<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
   -AX = 0910h (Display string in SIce window)
   -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
   -AX = 0912h (Get breakpoint info)
   -AX = 0913h (Set SIce breakpoints)
   -AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
   -SI = 4647h
   -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using a VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
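Most of the checks described so far leave fixed byte sequences or strings in the
protected executable: the 'BCHK' immediate of Method 01, the SI/DI magic values of
Method 02, the int 2Fh/1684h probe with the WINICE or SIWVID VxD ID of Methods 03
and 04, the int 41h call and 0F386h compare of Methods 05, 06 and 12, the
002A002Ah VxDCall service word of Method 12, the device names of Method 11 and the
registry path of Method 13. An analyst triaging a packed sample can therefore find
them statically, before loading anything under a debugger. The scanner below is an
added example, not code from the original text or from any of the tools it
mentions. It assumes the standard 16-bit encodings of the listed instructions
(mov r16,imm16 = B8+r iw, cmp ax,imm16 = 3D iw) with an optional 66h operand-size
prefix for the same code assembled as 32-bit, and the sample buffer it ships with
is constructed by hand from the listings above.

```python
import re

# (tag, method number in the text, byte pattern) for each SoftICE check.
# Immediates are little-endian; the optional \x66 prefix covers 32-bit code.
SIGNATURES = [
    ("BCHK",            "01",       rb"\x66?\xbd\x4b\x48\x43\x42"),          # mov ebp,4243484Bh
    ("BACKDOOR_SI",     "02",       rb"\x66?\xbe\x47\x46"),                  # mov si,4647h
    ("BACKDOOR_DI",     "02",       rb"\x66?\xbf\x4d\x4a"),                  # mov di,4A4Dh
    ("INT2F_VXD_PROBE", "03/04",    rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)"),  # mov ax,1684h / mov bx,0202h or 7A5Fh
    ("INT41_CALL",      "05/06/12", rb"\xcd\x41"),                           # int 41h (weak alone, see MAGIC_F386)
    ("MAGIC_F386",      "05/06/12", rb"\x66?\x3d\x86\xf3"),                  # cmp ax,0F386h
    ("VXDCALL_VWIN32",  "12",       rb"\x68\x2a\x00\x2a\x00"),               # push 002A002Ah
    ("DEVICE_NAME",     "11",       rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),      # \\.\SICE, \\.\SIWVID, \\.\NTICE
    ("REGISTRY_KEY",    "13",       rb"Software\\NuMega\\SoftICE"),
]


def scan(data):
    """Return [(offset, tag)] for every signature hit in `data`, sorted by offset."""
    hits = []
    for tag, _method, pattern in SIGNATURES:
        for match in re.finditer(pattern, data):
            hits.append((match.start(), tag))
    return sorted(hits)


def methods_flagged(hits):
    """Map the tags returned by scan() back to the method numbers used in the text."""
    by_tag = {tag: method for tag, method, _ in SIGNATURES}
    return sorted({by_tag[tag] for _, tag in hits})


# Constructed sample: the listings of methods 01, 02, 03 and 05 hand-assembled as
# 16-bit code, followed by the strings the MeltICE and registry checks rely on.
SAMPLE = (
    b"\x66\xbd\x4b\x48\x43\x42" b"\xb8\x04\x00" b"\xcc" b"\x3c\x04" b"\x75\x05"   # method 01
    b"\xb8\x11\x09" b"\xbe\x47\x46" b"\xbf\x4d\x4a" b"\xcc"                        # method 02
    b"\xb8\x84\x16" b"\xbb\x02\x02" b"\xcd\x2f"                                    # method 03
    b"\xb8\x4f\x00" b"\xcd\x41" b"\x3d\x86\xf3" b"\x74\x03"                        # method 05
    b"\\\\.\\SICE\x00" b"Software\\NuMega\\SoftICE\x00"                             # methods 11, 13
)

if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, or the built-in sample otherwise.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, tag in scan(data):
        print(f"{offset:08x}  {tag}")
    print("methods flagged:", ", ".join(methods_flagged(scan(data))))
```

A lone INT41_CALL hit means little, since CD 41 is a common byte pair; treat it as
a finding only when MAGIC_F386 or VXDCALL_VWIN32 appears nearby. The patterns are
also defeated by the usual tricks (building the immediates at run time, splitting
the strings), so a clean scan does not prove the sample has no such check.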

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>