<TABLE width=500>( k& q, t* a/ Y) Q" O
<TBODY>
0 D- [2 B- ^) Q) K: W: v& `+ H; H# V<TR>
$ n/ G8 R% ^& D: g' }% s7 a6 }<TD><PRE>Method 01 1 s; E5 F$ r4 w1 E* i3 u
=========
4 ~6 x$ d. }9 ]
4 T9 M' j# K: d+ E$ j: |8 ~5 t5 pThis method of detection of SoftICE (as well as the following one) is) F" R$ n/ w9 c9 o3 ^/ n
used by the majority of packers/encryptors found on Internet.
; E# B+ f; r9 S+ P0 c+ |) e# w! o( cIt seeks the signature of BoundsChecker in SoftICE
0 _1 P6 ?/ ~ W ]: M W& @
( M* [' L u5 I) v" a# i# P mov ebp, 04243484Bh ; 'BCHK') E" d# ~9 U- d$ N9 d
mov ax, 04h% x" a! ]4 ~( I5 K4 ~+ X+ _+ N' m
int 3 % g4 ?$ {3 C; r) {+ G$ K- t9 V i
cmp al,40 `+ ^% _; g5 ^
jnz SoftICE_Detected
1 ^: `+ \* G- E8 c/ Q# t8 z/ J$ ?4 \/ i7 j o1 f
___________________________________________________________________________
- H* o6 h1 b& K7 p3 A# {6 f
# k$ Q! o. N# L% C5 ?4 I. TMethod 02
1 _7 g% M( h, C4 s' | Q=========
% l- C. B9 n8 `4 K' K3 K& M
- E$ _7 O9 [3 e, W! D' IStill a method very much used (perhaps the most frequent one). It is used
2 t+ {! _7 s F+ {3 W& c3 xto get SoftICE 'Back Door commands' which gives infos on Breakpoints,( J( C3 @7 T( J: p8 n Y
or execute SoftICE commands...
' H* @% a5 o4 Q2 ^+ N" }It is also used to crash SoftICE and to force it to execute any commands) ]. b. d1 @7 l7 @1 e
(HBOOT...) :-((
$ c1 M% n) n, h4 m# l) z5 n* x) c4 U; S8 q5 O4 V+ K
Here is a quick description:; t1 q0 g3 h6 a8 h9 D
-AX = 0910h (Display string in SIce windows); ^8 y6 k. N- O% x6 I
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
) e6 z: ?7 g6 S6 i4 @# T" o. _-AX = 0912h (Get breakpoint infos)
* Q& D! K/ t+ R-AX = 0913h (Set Sice breakpoints)
4 d( u. w4 t8 e-AX = 0914h (Remove SIce breakoints)
5 M$ C9 V% _+ r# r7 i/ b+ @+ d) i. B: d! J
Each time you'll meet this trick, you'll see:5 i4 r, q4 Z/ k* H0 K6 P* [/ ^" A
-SI = 4647h
% J# ^* x3 P; ~0 ^8 @-DI = 4A4Dh6 Z; ^* l$ a6 p2 c3 R$ K O8 M
Which are the 'magic values' used by SoftIce.5 J6 a4 q" C7 G# R: b" `
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
" u! o3 Z7 }8 }( U8 L
( D: X7 o! ]5 a g1 z ~4 O5 G0 lHere is one example from the file "Haspinst.exe" which is the dongle HASP) g+ t: L4 ^; ~, Z2 w4 B
Envelope utility use to protect DOS applications:. o$ Z& V5 i+ S2 I+ e
$ @5 h/ `# Q. V6 W" S
' x# _/ P u+ R" k( \: L O% X4C19:0095 MOV AX,0911 ; execute command.2 V- k1 h9 C2 Q z8 ^, V& n" g, b
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below). t$ X$ b( i+ g: \; C g
4C19:009A MOV SI,4647 ; 1st magic value.& E8 t% f7 j) P/ C. ?( h
4C19:009D MOV DI,4A4D ; 2nd magic value.
: c7 }* x: e7 q1 J$ A7 {4 z4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*), `& j' K* }4 ]5 Y
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute- H# A: t; U9 K7 X' c/ D9 G. f; O
4C19:00A4 INC CX( S! {! n* \5 _1 {+ h+ [. q
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
$ |" i( Z8 _9 F4C19:00A8 JB 0095 ; 6 different commands.
+ I3 `; L6 j6 i4C19:00AA JMP 0002 ; Bad_Guy jmp back.$ [( G% D7 p' R: V$ |5 m
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)8 R3 S5 x2 m9 l* v3 K: [
3 N8 i, p4 X }
The program will execute 6 different SIce commands located at ds:dx, which" ^, K3 P b" G( [, I% h% p
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ o1 ^& @( U6 m8 l
8 K1 ~9 x. z! y4 r' K5 y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded./ G1 O. v- M1 T
___________________________________________________________________________" E3 ~& o$ U( Y% H
2 _8 Q& e* k, k9 y
5 Z3 S6 z; e& T* M, Q, K$ [Method 033 v/ a- E2 z; Q* Y, m* S
=========
1 W7 v* _$ N( V( W; ~- M( Y1 P# ~% H6 g9 s# h) U
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
D9 X/ x* d/ {$ e(API Get entry point)
8 A% b" E4 v/ z1 H6 z5 ]/ W P- q
- N, u8 x% b, e% r
* J$ Z3 k( h' d! A) w: p xor di,di0 Q- ~1 _" G4 y- r% q9 a
mov es,di
. Y! d# }1 {; T. E9 n6 o; ^ mov ax, 1684h ) F9 m, z1 \- T0 X
mov bx, 0202h ; VxD ID of winice& b; ]! U8 y: L* c/ e! i
int 2Fh
/ J9 T; d; x- ?& ~6 q u mov ax, es ; ES:DI -> VxD API entry point
. J; M) E3 b7 r! |& w/ q, G, c add ax, di8 S% k1 }" @! x- {* ?4 k4 ~) G: d
test ax,ax
6 j( ]6 X3 @& r( v6 D jnz SoftICE_Detected6 D- k' Z" {( y- q& P
& q( b: d, }3 m9 G$ `
___________________________________________________________________________
6 [0 w4 a9 h9 T% I, ~! Q; C0 H
5 L) P: G# J4 E ]- tMethod 04
t8 Y- K Q$ a=========
1 r- ?9 k- B l2 z# E0 x. ]7 b( G2 C
Method identical to the preceding one except that it seeks the ID of SoftICE0 Q* Y2 C, h9 z& z
GFX VxD.
# ] E# C7 `( i& f$ U8 l# m; a& R6 e
xor di,di
e; Y( B& a3 U- W# a mov es,di
: ^5 O! ^6 \& Q9 m. J$ B mov ax, 1684h
1 f) H i _, y( G mov bx, 7a5Fh ; VxD ID of SIWVID
4 t6 Y! a5 h# n* P1 |3 l9 o4 q int 2fh4 n# H* l! ~. }# ^1 o
mov ax, es ; ES:DI -> VxD API entry point
9 h7 P& M3 e/ ?* l/ ~: @ add ax, di. l- L3 r. `2 S0 i% |
test ax,ax
) M& [2 c4 G3 K: a jnz SoftICE_Detected% R$ L! B' z! E l f$ M/ |, h
7 m3 l# x# J8 B' M__________________________________________________________________________. e; l* K+ {0 z1 T! u" H
& Z+ @4 _/ |: C$ B) D$ X( P9 b. j' @: S. _: {
Method 05
5 \- ^6 Z% f9 `8 m=========
& Y2 z4 [; p( j; G/ ?4 X. m' j2 W
. [; p* i3 k6 J+ r0 a! `Method seeking the 'magic number' 0F386h returned (in ax) by all system
. F6 b" s7 r p6 v, |& wdebugger. It calls the int 41h, function 4Fh.; D# |8 P1 k( [" o
There are several alternatives. 9 s2 {# \% n" x. r5 d3 S# G
9 }" D/ g8 p5 m4 M0 p( rThe following one is the simplest:
; U2 ]1 ~% _' p( ` ~' S
# D5 m' D4 v/ g: `" M4 F mov ax,4fh
$ p+ v( \7 M2 O7 K! g/ e' t; k int 41h
1 t6 t o/ [7 Z8 E cmp ax, 0F386
) m, p2 Q3 l% ~: h jz SoftICE_detected$ O7 {5 K& A- f7 t* L$ C
" ?5 i5 R8 R% E7 V" N8 E6 E
+ q2 `/ z( v- c" v* \- S/ ]Next method as well as the following one are 2 examples from Stone's , o$ N, W* R) m4 u' A3 x2 }0 R
"stn-wid.zip" (www.cracking.net):; `( ]8 K1 _ s; Q( v
& \% W6 ~3 x' `8 E
mov bx, cs
a5 {0 o; R* v, N. L/ v lea dx, int41handler2
% n+ j2 n1 {5 |) n, ~+ M9 f4 r xchg dx, es:[41h*4]
" u) k( Z8 V4 P xchg bx, es:[41h*4+2]
% \% }2 t+ b' C8 x& j mov ax,4fh p- J3 E. |: T4 R- b3 M0 u2 |
int 41h
n/ [& f! l2 x/ m" m/ T& y xchg dx, es:[41h*4]" y# {2 P' j9 {7 M
xchg bx, es:[41h*4+2] \5 l4 Q# L# R0 g" O8 ?( X# ~
cmp ax, 0f386h
# N- T: w$ D' G8 F2 d+ x5 m jz SoftICE_detected; J$ R3 E2 \% {# E# }. g7 i
6 {) e/ U7 }' @1 o: Z; g4 y0 b
int41handler2 PROC5 D, l7 d; j3 B7 _
iret
6 Z& E5 ^, x1 P/ ~# Hint41handler2 ENDP
7 T" R; x+ T" B$ d8 H2 d# |* z( h9 x" }# }
4 r4 l. f/ V- N2 L_________________________________________________________________________& `7 a3 N' h/ ]0 S6 }
6 b1 ?- T& G* r
( Q, ^# U, x q% F0 v" o4 N
Method 06
# |. e% f4 u6 F: `=========
$ c2 x$ Y# M1 O) u; H2 b9 Y
. Q1 k3 w, I- ^, U+ R1 g1 B2 a( C, `* [( c/ n& W: k9 v
2nd method similar to the preceding one but more difficult to detect:' K# o7 t& B" _# D+ P+ A
5 f& j; d8 d" s) ^
" f* N6 v3 R; O& Fint41handler PROC
9 L# ~) v. o7 A8 D# {# \1 y7 B mov cl,al
- n' i' D7 D8 }2 A( U" k+ o* M iret* M, X" ]1 l7 N
int41handler ENDP
( l3 A5 i( q" z
6 |6 l# Z7 v! j
% J5 W3 x/ o# b+ d' V xor ax,ax, P8 R. p/ b8 N- q# S& P0 V
mov es,ax
1 a6 N) D0 i8 \, m% u1 l mov bx, cs2 I+ I& E5 O7 Y2 _) j: j, u. P
lea dx, int41handler/ x' W4 a* b( ?
xchg dx, es:[41h*4]
; p% V6 M. L5 ]' s xchg bx, es:[41h*4+2]
7 |0 L5 E t$ @) S7 g/ i in al, 40h! A1 X, y- @( h; M! X
xor cx,cx) w4 P8 ]! V5 k0 L
int 41h' B- K7 d/ }, x/ q
xchg dx, es:[41h*4]
3 z# B/ ^' N+ y. W9 p( W5 X n; J7 ]1 { xchg bx, es:[41h*4+2]1 \7 B0 `/ V% N6 v a3 D
cmp cl,al
, X! B5 k/ X( Y; U$ [ jnz SoftICE_detected! B* I( I2 D0 `, I
, V7 d U& [6 Y# F, W4 e
_________________________________________________________________________( N. Y2 ~5 p0 P d3 _8 H7 x
3 _) ], N1 t/ s& Q8 r* XMethod 071 |; V% | h: S7 O
=========
8 ~2 M6 G. P$ k+ q
6 e+ [, `& h; o' yMethod of detection of the WinICE handler in the int68h (V86)
, R' O$ E7 ]: t- B! o" t! E* R; Q5 ]7 e9 i) ?7 Y$ T
mov ah,43h ?7 |- E3 i6 G, }% F `
int 68h
% i+ D9 f. ?* v6 c1 v# C cmp ax,0F386h! J" `5 C3 C ^
jz SoftICE_Detected6 B/ p, G. m' k1 g; K; {% Q# x
# u& f+ v; A5 p
/ a, c% G g7 O. j
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit4 i; ~) b* k% {3 y( e, S
app like this:. c# P& ^' Z* \
6 _+ i, Z. J# U BPX exec_int if ax==68( j: W9 ^( l( b+ V
(function called is located at byte ptr [ebp+1Dh] and client eip is0 a6 _9 J5 l _+ L8 Q1 l. ~0 O
located at [ebp+48h] for 32Bit apps): T7 H( _8 x- ~9 l, E
__________________________________________________________________________5 t6 p# w$ g8 G3 r; Q
" |4 T4 Q3 P& W* P, }' I# l* n) S" j6 G9 e1 R
Method 08
7 l/ `, Z7 z$ D5 ~7 f=========
! r9 X& B# W7 t8 t. B
* k+ ^9 Z9 @( s4 ^( s/ ]3 @It is not a method of detection of SoftICE but a possibility to crash the
0 `6 x) l0 V) [/ m% Y7 hsystem by intercepting int 01h and int 03h and redirecting them to another
7 n" Y* c4 @# X: d2 E3 W1 b U$ hroutine.
: [& K# q2 A8 N3 HIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 [9 ^. D% S- k7 u j7 Z' J
to the new routine to execute (hangs computer...)
. T/ q- P& w. \1 P" {* G
7 A+ h4 b3 Y: } M( m/ w4 e& I mov ah, 25h
! N1 f1 K( ]' `; w mov al, Int_Number (01h or 03h); H6 \. K3 N J* Z; C
mov dx, offset New_Int_Routine9 r* g4 E1 n4 [$ r; F
int 21h
9 {# n1 @! s7 i8 H/ O
8 Q' J' ]+ E& Q$ v__________________________________________________________________________
' b0 ? N- @9 V* ~9 F% n
9 I- x8 E" g% q7 B2 M$ {* }* RMethod 09
9 D" e5 `8 _8 x/ K# o* `=========& D4 e' G8 z" a* X/ m
9 K3 w' A+ Q3 k2 hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only" \- K, f: r: {0 _+ K6 V$ X
performed in ring0 (VxD or a ring3 app using the VxdCall).
3 N& O# E4 D6 ]$ S/ E. lThe Get_DDB service is used to determine whether or not a VxD is installed: W& Q, u. p7 X+ m8 q2 ]
for the specified device and returns a Device Description Block (in ecx) for1 z5 o# l0 ]3 ^2 Q. D
that device if it is installed.1 v3 Y& f" M L7 G0 S+ ^5 e7 y; s
t3 o4 m2 u( L; u mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
5 J3 b0 G! T* ?8 `3 t. ? mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)0 |0 _6 A5 b- K" B! k" P1 `
VMMCall Get_DDB
) s" B1 W7 M: q+ v- e' B0 y* @" X mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed- L9 K8 d; h/ M/ G
2 D4 F3 Y, e( l4 k2 Z3 V$ {
Note as well that you can easily detect this method with SoftICE:. Z/ P3 v* v6 s/ A9 P$ t: F6 y
bpx Get_DDB if ax==0202 || ax==7a5fh9 q; I) R& d* }% L2 B: ]4 H0 t
) V' ?2 ?* Q" `, K# f$ P
__________________________________________________________________________
) l4 @; A- C" P8 [3 o
0 {# ?+ \% Z( ]- O6 QMethod 100 t( j& \ S- E
=========; a5 ]: N3 K/ V1 {# v+ d$ f
$ ^% @, k: Z, L$ x' {+ F4 C& ^/ \7 b: w
=>Disable or clear breakpoints before using this feature. DO NOT trace with3 V. C% D; _1 C8 w" j
SoftICE while the option is enable!!
) N8 W) x- W# a
! E+ x. W- [: O, jThis trick is very efficient:1 I9 a C8 v, p9 t: D
by checking the Debug Registers, you can detect if SoftICE is loaded
9 f& c& s4 I# [8 t- x4 H2 v(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if! ^. h9 L/ i4 z* b
there are some memory breakpoints set (dr0 to dr3) simply by reading their
8 i% Q5 F* T2 ~- x1 Qvalue (in ring0 only). Values can be manipulated and or changed as well, g: S+ |, y4 ? m: p% U
(clearing BPMs for instance)
2 ~4 L) [% Q9 z5 o
7 u6 M' A! d4 ^" ~__________________________________________________________________________
. o! ?7 |# D3 o7 z( M7 w/ S l9 L( q* a0 M- q
Method 11
4 q% s" K% l5 O! j=========6 N8 u7 s( G/ I6 ]' I Y3 y
: \6 ?' g @# h- k: \% ?; ~, VThis method is most known as 'MeltICE' because it has been freely distributed
1 J1 L% L) d2 L) e* v0 m" Rvia www.winfiles.com. However it was first used by NuMega people to allow
2 g: m# O- W% c& rSymbol Loader to check if SoftICE was active or not (the code is located/ y' E( F( _1 K
inside nmtrans.dll). e8 F% R6 p% m5 _5 V$ q6 b
( m- ~# {$ M9 K9 I1 U5 X, i* ]& [
The way it works is very simple:( S& c) j; e1 C
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ C+ H6 y- g# H- ]WinNT) with the CreateFileA API.$ d+ P! h/ K: T
9 i3 t' x) W: h) ~
Here is a sample (checking for 'SICE'):
& ^+ D: Y: A% U) B! Q7 h
9 t/ M' [7 z0 T! CBOOL IsSoftIce95Loaded()
6 h n. _' J: H# `6 h$ a9 x. B{, {2 N4 |0 Y4 T5 k% H
HANDLE hFile; / o' I& g( u) O/ r& S1 s
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
+ z+ N3 h: @4 i# w. u& C FILE_SHARE_READ | FILE_SHARE_WRITE,7 h$ {( B* ?7 l" P6 y* I4 ]2 W, Q0 v
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);# R; L( b2 _/ w: F4 Q9 t. k
if( hFile != INVALID_HANDLE_VALUE )4 [! I# u3 S. H* N! u
{& c' A( A) I# C' G+ K0 k ~
CloseHandle(hFile);+ g+ ~& R' v* V
return TRUE;6 `9 D! K, u/ Z0 h
}
7 P3 P5 A$ N7 p' T$ P0 g+ { return FALSE;* S$ G$ u4 O% }! v0 j
}
; I; R# `9 b* D+ o4 s
5 v6 {+ o% m& r$ L$ I; wAlthough this trick calls the CreateFileA function, don't even expect to be
% Y; L$ _& g4 F( f% f" I! Yable to intercept it by installing a IFS hook: it will not work, no way! ^% {" P( c; U
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
9 B9 ^4 t* f- O3 iservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: W. \: t/ M" {" ^. l4 Dand then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 x# h" H! t& H% rfield.& d7 i. i1 ]: c: g. B9 R
In fact, its purpose is not to load/unload VxDs but only to send a
+ Z- E. S6 T- L% I# J" l) }) T0 A3 @) BW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)4 _$ Y5 G3 p1 E& Y W
to the VxD Control_Dispatch proc (how the hell a shareware soft could try0 H! _! Y. A( l0 ^' X
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
& |; Y& s6 q% A# S/ DIf the VxD is loaded, it will always clear eax and the Carry flag to allow
6 G& t& D* C7 wits handle to be opened and then, will be detected.
: T7 |$ `/ `5 SYou can check that simply by hooking Winice.exe control proc entry point8 O. g# o# r, r! e" ~ U
while running MeltICE.4 x& }$ N- B8 g3 m' j
: Y2 }2 @% W! K3 y
4 Q- d Z [, V% e# I0 v
00401067: push 00402025 ; \\.\SICE
3 c* ?# a* b5 M4 D5 | B 0040106C: call CreateFileA
4 `& G- z6 {( G B m: {+ H, i 00401071: cmp eax,-001* J- t N) t# p5 {" n
00401074: je 00401091
, L3 ` C( E P7 q+ H7 X2 P+ t* ^8 X, V5 o4 Y1 G2 p' ^3 Z& a
" {8 o1 I1 M: X* Y1 }There could be hundreds of BPX you could use to detect this trick.4 `8 J- u4 j* Z+ v0 u8 r
-The most classical one is:5 @( [ J3 w, F) x. ]* ~+ K0 U" R
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
$ Z4 t2 J# p; Y' c *(esp->4+4)=='NTIC'
+ a: O" W) H6 P6 v9 m3 |3 M* Y* N6 P" C2 [
-The most exotic ones (could be very slooooow :-(
3 d& {/ M/ e1 g9 Z BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
, N4 O/ T7 u" J$ i ;will break 3 times :-(
( H' b+ C( H/ r$ C6 _
% V; z. N7 T. |: i& B( _) {# }-or (a bit) faster: / u4 S( R2 l. m9 S3 I
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')# [5 x# q; n5 T# d) ?
1 E) I' ]8 g( ]4 J( c/ T BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' & v* W" Y2 U, C
;will break 3 times :-(
% }# C! j4 f6 s6 u8 x6 d6 O# p5 Z! l% V3 M7 H
-Much faster:1 B/ z' v5 U* Y N# \
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'2 y- j4 o" Z! ?# Y* ~: l
- T9 T) q; i* N7 kNote also that some programs (like AZPR3.00) use de old 16-bit _lopen8 g S- M' d" D3 d' ~3 |
function to do the same job:# j% U) ~4 U& k, \7 r
. c/ i' h3 C" M& C- c2 C push 00 ; OF_READ1 g$ X( A# P# P+ G
mov eax,[00656634] ; '\\.\SICE',0" A+ o# Q! n- Q }: l; g
push eax
9 P5 @" C4 j* u% j& G' u* ? call KERNEL32!_lopen# f& M# L# X* }+ U
inc eax
# ]& b! N" X# Q; f$ v9 C) V6 q jnz 00650589 ; detected4 a# B( B! j: h6 W$ \) L
push 00 ; OF_READ
& R2 ~9 a0 n* G8 ?0 P0 o* D mov eax,[00656638] ; '\\.\SICE'
9 w, M( E% d3 S! z3 p push eax
# R, D) p+ Q) b call KERNEL32!_lopen" M# q8 A. ], m# v7 o( {% `2 w; P
inc eax
' W3 j0 z2 q y: W jz 006505ae ; not detected
0 z" r4 x3 E7 ^! n2 O, w
0 @9 E V8 A* O( } l& q9 B6 ~; s2 k A6 A' a/ `
__________________________________________________________________________
# X. E, c1 e1 J" R+ Y5 g) S0 r+ x) c& a7 x- ]! \* W8 q
Method 12$ W6 i( e' S1 b4 q8 i
=========
V$ ?4 L1 A6 r% w( E* x/ B# R5 G5 E
This trick is similar to int41h/4fh Debugger installation check (code 05* A; f5 b; F: I* _+ U) _9 ^
& 06) but very limited because it's only available for Win95/98 (not NT). h; G- O/ \. s8 ?' ^. D# B
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# \0 b4 D3 Y0 p; F' U" u
6 { V# Y% s% Z7 ` push 0000004fh ; function 4fh
. e* v; }' W# r* q+ v' u& A push 002a002ah ; high word specifies which VxD (VWIN32)
+ ?* y) [9 W2 S# y. v; u" `/ ] ; low word specifies which service
( y6 `/ E1 i/ z. P8 D- u (VWIN32_Int41Dispatch)
$ C% R! M" ?' c call Kernel32!ORD_001 ; VxdCall
$ W/ b$ V" z$ X$ X7 {1 T cmp ax, 0f386h ; magic number returned by system debuggers
8 `+ m& A0 Q- O. h2 ?; k. `. U jz SoftICE_detected7 D$ h0 D3 I! Z+ U# Z h u/ L
+ h- \4 M. l1 b5 d4 q9 ]) \& U7 x- t. S
Here again, several ways to detect it:
3 f7 ]8 }0 n& @
, `: A' F' N5 ^, f) r BPINT 41 if ax==4f
" a Q0 l* l& g/ i/ S6 E9 \$ u
) ?% h: g. p+ y, |& |+ z/ a BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
+ ^8 v3 _+ w. S8 o& \6 ^
9 c2 v! `3 k9 e% | BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
9 O, X8 n x6 J4 [+ }8 }1 j3 m2 S1 A9 {5 @- X7 x# @/ q) ^
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
' U5 D( Q) Y4 }* S* J
- m! u! o6 j9 l: ?% ?8 x__________________________________________________________________________
2 w+ l, p/ T& c" _% Q4 }8 g" f+ i3 O! h
Method 13
* _8 Q) J9 L- B: C9 l H$ g- c=========- f) ^+ P5 T6 N/ \. h
% ?$ e- M8 A/ e* t+ o$ l
Not a real method of detection, but a good way to know if SoftICE is' a3 p e1 j+ e- Z; j6 R
installed on a computer and to locate its installation directory.
' Z5 q5 r7 q0 Q" pIt is used by few softs which access the following registry keys (usually #2) :" F- |, V% u* `" ]. ?
' _7 V; n+ E! z. t/ ^- u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion1 W; ^$ k. I$ o* M. R7 l1 F
\Uninstall\SoftICE
9 G6 C: m( p9 ^) Q5 \/ M# [1 Q5 x- |-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 v5 g9 ]! T4 i1 Z* z4 m-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, i2 F5 d+ D" r0 ?& w. Z2 c
\App Paths\Loader32.Exe
: ^ Y: |1 U& y7 s; C) i! ~- ]3 \2 h9 g3 b% E. U
) {* F1 ` ~# nNote that some nasty apps could then erase all files from SoftICE directory
& O& E' @- a6 C a. k* H8 z(I faced that once :-(
. M4 `+ f0 B \+ d. d. V( H5 `$ V' O% {3 Y0 j+ c
Useful breakpoint to detect it:5 p% q0 r! ~, y5 p! R* ^
/ F1 }; V- A" c! N1 {& c BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'8 j+ m& t7 U4 b/ O4 @
8 }7 V; {/ _, ]2 f
__________________________________________________________________________8 C! K5 J- ]0 o. P
) ~4 q6 P; o, ^0 ]2 y! ~
" J" O5 `& A/ v0 I: f/ q7 _2 a2 v
Method 14 , H/ R% X* L" ?+ `* C: c
=========
& I0 G) N! D/ K$ {3 u0 S- _! w3 T$ @1 r) e% k
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 z/ J6 e4 `( V* p, h6 \is to determines whether a debugger is running on your system (ring0 only).5 M0 n* [8 S* v/ H% T
3 g5 d! F+ E9 S% U# s VMMCall Test_Debug_Installed: ^* }- r0 n2 ~. g' F
je not_installed
4 @/ W2 g% h3 a0 K; c" J( I- q$ H2 G
This service just checks a flag.
, s' \$ S) |* W</PRE></TD></TR></TBODY></TABLE> |