<TABLE width=500>! a- a9 p1 U) [4 t7 U5 V! P, L) S
<TBODY>
9 T) J; z, m, Y* B, n4 f( K<TR>. v/ H; u# a8 s+ k$ o
<TD><PRE>Method 01 5 Y; x+ {) u. y0 T
=========
1 c" S" W8 p3 a. ^4 Q$ ]' M: o$ w- n2 U
This method of detection of SoftICE (as well as the following one) is, p5 E- K& @, b1 q: g
used by the majority of packers/encryptors found on Internet.- z- j! f" ~0 g2 o0 n* O+ m9 J
It seeks the signature of BoundsChecker in SoftICE
! V. T( Z1 U$ {4 ~7 @9 \, z' V
4 V+ m2 x6 s, a d+ z8 [5 O mov ebp, 04243484Bh ; 'BCHK'
- B8 f, A9 i: r& J- u; u mov ax, 04h4 }8 ]4 M9 C5 V; N
int 3 & e: u: R3 w ~3 V% p. [! `. a0 g
cmp al,4' P" n$ I: k( A
jnz SoftICE_Detected
{/ t5 e7 V1 b$ s( F
& o6 n! K/ l! F7 a2 h% e___________________________________________________________________________$ @" F/ m5 n# a4 M1 c, V: j* {
4 ]* \, f4 y" a: M" _Method 02( Y3 |0 b: Q; k, p- C
=========. |# X0 _( _) S, r
# q& j2 |7 p2 a0 `
Still a method very much used (perhaps the most frequent one). It is used
2 x" s# ? u8 d; H& k" H0 Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,' B5 p7 n9 ^: Y4 J
or execute SoftICE commands...& y) [3 t8 F% Z x- ^
It is also used to crash SoftICE and to force it to execute any commands2 ?3 k; w4 v5 @& x( L( V
(HBOOT...) :-((
# U0 h% G6 L0 f U! H+ k1 @
( V' b( z+ L. |# i" c; MHere is a quick description:
; |2 A* L3 o* b6 Y; U2 p% C-AX = 0910h (Display string in SIce windows)
# O, T, {& p: @' C: H-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
k9 z, w. O& S3 f-AX = 0912h (Get breakpoint infos)
0 [ E( i% [# y& _-AX = 0913h (Set Sice breakpoints)
4 `% h! j6 A9 M. ^8 d-AX = 0914h (Remove SIce breakoints)
' b( z3 B* L. k' I1 ]+ o1 X+ b$ H) O, p% V/ W( ]; T
Each time you'll meet this trick, you'll see:( ?4 d4 t9 x3 |, H, S& n0 ]0 w
-SI = 4647h2 T5 j) ~2 m z- n$ [- \6 J7 l
-DI = 4A4Dh/ G. y6 ]$ T( R# n3 M* b: T
Which are the 'magic values' used by SoftIce.
( I8 V5 c% z* J( A" s! kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& ]7 k0 ^' c8 g" M2 a4 a; x- U. H! Z" n! M: `- b, I, c
Here is one example from the file "Haspinst.exe" which is the dongle HASP
5 Q( ? s& {5 C- QEnvelope utility use to protect DOS applications:3 {# c2 _7 g: l
/ B+ o; I+ U: s
! `5 b3 y7 p0 E* F9 y4C19:0095 MOV AX,0911 ; execute command.
$ y2 D' I$ V2 G# L. [' Z4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).7 b# B: D: k* S l' `5 w& ^* n. ]
4C19:009A MOV SI,4647 ; 1st magic value.
0 E7 T: n+ X' u: }2 {4C19:009D MOV DI,4A4D ; 2nd magic value.' s* E6 M! ~. b2 d) d& q
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)( ~3 p" W( T t: i
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
n, [- D m8 `9 r; ?4C19:00A4 INC CX
! d7 C, d: u$ @3 Z- q4C19:00A5 CMP CX,06 ; Repeat 6 times to execute/ Q6 n7 N2 O/ z6 e
4C19:00A8 JB 0095 ; 6 different commands.
- J2 R* s1 c; G4 |! {) F' v4C19:00AA JMP 0002 ; Bad_Guy jmp back.
/ F5 c. U$ U; R E5 Z4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
8 T l. _$ b6 {+ L" ?1 c/ ~4 |6 A4 @" S5 [' W% M0 n
The program will execute 6 different SIce commands located at ds:dx, which) T. @$ k$ V/ Y1 ^
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT., |7 I# Q0 H9 n2 I; J e6 V! R! t
6 r* G1 ~7 |0 ~' k* E# E0 M# u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; O" B3 U" I$ B$ l2 R
___________________________________________________________________________
9 Z0 L1 N' B: p8 ]2 d
- j/ y/ \& w6 `3 \ H0 P
& X8 B, ]1 |/ c% ~( T8 m+ F* vMethod 03
; L7 U4 l, k- M$ |, G7 ^6 h=========) x: `# X$ J4 ]- t: i0 p
3 M- }1 n B/ Z* k5 S6 B# K
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
- S3 Q+ X; Y# J! {(API Get entry point)7 b5 ^, n4 q5 q% C
4 ^4 F O6 b9 @: a3 J( [( e
0 D5 |6 b) a- d z xor di,di% Z+ o$ N+ F8 x7 p; S
mov es,di: S( U, \- k% Y: ]9 T
mov ax, 1684h
1 E% w7 t5 a" _3 X! S4 h mov bx, 0202h ; VxD ID of winice
5 b& I& q+ b+ [& y6 d int 2Fh
% A/ g/ e. T) J) d, t mov ax, es ; ES:DI -> VxD API entry point
) v* N# B9 q$ V8 Z: L% p- K add ax, di7 F& a' i% A3 _4 @: U6 ]+ J2 {
test ax,ax
: j A7 z) T+ w/ }& s$ P. n" \9 g jnz SoftICE_Detected
- \) U$ M7 D; T* P) I( H$ _, G! l' a0 h3 ]+ V( c' v1 Y
___________________________________________________________________________
! r, E8 \* u! W( b' |! \+ ~6 L, O; v: m1 w3 H- p
Method 04
8 B4 `& X3 i4 i- R9 Q1 o- l=========
1 {4 H O9 X* M% e+ E1 h
+ E; _) }5 {1 b, O [; uMethod identical to the preceding one except that it seeks the ID of SoftICE5 C- C4 d9 S7 W8 ^8 E6 y! C/ q
GFX VxD.
1 H: u. o# _! V. A5 S) _
o8 Y. u5 @# ?4 e7 S. l4 D xor di,di, R9 x+ z( X8 b4 Q
mov es,di) l1 j2 g/ V4 U. R1 u8 a/ q
mov ax, 1684h
) C. m; a: Q4 Z# N mov bx, 7a5Fh ; VxD ID of SIWVID
+ E, W6 _# S2 p+ _! Y' a int 2fh7 ^5 N, m4 Q6 z4 c4 V) M9 E
mov ax, es ; ES:DI -> VxD API entry point* ~( h( W) j* b$ E, a
add ax, di7 b4 }, c# g; `6 r
test ax,ax& N/ j0 k2 `, q( s
jnz SoftICE_Detected
7 K: D6 t+ e8 L, E3 w8 }! A' A& o( L9 B
__________________________________________________________________________8 L! g" g* O2 }
- ?) q* h3 M, W3 t& F
1 S, {. S4 Z3 w7 D* T( ? t) n+ QMethod 05
t* z2 Z; c0 [ @========= ~& Q" V$ c7 }) j% }; \1 c' T
- |8 Y, ]: f/ h
Method seeking the 'magic number' 0F386h returned (in ax) by all system. T8 Q/ i6 {, s; F# ]6 G9 }
debugger. It calls the int 41h, function 4Fh.
3 i9 W8 ]. x3 [/ zThere are several alternatives. # F2 f* G% V* _' w! S$ U7 m
2 \3 s6 ^+ a% M: d$ [% F
The following one is the simplest:
' J8 T4 n* T. b& n9 |! O) ~% c+ G! d7 E
mov ax,4fh
& l6 k0 W/ z' [0 i' ?) ? int 41h' E& K7 I! i+ `% t. ^6 F: D
cmp ax, 0F386
$ r+ G" n9 X2 Q" t L jz SoftICE_detected
! j5 g U" y$ t% J- O2 i4 k2 x" g; u: g. }+ p
& m1 Z$ g% y! f
Next method as well as the following one are 2 examples from Stone's ! L% e3 M2 g! w' T8 h
"stn-wid.zip" (www.cracking.net):
5 I5 f4 w) B" t: [. B; q3 A; V* z4 c! ], m6 s' x
mov bx, cs
: @ i4 N4 P: _7 Y7 c lea dx, int41handler2* Z" R! m5 N! [
xchg dx, es:[41h*4]
P" j4 `' T9 Y' f- o: a# j ? K xchg bx, es:[41h*4+2] w3 t7 S8 [- P4 u$ r1 a% o
mov ax,4fh. E( b. d" }" C5 R( Q% N s
int 41h
7 Q: u9 G& P' n( G9 j8 r xchg dx, es:[41h*4]- w! L* N, o; }
xchg bx, es:[41h*4+2]
: U- P) Z# T- M: y4 `( G6 U' l cmp ax, 0f386h3 ~5 ^( V# b8 g6 y2 X; S
jz SoftICE_detected
: f3 c- m) e' j3 V% i$ d/ P: j, |
7 f5 r! D8 @* S3 k8 @0 _int41handler2 PROC
/ h x: |$ {( z/ o1 f iret, T2 [# o( M8 u. j7 l
int41handler2 ENDP
3 y& _3 u* S6 n! M
; I4 _+ B" q+ E- k' j; D. v0 I! [/ T- E, u) [( n! `6 Y
_________________________________________________________________________$ Z: N+ ?) `3 ^. T4 H1 S6 U
% a; I. ?0 q! a
; t/ {8 j) ~4 f+ f* [; j1 JMethod 060 }& U \, M$ Q+ ?2 p" E& R; }
=========9 h) E; p* b9 K X/ g% C) U& V
% m8 W! U: P5 z( S/ y
( h& t4 A* h! e; x: Y) a2nd method similar to the preceding one but more difficult to detect: D: u/ C* ^" V4 I8 i9 t6 [' l
8 k1 [; y/ }) x3 H$ }( H" E/ w8 {
- w3 w) y. b( w6 Vint41handler PROC* d5 @ s( t" c' X @/ `
mov cl,al. v. W3 i4 T1 g
iret
/ p& I. M! _$ h! P, Eint41handler ENDP' P0 Q0 [# q, G$ f6 j! y
c: a! {& M8 [& D
& Z8 V6 [/ h% D N xor ax,ax
. @* k5 R2 O, y* U3 K( _ mov es,ax
+ Y% r, n& ?, E4 y \ mov bx, cs# P8 Y' ?* W2 z* V: L$ c: ~2 u8 b6 C
lea dx, int41handler- I9 ?0 M' n$ I( Y; @3 ^
xchg dx, es:[41h*4]/ h: \- z2 h' s: H* j
xchg bx, es:[41h*4+2]' x! y" k3 j3 v$ C4 z, l5 S- ]
in al, 40h, p# v$ J8 { v) O
xor cx,cx
" j; U+ `5 m* K int 41h3 [" Z/ [! ?! s+ O% c1 M% o9 z
xchg dx, es:[41h*4]# o3 i% R8 a# R
xchg bx, es:[41h*4+2]3 \' @/ I1 f" f. e
cmp cl,al$ c6 W5 s& D2 H- M
jnz SoftICE_detected
. ~' \: W# w: x4 k; r& q4 c1 w/ @+ j) L9 K5 L% o
_________________________________________________________________________$ ]8 g7 n5 h: |9 U6 k$ \
' V+ g$ k2 D+ I- \! U6 n
Method 07
) K7 } h3 [( M, i8 K5 Z=========
$ _% ]) }% P. d( d; A6 O$ R! v, |, F; S6 l
Method of detection of the WinICE handler in the int68h (V86)+ h4 s7 s8 u, l
& Y* a2 [2 v/ m" R, ^9 r2 E1 d: T mov ah,43h; g( q$ U4 K( v( O- O/ T1 e+ f& ]
int 68h
- }" Q8 r4 O% ]$ C8 `( h: c7 D. L cmp ax,0F386h4 y7 F7 U3 o0 V$ G7 h' P/ N
jz SoftICE_Detected
, j3 r# q1 l8 |+ l, |# k
1 a9 m5 \2 B5 r3 [4 b5 W' N
- ?$ U" r/ ?, o* V- ^$ I. s" }. i=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
, A- m& Y: ]7 \/ F app like this:
# V& r1 W+ e) v6 w2 v: K, p! g# G% ~. i3 {, E( E: w
BPX exec_int if ax==68( s) o+ a& D) f+ K
(function called is located at byte ptr [ebp+1Dh] and client eip is: }% R3 I1 M) k2 e8 z. z% c
located at [ebp+48h] for 32Bit apps)! F! V9 r1 }" O; J2 t$ T$ J
__________________________________________________________________________* H" [9 A# S5 D8 q
, w$ c* H, Q0 A: w- x
0 _/ k' u9 k# _2 y
Method 08
; ?+ t$ `+ {3 |=========) L# ?( Q; f* I: m5 F' i
9 V; ]9 y( w9 d. J# X7 g7 w/ |
It is not a method of detection of SoftICE but a possibility to crash the3 x$ p c& Q1 G0 Q+ X [; w. Q
system by intercepting int 01h and int 03h and redirecting them to another- D3 A) R; Y$ T/ \
routine.
5 \, ^0 h) |9 ZIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 A/ X! b8 Q7 y! w, G3 [to the new routine to execute (hangs computer...)0 r2 L: F0 \ Y/ t
( b$ ^- ^# E, T: o! _3 I9 e
mov ah, 25h" i$ X4 C. F% q2 o9 f6 V
mov al, Int_Number (01h or 03h)
% j8 {' B8 J# r1 z- y3 Y/ D7 g/ Y: f4 ] mov dx, offset New_Int_Routine
* ?) M: p; U* S* L5 d int 21h
+ g' X$ w2 s. ]* m! K `& M1 ^% t: O+ p$ E/ }
__________________________________________________________________________
- C7 J4 o c& A
( _ N8 |$ {# ZMethod 09# q( {3 B' H; [. Q, @! Q* K
=========
& z+ L1 ?+ V: {; w: C, Z, G
7 @: I9 J0 y# a4 h$ f4 [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
( q" L! C1 }9 G# o/ ?7 {performed in ring0 (VxD or a ring3 app using the VxdCall).
: @1 G( m7 }3 W2 B& o, [; C; B: KThe Get_DDB service is used to determine whether or not a VxD is installed( F" s! g+ I4 \; M {6 Z
for the specified device and returns a Device Description Block (in ecx) for
! h+ b, x7 o8 j& c4 ~that device if it is installed.4 `/ i1 `$ k" t0 n$ ^( \ N
& w' [. o- _0 G! ]9 l/ k8 n3 T mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
- c6 E# A) f: m) b, U* o; n mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)7 q6 U" _0 C' X
VMMCall Get_DDB
8 l8 o: n8 M& L$ m& ?( a! h mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
1 b+ N/ z1 W. P7 P
~% @( `& P" ]" o5 x: Q9 oNote as well that you can easily detect this method with SoftICE:
, f$ D( T: N8 ?& X. k* g bpx Get_DDB if ax==0202 || ax==7a5fh5 u$ @3 j8 r! a$ a3 A
0 L' l6 I% c% C/ C# D5 E__________________________________________________________________________4 c6 }) Q2 w. F
% }1 A% x) W. V% k, r
Method 10( C. K* e: s8 ^+ R3 n1 c$ k
=========
% N+ H# N: p) q0 ^; n8 G* g& l6 Z9 I% k0 R' f4 x7 _
=>Disable or clear breakpoints before using this feature. DO NOT trace with
' z5 k2 \8 i; s$ V6 ] SoftICE while the option is enable!!
' `4 v- z4 Y) J8 [5 O) R' q6 {$ m. D o* h, b& q- C
This trick is very efficient:, [2 T& h3 a. r) p( o
by checking the Debug Registers, you can detect if SoftICE is loaded
; f" i; f0 E6 Z9 W- A% _- K(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
7 t2 x2 b x" {. athere are some memory breakpoints set (dr0 to dr3) simply by reading their
4 t% F7 k) m B) W; gvalue (in ring0 only). Values can be manipulated and or changed as well' I }! L. F& t+ d _4 ]0 w) z& g
(clearing BPMs for instance)
" P* \& g% B' {) p) Q' ~- T; P
, R& S7 g& t6 @" J# ]__________________________________________________________________________0 V( m1 Y/ S4 x3 n" \0 @
5 _6 |3 @( M6 f7 X5 t+ a
Method 11+ c# S1 B! _5 s1 Q, O( n1 m
=========
! c7 t9 D' y! O3 L+ {2 y. D+ b( r' `& m, d4 _6 _
This method is most known as 'MeltICE' because it has been freely distributed
) `; r5 H* k. N( \via www.winfiles.com. However it was first used by NuMega people to allow
7 }2 g* q1 T0 ?# r' VSymbol Loader to check if SoftICE was active or not (the code is located: d+ w6 v# F+ i
inside nmtrans.dll).
5 v3 F% G. v; |/ O, |. V
. i* \' F4 h3 EThe way it works is very simple:% M0 l! U/ q# Z0 b2 o5 [5 ]
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
/ {% x$ |. w: lWinNT) with the CreateFileA API.
" [7 m; U) d: X4 j% Y: N3 T) S* U; H9 o' q
Here is a sample (checking for 'SICE'):
- E7 k- }9 v2 y
6 q z8 q; T- r5 j0 cBOOL IsSoftIce95Loaded()
1 S; E( ^1 b. t G5 t! w{
6 o+ [% d8 [6 f1 h* i" l2 y HANDLE hFile; 8 T& z' W0 B4 z" `+ ?. X
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,' K. Z- g4 K4 R6 u+ a& v9 }% O
FILE_SHARE_READ | FILE_SHARE_WRITE,
2 N0 r3 ]5 H4 Z6 g( P+ @8 S NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
& D" x5 w) @/ w) R if( hFile != INVALID_HANDLE_VALUE )
; N7 p1 _) ?2 r' d {% ` Y4 f v5 M3 B7 X- S
CloseHandle(hFile);; b# a! J# Q# E9 p/ k* f# d6 ^
return TRUE;
2 S0 Z% O Z y; e5 i }% L. `1 Z# g0 L4 k1 b: Z3 j
return FALSE;# L- \% a' ]& V# `; ?! X* ~( G
}
+ E2 w# ^% l! [0 N
4 n& e# ?1 N( ^7 U) x2 xAlthough this trick calls the CreateFileA function, don't even expect to be5 `# [" }; e% |' a+ j2 z
able to intercept it by installing a IFS hook: it will not work, no way!8 ]( G6 U! F, _2 B) b+ Q- w! c6 z
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, B9 i+ Q2 r4 Y, O7 Uservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
9 ]! M+ @" |* ~ G) Kand then browse the DDB list until it find the VxD and its DDB_Control_Proc) Z# ?- x( n( Z' v8 X
field. K6 ]% N* i& O; x
In fact, its purpose is not to load/unload VxDs but only to send a 3 ~! H/ p3 Y; E! ~9 v! P- q
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
. Z" ]8 A! `9 K0 @; Ito the VxD Control_Dispatch proc (how the hell a shareware soft could try
% |1 V/ V7 I- Vto load/unload a non-dynamically loadable driver such as SoftICE ;-).
6 ^* D$ r5 M/ Z* F" p* O1 ZIf the VxD is loaded, it will always clear eax and the Carry flag to allow
: I8 {$ w2 G# L6 `6 N; iits handle to be opened and then, will be detected.# {# |2 Y5 T0 l8 D) i
You can check that simply by hooking Winice.exe control proc entry point
/ C7 Z& q E6 \6 [; i& x; k0 G3 V! dwhile running MeltICE.
+ a2 X N+ O. m- Y0 c4 f
- u7 @6 Z8 p- S4 V" j9 Y
& c, r% k5 q! L6 E' |4 ` 00401067: push 00402025 ; \\.\SICE/ q1 S3 |9 v3 u; y% Q& i
0040106C: call CreateFileA
; K, v7 H$ p0 V z: e9 ` 00401071: cmp eax,-0016 V4 l; u j9 P) P s* `
00401074: je 00401091
" N/ K7 r8 R- R) G! m- e* K
8 h' ~9 i& W* z8 Y: u1 E& V* t# ~* F9 ]5 @! C6 B
There could be hundreds of BPX you could use to detect this trick.
1 A! a; q# W% {% i* s-The most classical one is:( ~) u/ I S$ g6 b, |% K4 q3 ^
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
, p) K6 `/ i# {6 U. u *(esp->4+4)=='NTIC'
9 q' R# ~* i0 r8 W, Q/ N3 p& f( c1 Y6 a5 \# B
-The most exotic ones (could be very slooooow :-(
; A. C$ }* y" H- |% Y! p7 P1 u V( j: ^ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') . c4 I/ G+ W8 T' Q
;will break 3 times :-() m3 T6 n" n5 x
* P/ d/ a. R: d0 W" i+ D
-or (a bit) faster: 3 `. A9 y9 B% A: f! I
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 X# y, Q8 [0 E7 r6 w9 w
9 h( y# C: p6 R. H$ s BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
* [/ x- q' p+ d% g# M, Y7 ?" t% B ;will break 3 times :-(
( d& K' w% E o c0 y
8 G9 n4 t4 y/ w/ i-Much faster:4 |+ y$ \4 W) M. }" V
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'$ \# e Y; {' @
, C1 s" a" E9 Z0 y. G7 {; zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen, p; L& E$ m, h, k
function to do the same job:
6 a; U4 s" ?9 Q9 ~, M# w0 [% p. V* [# a: M- t3 `) j5 ?; T
push 00 ; OF_READ
/ ^; ?9 p; p d! k mov eax,[00656634] ; '\\.\SICE',0
% \! q$ \/ w- X0 X& x push eax
5 [ N. G" C2 f( r( M call KERNEL32!_lopen" b& y. `: ?3 F" }
inc eax
& L: p2 J! a4 V; u/ @ jnz 00650589 ; detected) I7 b6 d' p! a; _2 E
push 00 ; OF_READ4 F! Z$ \5 o. B! T3 @
mov eax,[00656638] ; '\\.\SICE'8 \( X. \" ^) B: w& i, e3 y1 Y
push eax
5 d! c* V9 [# P1 L, R7 A9 p call KERNEL32!_lopen
7 j7 r3 ? N' X. O inc eax8 }* G9 x3 J$ N% M) ~7 g! o
jz 006505ae ; not detected
! b2 M, x9 P" U) N2 d% n& Q, K& m3 T
$ A* t( {; j* `) C7 w$ w
2 w, i+ K. V; u9 H__________________________________________________________________________' E% w0 Q+ l# u6 b
' k$ O) H! z6 ^
Method 12
8 @. ^6 Q5 s) L8 X========= z2 w3 Q# }+ x5 Z5 b
; n- F/ o1 M( k) l, U3 Y7 m. C% l
This trick is similar to int41h/4fh Debugger installation check (code 05
) e% n8 K4 A7 {" X6 o& 06) but very limited because it's only available for Win95/98 (not NT)
: Y4 Q8 C7 T5 b& b- U+ |% sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
/ N; [" V- g+ M+ D. k) {& }! N# j! r. m4 v9 ~
push 0000004fh ; function 4fh7 U' H0 U/ l- W# B- J' U8 K
push 002a002ah ; high word specifies which VxD (VWIN32)
2 ]5 `$ b# o8 R- C" E; p* [; X/ G ; low word specifies which service
" u: j3 T* h L9 n9 S3 @9 ? (VWIN32_Int41Dispatch)
" c+ M, h( i* V7 w. l! j4 e; x call Kernel32!ORD_001 ; VxdCall
" Y& @9 N& i9 }/ p cmp ax, 0f386h ; magic number returned by system debuggers
- T1 u$ a- r7 Z jz SoftICE_detected1 N% P! m$ \, Z \' Y3 w" z
' H, ?! a. ?9 T9 f6 _Here again, several ways to detect it:
' g+ ?0 Z; i3 x2 V7 y
" U3 P3 P9 T$ q4 N8 \0 p& C7 |# w BPINT 41 if ax==4f' m+ ?- m1 w/ m: U' A6 L& V5 e* [; W
?9 D$ h& q; t4 ]; t& C3 D2 V BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one. a# L& O( m3 B9 n+ w* _
+ [3 _+ L& j4 a: U: k BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A \# m- S1 J' k- U: T0 B
5 |, C$ o* B( l8 y BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!+ v- |" C: T& V/ f9 [
$ h, ~3 N/ B8 x% \% ?- d! B* V__________________________________________________________________________# ~& m" @ L( [2 ^! {- T
6 |; E3 F9 w) O( H0 l
Method 137 t1 L( k$ s0 U! W
=========: p& q, C0 p) b- I: s
. E5 p3 B6 Y! j: q7 Y
Not a real method of detection, but a good way to know if SoftICE is
3 M* M6 r0 w2 D( kinstalled on a computer and to locate its installation directory.. g9 E3 |, p$ _& y9 v6 P, |
It is used by few softs which access the following registry keys (usually #2) :
. @; @- n! Y, L2 C; ~4 z% V0 Z2 ~6 A0 X/ i* n1 v8 i
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ I! H, Y/ G; D$ E/ v
\Uninstall\SoftICE8 P" H. o5 {+ K
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE- P. j9 ?9 J9 V3 O. ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" C" Q. W9 g" V* a7 E) i
\App Paths\Loader32.Exe
" y% [7 I# e5 Q' b' D* R2 P' D
, ?( y$ z% `9 L8 yNote that some nasty apps could then erase all files from SoftICE directory: J0 {% f" Y G1 D
(I faced that once :-(
6 O+ v7 y% a/ R0 d. x! K* |7 t7 ^3 F; [, V: p
Useful breakpoint to detect it:
+ ~* d- v q. a3 G6 \' V6 c
* r& e) g! L* y BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
. t A! s8 @* q: }' e5 X0 P
' W2 t, q! | T: s__________________________________________________________________________. I' c- p# A# r/ b
% l* L) S+ C9 `& h' \% y
. z2 ?3 s w9 X6 m7 l' Q8 t: A' `Method 14
" G- A1 a9 N* g" Y# X=========
/ f# N: h7 L* D. M& A' r/ n" N2 c2 q) L2 E3 U+ b& u; l* [. y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 [, i- n% G0 m: p8 K3 A, |is to determines whether a debugger is running on your system (ring0 only).% s A2 }- u$ U
: r5 A* \0 w+ B' b VMMCall Test_Debug_Installed: ~& o! D- i( K5 [6 q* _; @! h6 N
je not_installed- [6 K3 v8 }0 b' u6 ~; C
0 o2 }4 |( N9 q: ~! T7 o# G
This service just checks a flag.
- M7 V* Z; O# U' ~; A7 O O</PRE></TD></TR></TBODY></TABLE> |