<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; assumes ES = 0 (interrupt vector table), see Method 06
    xchg bx, es:[41h*4+2]   ; swap in our own int 41h handler
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL to CL if it really runs
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: a hard-to-predict value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL means our handler never ran
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

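The checks in Methods 01 to 05, 07, 11, 12 and 13 all leave fixed byte patterns in a binary, so an analyst can find out which trick a packer uses before tracing into it. The scanner below is an added example (not part of the original text or of any packer it describes); the opcode encodings are hand-assembled from the listings above and the SAMPLE buffer is a constructed image, not a real file.

```python
"""Static scanner for the anti-SoftICE byte patterns catalogued on this page.

Added example. Encodings are for 16-bit code where the listings show 16-bit
code; the 66h operand-size prefix is optional so 32-bit callers still match.
Short '.{0,n}?' gaps allow a few unrelated bytes between the instructions.
"""
import re

# (method label from the page, compiled byte pattern)
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; ... ; int 3        -> 66 BD 4B 48 43 42 .. CC
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) -> BE 47 46 / BF 4D 4A
    ("02 int 3 back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,4}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h V86 handler check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: CreateFileA / _lopen on the driver device names
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key lookup
    ("13 NuMega\\SoftICE registry key", re.compile(rb"NuMega\\SoftICE")),
]


def scan(image: bytes):
    """Return sorted (offset, label) pairs for every pattern hit in `image`."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed test image: NOP/zero filler around hand-assembled copies of the
# page's listings (Methods 01, 02, 03 and the MeltICE string). Not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\x90" * 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                           # method 11
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:06X}  method {label}")
```

Run it over a whole unpacked DOS or Win9x image to get the offsets to set BPX on; a hit on a single pattern is a lead, not proof, since the int 41h/4Fh sequence also appears in legitimate debugger-aware code.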
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>