ~: E% {6 Z. C9 z% p2 ~ mov es,di) k, S, C+ S$ J$ `. @/ J+ @6 I0 c
mov ax, 1684h 7 K3 ~" @8 P% k; X" g8 K, |
mov bx, 7a5Fh ; VxD ID of SIWVID
" o: E' Z, v0 h5 }* M. W int 2fh& F. z( E- h) H& w1 }5 I
mov ax, es ; ES:DI -> VxD API entry point
$ H# Q I2 t& v4 V7 l add ax, di
* Q3 V3 l0 @) L5 d, W+ o' C test ax,ax" A' n4 Y: I% B- e' U+ N; N3 c
jnz SoftICE_Detected' K5 S5 O0 x" m
! i; i4 X v# \! r0 f3 P% P__________________________________________________________________________( r7 [% l. p" u% M
0 S8 h9 c0 q/ ^6 s9 G: @- g# `# A9 a) t# T! @: r/ D
Method 05% J5 h5 i/ o* [& b8 B
=========5 U7 x( z# q9 L% P0 U' j5 d
2 T6 y0 b3 b2 C2 q$ H2 i$ I
Method seeking the 'magic number' 0F386h returned (in ax) by all system
( P& @0 R8 e% F8 Idebugger. It calls the int 41h, function 4Fh.0 T( Z# P( K- x9 }- c
There are several alternatives.
9 c: V7 _+ ]6 [4 q! r x, M1 u5 ~( p+ Z2 G
The following one is the simplest:
' ] x6 G+ B0 b2 F% E b2 c$ G8 G; H, n9 E) W# f
mov ax,4fh
% D* ]) R' ~4 `. Y! {4 O2 G! J int 41h" ~: w( e6 n& b- H% r8 _2 |
cmp ax, 0F386
# \7 O( G7 `1 Q' | jz SoftICE_detected. m+ ?% [1 H3 [
& Y/ e" `$ d" D& q6 _! `) q$ X
+ E, \* g( i( D# ?8 L0 n+ y6 q
Next method as well as the following one are 2 examples from Stone's
: W$ Y ]$ Y' Q7 v* O) U+ I4 @"stn-wid.zip" (www.cracking.net):" G' k- j5 o+ F1 p
6 `2 k5 }% Z1 i/ [
mov bx, cs/ K# W) T) N; r& y( F y
lea dx, int41handler2
% B# y1 @9 x' n. K1 H# { xchg dx, es:[41h*4]
3 e. v k( o: m0 o3 R# Q/ i- T. j' X& f xchg bx, es:[41h*4+2]* }& W( V0 [* u9 a
mov ax,4fh# a, V$ h i7 ?
int 41h
3 s9 B8 o$ u' M' a* _. c xchg dx, es:[41h*4]
' O0 Y' n8 {& e9 w' m$ F" [. S7 X xchg bx, es:[41h*4+2]6 D4 o0 @5 z _5 M
cmp ax, 0f386h2 I9 h. i& M# g8 \( x% z* U
jz SoftICE_detected3 x5 v/ M$ _. }' N4 K. ?
- v* c9 K% d% \5 T6 r. }
int41handler2 PROC
5 p; L$ N( Q( @* H2 ~ iret8 r2 } j1 ^, s8 U7 k) f# @
int41handler2 ENDP+ G, @, o+ H. v7 K1 [7 s
: t# f: p* ?8 B& R% K9 n4 y
, X5 r) d, C8 S6 B
_________________________________________________________________________
. F n& u' c' E; U# H2 b) w1 v2 Y7 Z: q9 ~
5 |! u- X8 E6 IMethod 061 C+ x0 @0 r: Y2 E, Y1 Z1 J
=========
& I2 ], t. m5 \% |( A
6 \. E; p5 v2 v8 P# w1 r0 r
3 c% c2 y4 @7 y7 E, J7 v$ Z/ V8 C2 F2nd method similar to the preceding one but more difficult to detect:5 E% x" Q% A0 {
. `, \4 L# ]5 a# l5 l
' q6 I8 g5 j, N% d" I1 |int41handler PROC% t8 |, j, n/ K2 F+ N6 P- n% a, U9 q
mov cl,al
8 b+ b2 n- U6 v iret ?" T" n9 m- ^& D5 O: { T* \
int41handler ENDP5 J( @: I8 ^ d! S( L1 c1 C
) j& m, P7 N/ Y/ _; y
* m9 i+ ]# h9 b3 ? xor ax,ax; I& X/ x$ N }# j
mov es,ax9 Z8 l }: P5 H4 ]
mov bx, cs
9 H( g) Q$ w! t/ C( Z3 E, r lea dx, int41handler/ _6 W9 O& K, I, }: h
xchg dx, es:[41h*4]4 q$ c" f3 S* ~' D' a6 x
xchg bx, es:[41h*4+2]
" o1 I& R6 V7 ]3 y5 z in al, 40h: s, J r2 W9 k4 B5 X* v6 w- A! [- Z
xor cx,cx1 T# d5 I% H/ ]
int 41h6 T% ?$ z0 V$ f4 ?
xchg dx, es:[41h*4]1 U, m: u1 w4 {4 w
xchg bx, es:[41h*4+2], k* a* N* y0 r7 F: r: h8 ? v
cmp cl,al
: p# |5 L5 ]* D. K$ T- j8 d jnz SoftICE_detected
4 _& L, l5 P1 w+ \+ R7 q) U t, H" d# }- p
_________________________________________________________________________0 H4 D4 L s. C* I/ Q9 A
2 f! F+ _0 u) b2 d4 t' T9 ~Method 07
3 F7 r7 q# b/ T' c+ v+ d=========( a' A. q Z: I4 \$ ~5 e
' u# P# J$ T8 C! |) eMethod of detection of the WinICE handler in the int68h (V86)7 ?1 n* y* l+ i( @
/ G$ U I) ^3 B mov ah,43h
4 r& g" W$ t( S5 x5 m0 b8 q. N int 68h
/ i2 [' B9 @ U0 z cmp ax,0F386h7 O- O$ R! V' L i. ?6 ~3 g- F
jz SoftICE_Detected- B& h7 _3 `/ M( b
8 A7 z# o7 q) ^
- h. x( ?# a& ~( l5 v=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit! S1 b4 m) C$ o/ g
app like this:
3 `* b1 y+ s8 }
9 a! Z* j+ s9 v& F BPX exec_int if ax==68
+ P6 Z+ H$ v/ T% H (function called is located at byte ptr [ebp+1Dh] and client eip is F4 A1 f1 w; a4 i- h
located at [ebp+48h] for 32Bit apps)
v d$ [0 R- {. X# i% D6 S__________________________________________________________________________: y" M `- [4 o/ R
* l8 E3 o2 A+ g& F1 H; g: K) X2 Q" {/ A* Y# V
Method 08
. W/ l. a( R% D8 N=========! T# s/ N& h3 Z% G
2 W' k! `9 c& {, l, _, K
It is not a method of detection of SoftICE but a possibility to crash the- j: z, _6 ~% O; l3 E! A6 q8 e
system by intercepting int 01h and int 03h and redirecting them to another( E w! _; N0 f, S2 c
routine.
# X( T% R. B' S! a4 nIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
6 H1 {. E% l3 ?; j4 @to the new routine to execute (hangs computer...), N9 \" F; M z5 L4 h" @
, X6 Y; \& S, F6 F1 h1 Y mov ah, 25h
/ r0 Z7 h9 y- A# a$ g, | mov al, Int_Number (01h or 03h)
/ ~+ p2 e6 l. b7 _* M mov dx, offset New_Int_Routine
9 u7 n$ m* K0 s% u int 21h
- L& B7 x! F! ?1 a' X! q( \/ r. m( L7 ^: V6 Y' _
__________________________________________________________________________
, k' Y) @0 p9 J: Q% j$ B v/ e9 m" n5 k2 j. u
Method 09
4 k( i3 v% ]1 O=========
5 m& _6 g4 e( F6 U7 N7 k P% |
5 b( ^; p1 H* {: r P2 KThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( n( l' R: E3 A
performed in ring0 (VxD or a ring3 app using the VxdCall).
$ q* a. p, j/ g. NThe Get_DDB service is used to determine whether or not a VxD is installed5 }7 E$ o) t: u
for the specified device and returns a Device Description Block (in ecx) for9 J" Y: N# L8 ~2 z$ `
that device if it is installed.
, O1 f; q/ ?8 J- z. T
+ J& F( e) @6 f( P4 I( e3 p0 x. x mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 v6 v% i$ E/ z5 ^+ G1 u, e. Y% m mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-) z/ m( m; |3 c( V# r; }) N4 l
VMMCall Get_DDB2 X9 ]6 S; I5 i& S
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
! b6 E+ a7 X+ V0 ?4 f2 V% k! x3 X( G# K( O- Y
Note as well that you can easily detect this method with SoftICE:
/ i5 n0 Y) M6 n/ F! T bpx Get_DDB if ax==0202 || ax==7a5fh5 A7 h( \& M3 h& K1 g z
/ b% H* `! [4 Q% J/ M2 ?__________________________________________________________________________/ a5 D' C9 E4 e
7 V; z) ^. \/ W& XMethod 104 f& n/ K% p2 f; b! m2 b! q
=========
8 D. M9 f8 M; m4 |+ n! z" o9 x$ |! c+ Z
=>Disable or clear breakpoints before using this feature. DO NOT trace with z/ e3 u# L* o- r& C
SoftICE while the option is enable!!
7 z9 r* }) w& @+ K0 f, _* N+ j* H8 `: ]! v
This trick is very efficient:
) w: ^; { h4 z2 J% _1 qby checking the Debug Registers, you can detect if SoftICE is loaded8 Y* L( ^3 O- S% S0 X
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if M5 G" s. }1 v$ h& E' n
there are some memory breakpoints set (dr0 to dr3) simply by reading their- M$ y% z' l8 }1 u5 h0 u9 Z: J' h1 H
value (in ring0 only). Values can be manipulated and or changed as well) r* n* [+ f2 W2 g, d: G3 d
(clearing BPMs for instance)- f1 V2 R/ X' R+ z& a
4 n: K) C& a! r. B( G
__________________________________________________________________________& J$ g! |( [0 e! `- y9 F# R0 K
; o0 M" e6 c2 Z
Method 11
. ?; d1 }: W- [5 Y4 ?( d) I: f=========
g) |1 c/ K# d9 g2 M9 H2 P: e" t/ f
This method is most known as 'MeltICE' because it has been freely distributed
% s# N; A7 u0 `% xvia www.winfiles.com. However it was first used by NuMega people to allow, s5 g4 @& D: x. E: K3 a& _% J
Symbol Loader to check if SoftICE was active or not (the code is located
: E/ E' G. G E7 J2 K0 dinside nmtrans.dll).% n+ L% k: K3 n6 E6 D& `
, U# o2 G' ~) P
The way it works is very simple:
0 @7 Y7 f# q9 Y3 N: V8 G2 DIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! B% t/ i( ^7 `; U1 s, T* P2 N* iWinNT) with the CreateFileA API.# [5 X R9 d2 `, v; j4 k
+ l# w, \: @ E1 q7 E! I3 c
Here is a sample (checking for 'SICE'):
8 |0 ^7 b: @2 ^$ u
5 r9 }/ V' w$ `5 Q% x6 D2 ~; SBOOL IsSoftIce95Loaded(); J, M3 T# l7 Z$ E- m2 ]" `4 E
{
& _" b5 ?2 Q% E1 v HANDLE hFile;
( o7 V$ n3 Y" f4 M0 k; [. u hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- W/ d2 s; x: ^! K. P$ B: n
FILE_SHARE_READ | FILE_SHARE_WRITE,# e2 H5 s8 H& Y v
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);2 V; f; v ?! [$ Z9 w
if( hFile != INVALID_HANDLE_VALUE )9 o# h( Y! d" h& o
{1 W' s$ V1 D' p2 b5 c3 ?
CloseHandle(hFile);
# c5 q7 W$ _4 W3 k: R return TRUE;* W. l( h6 E% d9 Q. {+ r$ p$ ^
}
4 s. }8 O& |6 d: ]' N return FALSE;8 R9 K& h4 w; d2 W; n' M I
}
8 X# e+ D6 X% f. X! ?) [# G) {7 l; ^$ f* Q' @, p
Although this trick calls the CreateFileA function, don't even expect to be
! `, Q* a6 B* M. X& p/ @, Dable to intercept it by installing a IFS hook: it will not work, no way!7 A1 a8 O# ]6 c: G/ g9 W0 l. \' ^
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
" H8 }. s! U+ Uservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)! n0 c w! w( h3 {& }# i" L
and then browse the DDB list until it find the VxD and its DDB_Control_Proc1 g d8 c1 n: v4 U! B6 C
field.% o% O5 S: p+ M _
In fact, its purpose is not to load/unload VxDs but only to send a 0 q' Q, }* z5 R; D N
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 o1 ?: o+ z' z S3 ?# \2 g; Yto the VxD Control_Dispatch proc (how the hell a shareware soft could try& U1 ?# M& W: J' a9 D2 g; x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).) v2 H. } F$ P) B
If the VxD is loaded, it will always clear eax and the Carry flag to allow% @9 N2 b. k$ {
its handle to be opened and then, will be detected.
) U, n/ l8 }. W5 n0 j* F6 nYou can check that simply by hooking Winice.exe control proc entry point
9 r" |$ z: G6 E* ywhile running MeltICE.8 W& @8 r2 D+ u& p* r; @
1 ]8 ^, W0 k% n
# P( e/ V% ?% c$ L
00401067: push 00402025 ; \\.\SICE
) t9 o% x) N6 M/ h$ X0 h& W3 C" w 0040106C: call CreateFileA; l6 K0 L* D$ o/ v+ \( D
00401071: cmp eax,-001
/ R6 v1 q* e X' ]0 O) f 00401074: je 004010917 P, X* K4 b o7 w. S0 o( E$ q
1 z9 @8 R! J* y) ?5 n
6 a" j. q# Z: Z. g- _
There could be hundreds of BPX you could use to detect this trick. z( E& r$ _' z0 o
-The most classical one is:+ ~% u% f7 l5 m$ i1 M- N& ^& U
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||3 t3 U ]" q) N' K/ Y1 D$ E2 l
*(esp->4+4)=='NTIC'. P( T, H2 Z8 h3 E8 L! @& t" H
- J9 b! K5 k+ ^
-The most exotic ones (could be very slooooow :-(
* x$ y8 f9 ^0 ]6 J. k BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
$ Q3 Q0 I+ z5 m; p, Q ;will break 3 times :-(7 Z) I M3 n9 |9 X- ` s
. Y' j% W% p% H/ Z-or (a bit) faster:
8 B }# E( }5 R5 y+ L P BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
( P+ Y6 k2 J) N' r: ]
3 S, h3 p% B; E& P BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
; u' O- \2 ]8 Q4 ]0 R- A/ @/ h ;will break 3 times :-(4 ?2 e5 [8 T. P2 c- f5 y" \
+ A" ^; `2 \, a1 Y# p-Much faster:( Q1 h% f) D7 J ]- c2 d. R, h2 I
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
3 i2 J1 Z; A9 n; q& F {4 L% ~& ]! H. k" |! ^+ H
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen% j |, D0 r1 X. g+ W+ b
function to do the same job:
+ R( d) k7 r' d( f: A; Z ?( d0 V2 _8 J2 s/ Z% p
push 00 ; OF_READ( L9 a u0 ~% ^0 p* R
mov eax,[00656634] ; '\\.\SICE',0
* w* c; A" J/ L+ { push eax8 o) t# Z H# F- X8 w. k' N, ~
call KERNEL32!_lopen7 A a* M7 E8 X) G; M- T- F( W
inc eax6 N3 c" a8 \: b$ \% A4 `$ t+ p. ]
jnz 00650589 ; detected. Z( Q) L" r0 O3 a
push 00 ; OF_READ
# s5 O4 A/ G( S' `+ f mov eax,[00656638] ; '\\.\SICE'3 K6 T3 C% T) j: ~0 n
push eax
% f: I3 M% R" ]7 g$ \& r3 o: X$ m call KERNEL32!_lopen0 X |* t+ ~: V. E1 R2 c
inc eax
% g N9 c0 q+ w r2 d jz 006505ae ; not detected* L' D7 m* W- r
# y& k8 D* Y5 v: V( j, [& H
$ w3 \. \+ z. q$ h( y__________________________________________________________________________
/ z/ b0 e; T" s* {3 f4 G5 ]# ^! @ J1 l
Method 12
$ z- w6 c7 A) |========= w# |- o: I, T1 M- w( F: }
+ N: y: a8 ]& N E4 K
This trick is similar to int41h/4fh Debugger installation check (code 05
" T5 Y5 k1 E* g( P0 i& 06) but very limited because it's only available for Win95/98 (not NT)4 R' r: x+ v3 D7 d& ^( X# ?7 X
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. |: G( p, p" F# y: b" g$ i( L6 V" |( c
push 0000004fh ; function 4fh- p3 N; R) ]% I8 P1 Z7 {
push 002a002ah ; high word specifies which VxD (VWIN32)% n0 h m) x. y( _$ h8 N- z* F
; low word specifies which service
1 B' }6 d# H" |# c8 F4 V (VWIN32_Int41Dispatch): f! x& T( p+ o' l
call Kernel32!ORD_001 ; VxdCall. @- J( J/ V% _6 \
cmp ax, 0f386h ; magic number returned by system debuggers
: _" q% m' P, U8 Y+ p0 l5 U; U3 [ jz SoftICE_detected
' g5 ~" Q3 n; v- v8 b; `* J9 W" m8 _) P6 d }$ _/ _
Here again, several ways to detect it:
! J4 n0 N: b |! ]- X, S, z+ ]$ y2 ?% J6 ]. t! G
BPINT 41 if ax==4f
9 W) h; g$ H/ P( _' x: I
% w- b3 r B, } BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one* u% j+ t% |* k, F1 F' R( T2 b
( ^$ m0 \# R+ j: |/ w
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A0 \' d7 s; U/ I
% Y/ o. ?1 t! W* l9 ^ BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
0 b, i% {' h/ ]) ^" F- ?5 r) h& {; B. i
__________________________________________________________________________7 Z$ ?. f" x' N0 D; ^
/ z8 p2 }$ J4 Y4 b! E: u4 G
Method 13, S u G5 B! T% B- [9 z- R
=========' B1 ]0 Z \% g6 N- j) X. z/ U1 e
" w" w% m3 s* L6 T% @% uNot a real method of detection, but a good way to know if SoftICE is" D# Y5 R; N9 z ~8 j
installed on a computer and to locate its installation directory.) w/ ?- t: r+ H& u, e3 Q; q* U
It is used by few softs which access the following registry keys (usually #2) :
+ B9 w ]. b s1 L( I. W6 F! q+ S) k) ?! x M8 z. o! W P8 ?
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion* L5 H# w* E5 s3 A& R
\Uninstall\SoftICE+ ~6 ^$ b& A$ l+ W. w2 p
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE" H- i9 N) }; b8 X1 j Y; ]
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 X5 | g" j& I1 S- Q8 o( N\App Paths\Loader32.Exe
( ]; ^4 a V" T: w) x& w6 B
3 `& w/ y& o/ d: I5 N5 T1 p+ Q F: l$ V/ q, C$ e. I
Note that some nasty apps could then erase all files from SoftICE directory o) V2 E) p0 q/ E! B7 N& \
(I faced that once :-(
7 Z+ x& c7 O! M# ^: o2 t: ]$ @( h3 D+ |8 _
Useful breakpoint to detect it:
, Q( G5 F, R- F. F& J2 N, I/ M: ]& {; ~( @! ~' e
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
/ j3 r6 M$ `: i1 h( L' o8 E4 L) f( b7 [$ K/ p/ e9 q4 F
__________________________________________________________________________
* F% A6 u1 M' B* K( R
( K7 [1 r) B7 C8 y( A& P! K+ O! A3 z3 o; \, U" v+ m. S* h
Method 14
" G3 P- l' H2 Y$ m( c=========) k5 Z8 \" F: p" {! W
# t6 F" @. \+ j& s& H. K- p
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ }" U, n; }: u: z' g" b) W# s
is to determines whether a debugger is running on your system (ring0 only).
& x4 i1 A( j6 A; N& v
! J2 Y7 X. n0 E5 ~* l VMMCall Test_Debug_Installed( g0 y9 G8 f9 E: E- F
je not_installed
Q& W) H3 r" z2 X
: l9 A8 _0 N; SThis service just checks a flag.
" L6 k& }2 ~6 x</PRE></TD></TR></TBODY></TABLE> |