<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI == 0:0 means the VxD is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; assumed setup (ES = 0 -> interrupt vector table), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; only a system debugger hooked below us answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a varying value from the timer (PIT channel 0)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copies AL into CL; if SoftICE took the int, CL stays 0
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the loaded VxD is reachable as the device "\\.\SICE" */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
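As an added example that is not part of the original list: a small Python triage scanner that flags, in a raw code blob, the byte patterns the methods above compile to (the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, int 2Fh/1684h, int 41h/4Fh, int 68h/43h, the \\.\SICE device names of Method 11, the VxDCall service word of Method 12 and the registry key of Method 13), so a sample can be spotted as debugger-aware before it is stepped through. The instruction encodings are the standard x86 ones for the listed instructions; the sample bytes are constructed for the demo, not taken from any real program.

```python
import re

# Signatures for the methods above: (label, regex over raw bytes). The byte
# patterns are the standard x86 encodings of the listed instructions (16-bit
# for the DOS/V86 tricks, 32-bit for the Win32 ones); the `.{0,N}` gaps
# tolerate the unrelated instructions the original listings interleave.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}\xcc", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values (int 3 back door)
    ("02 int 3 back door SI=4647h DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,16}\xbf\x4d\x4a", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h SICE|SIWVID entry point",
     re.compile(rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.S)),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,8}\xcd\x41.{0,8}\x3d\x86\xf3", re.S)),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h/43h", re.compile(rb"\xb4\x43.{0,8}\xcd\x68", re.S)),
    # Method 11 (MeltICE): device names handed to CreateFileA/_lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x6a\x4f.{0,8}\x68\x2a\x00\x2a\x00", re.S)),
    # Method 13: registry key used to locate the SoftICE directory
    ("13 NuMega registry key", re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(blob: bytes):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = [(m.start(), label)
            for label, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits)


def labels(blob: bytes):
    """Distinct method labels found, sorted (a quick triage verdict)."""
    return sorted({label for _, label in scan(blob)})


# Constructed sample (not a real binary): the Method 02, 05 and 11 listings
# re-assembled to bytes, with NOP/zero filler between them.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # Method 02
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"            # Method 05
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                     # Method 11
)
CLEAN = b"\x90\xc3" * 32   # constructed: nothing but nop/ret

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"0x{off:04x}  {label}")
```

A hit is only a hint that the code is debugger-aware (the patterns can also occur by chance in data); it tells you which method to expect when the sample is run under SoftICE.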
</PRE></TD></TR></TBODY></TABLE>