<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh   ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4              ; AL is left unchanged when no debugger handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h        ; VxD ID of winice
 int 2Fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax           ; ES:DI still 0 -> the VxD is not loaded
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh        ; VxD ID of SIWVID
 int 2fh
 mov ax, es           ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs                   ; assumes ES = 0 (vector table), as set up in method 06
 lea dx, int41handler2
 xchg dx, es:[41h*4]          ; install our own int 41h handler,
 xchg bx, es:[41h*4+2]        ; keeping the old vector in DX:BX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]          ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret                         ; a plain iret leaves AX = 4Fh when no debugger answers
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC             ; our own int 41h handler: copy AL into CL
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                    ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]          ; install our handler, keeping the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h                   ; AL = timer value a debugger cannot predict
 xor cx,cx
 int 41h                      ; our handler sets CL = AL; if a debugger handles
 xchg dx, es:[41h*4]          ; int 41h instead, CL stays 0
 xchg bx, es:[41h*4+2]        ; restore the old vector
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                  ; DOS: set interrupt vector
 mov al, Int_Number           ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-))
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
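Added example, not code from the original text: decoding a DR7 value with the
bit layout documented in the Intel manual shows why the two figures above
differ. Bit 10 of DR7 is reserved and always reads as 1, so an idle system
shows 0x400; 0x700 additionally has the LE and GE bits (8 and 9) set. The
enable bits (0-7) and the R/W and LEN fields (bits 16-31) tell whether DR0 to
DR3 currently hold memory breakpoints. The values decoded at the end are
constructed for the example.

```python
"""Decode DR7 the way the debug-register check of method 10 reads it.

Added example, not code from the original text.  Layout per the Intel SDM:
bits 0-7  = L0,G0,L1,G1,L2,G2,L3,G3 (local/global enables for DR0-DR3)
bit 8     = LE, bit 9 = GE (exact breakpoint matching)
bit 10    = reserved, always reads as 1
bit 13    = GD (general detect: trap on any debug-register access)
bits 16+4i..17+4i = R/Wi, bits 18+4i..19+4i = LENi for breakpoint i
"""
from typing import Any, Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}     # 10b = 8 bytes (64-bit mode), 11b = 4 bytes


def decode_dr7(dr7: int) -> Dict[str, Any]:
    """Return the global flags and the breakpoints DR7 currently enables."""
    bps: List[Dict[str, Any]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"reg": f"DR{i}", "local": bool(local), "global": bool(glob),
                    "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": bps,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The method 10 heuristic: 0x700 (LE+GE set) rather than the idle 0x400."""
    return (dr7 & 0x700) == 0x700


def armed_slots(dr7: int) -> List[str]:
    """Names of the debug registers that hold an active breakpoint (BPM)."""
    return [bp["reg"] for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # Constructed values: the two figures from the text, plus a DR7 with a
    # 4-byte read/write BPM in DR0 and a 1-byte execute breakpoint in DR3.
    for value in (0x400, 0x700, 0x000F0481):
        print(f"DR7={value:#010x}: loader={looks_like_softice_loader(value)} "
              f"armed={armed_slots(value)} {decode_dr7(value)}")
```

The heuristic is only as good as the loader's habit of setting LE and GE; any
other ring0 component that touches those bits gives the same reading, which is
why the text pairs it with the DR0-DR3 enable bits as a second signal.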

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE VxD by its device name; succeeds only if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                  ; -1 (HFILE_ERROR) becomes 0
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxdCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where 'tICE' sits
in keys #2 and #1):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
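Added example (not part of the original text, nor of any program it mentions):
a small Python scanner that encodes the instruction sequences and strings from
methods 01 to 07, 11, 12 and 13 as byte patterns and reports where they occur
in a raw code or data image, which is how an analyst would triage a sample for
these checks before stepping through it. The opcode patterns (mov si,4647h =
BE 47 46, mov ax,1684h = B8 84 16, and so on) follow from the standard x86
encoding; the sample image and the signature labels are constructed for the
example.

```python
"""Static scan for the SoftICE checks described in methods 01-07, 11, 12 and 13.

Added example, not code from the original text.  Each signature is the byte
sequence an assembler emits for the snippet shown in the text (immediates are
little-endian).  Labels are constructed for this example.
"""
from typing import Dict, List, Tuple

# Instruction-sequence signatures.  The 66h operand-size prefix that 32-bit
# code puts before a 16-bit mov is left out so each pattern matches both the
# DOS and the Win32 encoding.
CODE_SIGS: Dict[str, bytes] = {
    "M01 'BCHK' signature (mov ebp,4243484Bh)":           bytes.fromhex("BD 4B 48 43 42"),
    "M02 backdoor magic SI (mov si,4647h)":               bytes.fromhex("BE 47 46"),
    "M02 backdoor magic DI (mov di,4A4Dh)":               bytes.fromhex("BF 4D 4A"),
    "M03 int 2Fh/1684h, SICE VxD id 0202h":               bytes.fromhex("B8 84 16 BB 02 02 CD 2F"),
    "M04 int 2Fh/1684h, SIWVID VxD id 7A5Fh":             bytes.fromhex("B8 84 16 BB 5F 7A CD 2F"),
    "M05 int 41h/4Fh (mov ax,4Fh; int 41h)":              bytes.fromhex("B8 4F 00 CD 41"),
    "M07 int 68h/43h (mov ah,43h; int 68h)":              bytes.fromhex("B4 43 CD 68"),
    "M12 VxDCall Int41Dispatch (push 4Fh; push 2A002Ah)": bytes.fromhex("6A 4F 68 2A 00 2A 00"),
}

# Three bytes are too few to stand alone: the magic compare is only a hint.
WEAK_SIGS: Dict[str, bytes] = {
    "cmp ax,0F386h (system-debugger magic)": bytes.fromhex("3D 86 F3"),
}

# Device names opened by MeltICE-style code (M11) and the registry keys (M13).
STRING_SIGS: Dict[str, bytes] = {
    "M11 device \\\\.\\SICE":            b"\\\\.\\SICE",
    "M11 device \\\\.\\SIWVID":          b"\\\\.\\SIWVID",
    "M11 device \\\\.\\NTICE":           b"\\\\.\\NTICE",
    "M13 key Software\\NuMega\\SoftICE": b"Software\\NuMega\\SoftICE",
    "M13 key Uninstall\\SoftICE":        b"Uninstall\\SoftICE",
    "M13 key App Paths\\Loader32.Exe":   b"App Paths\\Loader32.Exe",
}

Hit = Tuple[str, int]          # (signature label, offset in image)


def find_all(image: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs in image (overlaps included)."""
    hits, start = [], 0
    while (pos := image.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def scan(image: bytes) -> Dict[str, List[Hit]]:
    """Group hits into 'strong' (code or string) and 'weak' (hint only)."""
    report: Dict[str, List[Hit]] = {"strong": [], "weak": []}
    for name, pat in {**CODE_SIGS, **STRING_SIGS}.items():
        report["strong"] += [(name, off) for off in find_all(image, pat)]
    for name, pat in WEAK_SIGS.items():
        report["weak"] += [(name, off) for off in find_all(image, pat)]
    return report


def verdict(report: Dict[str, List[Hit]]) -> str:
    """One-line triage result for a scan report."""
    if report["strong"]:
        return "anti-SoftICE check present"
    if report["weak"]:
        return "possible (weak hint only)"
    return "nothing found"


# Constructed sample image: the Haspinst-style int 3 loop of method 02, some
# NOP padding, a method 05 probe with its magic compare, and the method 11
# device string.  Offsets: SI/DI movs at 5 and 8, int 41h probe at 29,
# magic compare at 34, device string at 43.
SAMPLE = (
    bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC 83 C3 02 41 83 F9 06 72 EB")
    + b"\x90" * 8
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05")
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    rep = scan(SAMPLE)
    for kind in ("strong", "weak"):
        for name, off in rep[kind]:
            print(f"{kind:6} {off:#06x}  {name}")
    print(verdict(rep))
```

A byte scan of this kind only finds the literal sequences from the text; code
that loads the magic values through registers, splits them, or builds the
device name at run time needs a debugger breakpoint such as the BPX lines
above, which is why the two approaches complement each other.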

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>