<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: with
EBP='BCHK' and AX=4, SoftICE's INT 3 handler changes AL, whereas on a clean
system the INT 3 returns with AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL untouched -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; DS:DX points to the ASCIZ command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH when the debugger is not loaded:
  without SoftICE, the INT 3 raises a breakpoint exception that the program's
  own handler catches.
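
The following C routine is an added example (it is not part of the original
text, nor HASP or NuMega code): it classifies an INT 3 by its register
fingerprint, the way a BPINT 3 filter or a debugger plugin would, covering
both the BCHK probe of Method 01 and the back door calls of Method 02. The
register struct and the function names are hypothetical; the constants are
the ones given above, and the sample register states are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registers captured when an INT 3 executes (hypothetical struct for this
   example; only the fields the two fingerprints look at). */
typedef struct {
    uint32_t eax, ebp, esi, edi;
} int3_regs_t;

typedef enum {
    INT3_PLAIN,        /* ordinary breakpoint or trap */
    INT3_BCHK_PROBE,   /* BoundsChecker signature probe, Method 01 */
    INT3_BACKDOOR      /* SoftICE back door command, Method 02 */
} int3_kind_t;

#define BCHK_MAGIC   0x4243484Bu   /* 'BCHK' */
#define BACKDOOR_SI  0x4647u
#define BACKDOOR_DI  0x4A4Du

/* Decide which of the two INT 3 tricks this register state is. */
static int3_kind_t classify_int3(const int3_regs_t *r)
{
    uint16_t ax = (uint16_t)r->eax;
    uint16_t si = (uint16_t)r->esi;
    uint16_t di = (uint16_t)r->edi;

    if (r->ebp == BCHK_MAGIC && ax == 0x0004)
        return INT3_BCHK_PROBE;
    if (si == BACKDOOR_SI && di == BACKDOOR_DI && ax >= 0x0910 && ax <= 0x0914)
        return INT3_BACKDOOR;
    return INT3_PLAIN;
}

/* Back door function selected by AX, from the list above. */
static const char *backdoor_name(uint16_t ax)
{
    switch (ax) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command (DS:DX -> command)";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return "not a back door function";
    }
}

/* Outcome of the Method 01 probe: the program compares AL with 4 afterwards,
   so AL still being 4 means "no SoftICE". */
static int bchk_probe_detects(uint8_t al_after)
{
    return al_after != 4;
}

int main(void)
{
    /* Constructed register states: the Haspinst.exe loop at 4C19:00A0 and
       the BCHK probe of Method 01. Field order: eax, ebp, esi, edi. */
    int3_regs_t hasp = { 0x0911, 0, 0x4647, 0x4A4D };
    int3_regs_t bchk = { 0x0004, BCHK_MAGIC, 0, 0 };

    printf("Haspinst INT 3: kind=%d (%s)\n", classify_int3(&hasp),
           backdoor_name((uint16_t)hasp.eax));
    printf("BCHK probe: kind=%d, clean system reports detected=%d\n",
           classify_int3(&bchk), bchk_probe_detects(4));
    return 0;
}
```

Any INT 3 whose registers match neither fingerprint is a plain breakpoint;
a stealth handler only needs to special-case the two classified kinds.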
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh, AX=1684h
(Get VxD API entry point). The call returns the entry point in ES:DI and
leaves ES:DI = 0000:0000 when no VxD with that ID is loaded.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES+DI != 0 -> the VxD answered
        jnz SoftICE_Detected

Note that the sum test is sloppy: a 16-bit ES+DI can wrap to zero for a
non-null entry point. Testing ES and DI separately is the robust form.

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; same (sloppy) sum test as in Method 03
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (the Windows debugger interface).
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h          ; a system debugger answers with AX=F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The trick is to hang a dummy IRET handler
on INT 41h first: on a clean system the interrupt then returns with AX
untouched, so AX can only come back as 0F386h if a debugger intercepts the
INT 41h before it reaches the vector table, which is exactly what SoftICE does.

        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table at 0000:0000
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset), keep the old one
        xchg bx, es:[41h*4+2]   ; same for the segment
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4Fh unless a debugger replies
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: it
never compares against the 0F386h constant, so there is no magic value to
break on. A byte is read from the PIT counter (port 40h) into AL, CX is
zeroed and INT 41h is called. If our own handler runs, it copies AL into CL
and the two match; if SoftICE swallows the interrupt instead, CL is still
zero and differs from AL (unless the timer byte happens to be zero).


int41handler PROC
        mov cl, al              ; only reached when nothing intercepts INT 41h
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from PIT channel 0
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on INT 68h (V86 mode): function AH=43h
returns the same 0F386h magic number when a debugger is installed.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way of crashing the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (DR0 to
DR3), simply by reading their value (in ring 0 only: a MOV from a debug
register faults in ring 3). Bit 10 of DR7 is reserved and always reads as 1,
which is why the idle value is 0x400 and not 0; 0x700 additionally has the LE
and GE bits (8 and 9) set, and an armed BPM shows up in the L0-L3/G0-G3
enable bits (0-7). Values can be manipulated or changed as well (clearing
BPMs for instance).
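
Added example (not from the original page): a DR7 decoder in C showing what
the 0x400 / 0x700 values and an armed BPM look like bit by bit. It follows
the IA-32 DR7 layout; the struct and function names are the example's own,
and the sample values are constructed. Reading DR7 for real needs ring 0, so
the decoder takes the value as a parameter instead of executing MOV EAX,DR7.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* One DRn slot as described by DR7 (IA-32 layout; names are this example's). */
typedef struct {
    bool     local_enable;   /* Ln, bit 2n   */
    bool     global_enable;  /* Gn, bit 2n+1 */
    unsigned rw;             /* RWn: 0=execute, 1=write, 2=I/O, 3=read/write */
    unsigned len;            /* LENn: 0=1 byte, 1=2 bytes, 3=4 bytes, 2=8 bytes (x86-64) */
} dr7_slot_t;

static dr7_slot_t dr7_slot(uint32_t dr7, unsigned n)
{
    dr7_slot_t s;
    s.local_enable  = (dr7 >> (2 * n)) & 1;
    s.global_enable = (dr7 >> (2 * n + 1)) & 1;
    s.rw  = (dr7 >> (16 + 4 * n)) & 3;
    s.len = (dr7 >> (18 + 4 * n)) & 3;
    return s;
}

/* Bit n set when DRn is armed (either enable bit): what "a BPM is set" means. */
static unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (unsigned n = 0; n < 4; n++) {
        dr7_slot_t s = dr7_slot(dr7, n);
        if (s.local_enable || s.global_enable)
            mask |= 1u << n;
    }
    return mask;
}

/* 0x700 versus 0x400: bit 10 is reserved and reads as 1 on every CPU, so
   0x400 is an untouched DR7; 0x700 has LE (bit 8) and GE (bit 9) set too. */
static bool dr7_le_ge_set(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* The heuristic of Method 10: anything other than the always-set bit 10
   means a debugger wrote DR7 (LE/GE from the loader, or an armed breakpoint). */
static bool dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & ~0x400u) != 0;
}

static uint32_t dr7_len_bytes(unsigned len)
{
    switch (len) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* Which armed slot covers addr, given DR0..DR3? -1 if none. The hardware
   aligns each range down to its length, so the check does the same. */
static int dr7_slot_covering(uint32_t dr7, const uint32_t dr[4], uint32_t addr)
{
    for (unsigned n = 0; n < 4; n++) {
        dr7_slot_t s = dr7_slot(dr7, n);
        if (!(s.local_enable || s.global_enable))
            continue;
        uint32_t size = dr7_len_bytes(s.len);
        uint32_t base = dr[n] & ~(size - 1);
        if (addr >= base && addr < base + size)
            return (int)n;
    }
    return -1;
}

int main(void)
{
    /* Constructed values: the two from the text, plus a 4-byte write BPM in DR0
       (L0 | RW0=write | LEN0=4 bytes | reserved bit 10). */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000D0401u };
    for (unsigned i = 0; i < 3; i++)
        printf("DR7=%08X armed=%u LE/GE=%d debugged=%d\n", samples[i],
               dr7_armed_mask(samples[i]), dr7_le_ge_set(samples[i]),
               dr7_looks_debugged(samples[i]));
    return 0;
}
```

The last function is what a protection would use to decide whether one of
its own addresses is under a BPM before clearing DR7; it is also what you
check to see why SoftICE stopped tracing after the program touched the
debug registers.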

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by the NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. The open only succeeds when the driver
is loaded, so a valid handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers on its device name. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device-namespace path of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* open succeeded: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 001Fh,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the carry flag,
which lets the handle be opened, and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

, L+ {" ]+ Q: ?3 y2 ^ 00401067: push 00402025 ; \\.\SICE8 f. i, ~* m) q9 `4 b: y# n/ O1 u
0040106C: call CreateFileA: q6 Q. S: C# Z/ g3 _$ ]" V7 L
00401071: cmp eax,-001
- S2 A/ {2 w* l- r6 H* v" Y 00401074: je 00401091
' O/ b1 ^; n! H# ?2 M
: H( E& P) \$ }
There could be hundreds of BPX you could use to detect this trick.
-The most classical one (lpFileName is the first argument, esp->4; +4 skips
 the "\\.\" prefix, and the compare reads the 4-byte driver name as a dword):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function (still exported by KERNEL32) to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SIWVID',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========


This trick is similar to the INT 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word selects the VxD (002Ah = VWIN32),
                                ; low word selects the service
                                ; (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" inside the #2 and #1 subkey strings):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
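
Added example (not from the original page) showing how the 4-byte compares
in the breakpoint conditions of Methods 11 and 13 are derived and evaluated:
the little-endian dword SoftICE compares against, the offset of the tag
inside the argument string (4 for the "\\.\SICE"-style device names, 0x13
and 0x37 for the two registry subkeys), and a bounds-checked evaluation of
the condition that, unlike the raw *(esp->N+offset) read, never looks past
the end of the string. Function names are the example's own; the strings
fed to main() are the ones the breakpoints above are written for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian dword at p, the way a 32-bit compare in SoftICE reads it. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Value of a SoftICE character constant such as 'SICE' (0x45434953). */
static uint32_t tag_dword(const char *tag)
{
    return read_le32((const unsigned char *)tag);
}

/* Byte offset of a 4-character tag inside s, or -1 if absent. This is the
   constant that goes into the condition as esp->N+offset. */
static int tag_offset(const char *s, const char *tag)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (int)i;
    return -1;
}

/* Evaluate "*(arg+offset)=='tag'" the way the breakpoint would, but refuse
   to read beyond the argument string: the raw expression happily reads four
   bytes past a short path such as "C:\x". */
static int bpx_condition_hits(const char *arg, int offset, const char *tag)
{
    size_t n = strlen(arg);
    if (offset < 0 || (size_t)offset + 4 > n)
        return 0;
    return read_le32((const unsigned char *)arg + offset) == tag_dword(tag);
}

int main(void)
{
    /* Constructed inputs: the device names and registry subkeys from the text. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };
    const char *tags[]  = { "SICE", "SIWV", "NTIC" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" };

    printf("'SICE' as a dword: %08X\n", tag_dword("SICE"));
    for (int i = 0; i < 3; i++)
        printf("%-12s '%s' at +%d, condition hits=%d\n", paths[i], tags[i],
               tag_offset(paths[i], tags[i]),
               bpx_condition_hits(paths[i], 4, tags[i]));
    for (int i = 0; i < 2; i++)
        printf("'tICE' at +0x%02X in %s\n", tag_offset(keys[i], "tICE"), keys[i]);
    return 0;
}
```

Running it reproduces the constants used above (4, 0x13 and 0x37) and shows
why a condition on a short or unrelated path is simply false rather than a
read of whatever follows the string in memory.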

__________________________________________________________________________


Method 14
=========


A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>