<TABLE width=500>) \0 x- S% Y$ |# a9 w' \% c
<TBODY>9 R. D) Y: w1 G1 }
<TR>( h" Z. X( s. ^$ D/ X" Y
<TD><PRE>Method 01
5 I& x8 a& b; g: T9 Z; B$ h4 b0 x=========
w$ |% p9 r; W) S2 w/ r0 |# J/ e3 {9 H1 M/ @
This method of detection of SoftICE (as well as the following one) is
2 D5 L6 b; N [6 v: u5 n9 Dused by the majority of packers/encryptors found on Internet.
, n: ?* u7 l& W0 xIt seeks the signature of BoundsChecker in SoftICE
& S/ J; `1 R7 F. T! l9 _& X" v. |; i0 O# }/ w
mov ebp, 04243484Bh ; 'BCHK'
: ?8 A5 H; Y) `1 c6 P: D! J mov ax, 04h2 N5 f' B" {0 b0 [8 g
int 3 2 ~8 k% f$ L& X" z1 R: H
cmp al,44 R% y2 z2 F8 v4 g X
jnz SoftICE_Detected
3 R; N2 V w; Q5 g
8 b% P- z1 ~$ h9 s) F___________________________________________________________________________
3 F! n5 D. E; h, V v" B
* C7 W2 d4 }8 ~- _0 j l- j* |Method 02. d1 ?5 k' d! F7 Q
=========& A# Q. j8 x( f0 r5 K3 y
. K" B! H7 P) @0 u. y/ T/ G6 FStill a method very much used (perhaps the most frequent one). It is used3 D$ C. l& N+ H3 K2 E) u
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! _7 w) O9 \- w7 A4 N& Bor execute SoftICE commands...
. z4 x0 {$ z: I# T# _It is also used to crash SoftICE and to force it to execute any commands
; t5 b# J" V- @# Z(HBOOT...) :-(( * Z m3 S& Y7 Q* f
; \! ^8 s5 O) ]" \ o1 T; J
Here is a quick description:& @/ `3 ]9 n+ D3 ?1 n
-AX = 0910h (Display string in SIce windows)
6 o6 A; p' b1 P! U) G. r ]-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
$ X, q4 H7 w: z8 R, X8 C3 z-AX = 0912h (Get breakpoint infos)$ L( _; j% c9 m! c" l2 a
-AX = 0913h (Set Sice breakpoints)$ d! b3 ^# V1 J" i, G
-AX = 0914h (Remove SIce breakoints)
- s. ^8 k( ?3 [& N% p$ Z9 L
4 u( g% Z$ {2 c: R9 N& cEach time you'll meet this trick, you'll see:$ ^4 W1 p2 g0 A! {$ c7 ~, ]
-SI = 4647h; C6 I( n$ X5 p* g' m3 B* y. E
-DI = 4A4Dh
! P7 K! v! ]6 i) o2 w. K. xWhich are the 'magic values' used by SoftIce.! i9 V$ S2 S& M. x$ E) D {+ R0 e
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.; y6 L( h7 W/ g+ r
; c8 G9 }# \, p; |7 a3 s `Here is one example from the file "Haspinst.exe" which is the dongle HASP/ e2 b4 |" {+ ~, A \- ]1 j
Envelope utility use to protect DOS applications:+ Y, Y& B9 f4 T+ i6 [# t
Y; \+ y/ Z! A& y( K' {5 p
) R$ W9 d6 {# K- h/ Y% J
4C19:0095 MOV AX,0911 ; execute command.+ W1 M6 @# p H# W j4 q" w9 J; o1 o
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).1 ?1 f* c7 c$ E& U
4C19:009A MOV SI,4647 ; 1st magic value.' b$ S- {7 v9 y
4C19:009D MOV DI,4A4D ; 2nd magic value.8 Z5 j O: U1 H5 ? y- Y1 ~* E" S. H
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 R7 t2 o. Q" r3 o! R: r X4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
' v+ I. x4 f+ ], M1 u4C19:00A4 INC CX
& K; v7 e. e/ i. d) U7 e/ W" S/ S4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
, K% V5 @! T; M" `* A4C19:00A8 JB 0095 ; 6 different commands.
( V6 a: ?! Z" O. O1 ^4C19:00AA JMP 0002 ; Bad_Guy jmp back.7 \- p- V- s7 }; z$ h4 R& y' p
4C19:00AD MOV BX,SP ; Good_Guy go ahead :) |. i- \# C u, w( @/ x9 N4 M3 u
* F1 a5 ~- `# A. u1 XThe program will execute 6 different SIce commands located at ds:dx, which, T0 I$ w, q/ @3 Q
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# J; J. Y* { o2 [ U o& z2 O
1 G, S: W5 m% o6 R `- J6 j* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, N0 f1 W( m# B& Y$ C. G___________________________________________________________________________+ g/ z0 Z) b3 R) h
* {7 r* X' Q9 P9 \, |% A
2 {# Z0 V% l" \7 U; t" x& y; Y# BMethod 03
4 x8 b+ q! k, ?+ c=========: y' |+ C! c, X9 x' I1 E3 U
, y0 W6 v" @' C* \# ~5 _Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h! ^, Y: I; k* t' R; }. T0 h* i
(API Get entry point)
5 i- _8 ~; h5 m5 c4 l6 ~. G
- a0 `, a" }" F7 y, V1 A
& [; g0 W4 X; H, W; p$ y. [ xor di,di$ J! x/ s1 w3 j
mov es,di
- K' l7 l& u+ l! |9 i/ o mov ax, 1684h
2 v- E7 Y! |# ~& K mov bx, 0202h ; VxD ID of winice3 w6 S1 a# v& i% ~- `
int 2Fh
( n. _9 N; R6 |( [+ Y/ b mov ax, es ; ES:DI -> VxD API entry point+ V* P. B6 _" t4 I2 K
add ax, di6 p* \% Q d. G# ^
test ax,ax( k* {% ]/ w w2 i4 p
jnz SoftICE_Detected
6 E* ~; Q) \8 Q: R _6 |+ g' ~/ S2 F* m
___________________________________________________________________________
7 Y, p& ^9 ^! m+ \0 I- D; T
0 R0 J1 W' F! M L9 wMethod 04/ i, {8 s1 @0 ]2 O# V" O
=========
* N5 x5 |- b3 u" }0 n: h4 B, V
$ c' f+ C" b3 \9 O$ L9 B6 dMethod identical to the preceding one except that it seeks the ID of SoftICE9 r4 e( N7 ^: Z! y- p& T! Q
GFX VxD.
6 y# C- m8 ]) A) s0 r, n4 [- E8 I
, h" C! Y, h) A W% z* Q* t xor di,di
& i5 x2 H6 H3 g# V( z) k# y9 B mov es,di& i+ i5 a1 C7 X- c3 m* v
mov ax, 1684h
2 g" y. J6 A9 m2 z6 a& x. X0 e mov bx, 7a5Fh ; VxD ID of SIWVID
+ P" F) o! E) t, k int 2fh4 X3 ^3 b' G% L% A" w) g3 D0 l
mov ax, es ; ES:DI -> VxD API entry point
! M; W2 R }6 H! E/ U% _ add ax, di
7 o0 t, a" x6 G" {4 n+ q test ax,ax
4 r: Y) w5 n( q: } jnz SoftICE_Detected# w/ I1 _% |* C, f9 k9 C
8 x' o9 c& I1 p8 L# s# t__________________________________________________________________________, ]/ j! w: t$ S6 n
( d7 p( b) \0 e' t6 b
' R" `9 q6 ~2 ?, | f
Method 05: z1 L- X/ y6 M/ _
=========. Z* n$ Q* `. v! J# r! L/ c
/ s" K3 z7 H7 g0 ]# S8 N0 HMethod seeking the 'magic number' 0F386h returned (in ax) by all system
8 K3 n( e+ ^% ]2 t# Edebugger. It calls the int 41h, function 4Fh.
: s" N5 P9 A M N! VThere are several alternatives. " E2 X, q5 F' ]3 o/ O
+ K; F- b# i3 q
The following one is the simplest:+ [7 H3 k3 d$ v2 e! ]0 x
2 ]% m4 \# U1 E# | mov ax,4fh; [( m' c4 L: \
int 41h
8 [+ c4 U3 v$ ?, v X' W: | cmp ax, 0F386' m) s9 B }* k8 c* P: b6 D1 `
jz SoftICE_detected
+ a4 r' \5 _9 o6 w* N/ `4 H+ ?3 M8 j, @, c `2 @- |
. v1 b9 n7 l) j" o) bNext method as well as the following one are 2 examples from Stone's 8 n; \8 Z! @; H" ~! \6 F
"stn-wid.zip" (www.cracking.net):8 y3 v: p2 f7 C5 q8 r
Q0 T9 C: V9 O4 E9 b ~3 X' U mov bx, cs
0 e" q7 O, n+ r, t: u lea dx, int41handler2
. I' A* ?# B8 Q" j* m3 n, L: m3 _ xchg dx, es:[41h*4]
0 a7 m7 f P, ^$ o xchg bx, es:[41h*4+2]
; Y& J8 ? _6 |% L4 `! Q& D mov ax,4fh4 A, f, W( o% b4 `; j" b3 h
int 41h9 s3 D% u2 L D, G, C& V. @7 x; D
xchg dx, es:[41h*4]8 o6 x1 T( V( q# v: r
xchg bx, es:[41h*4+2]
( d1 }; z9 ]& L. D cmp ax, 0f386h
/ |0 C0 Z( O( v" {! m jz SoftICE_detected' R! Y4 K. ^0 a( V1 o* Y7 F
' G0 U$ s8 K1 p
int41handler2 PROC1 I3 @7 {# `3 q
iret
1 A# X5 a: t7 M+ Yint41handler2 ENDP
. X. m# X+ K1 L
% J9 E' v+ Y3 F" r) |
/ k9 [" G& A% |8 v7 k9 r; }9 S_________________________________________________________________________. s- l) k+ i. R% p
1 A" Q5 L6 d5 q- D
4 Z* H6 j5 j% tMethod 06
5 J" z p' ]+ N9 y7 z=========
3 A! K5 x9 z8 ?2 [
& I* k' i6 N" K4 z
. Y' X- H2 V, H2nd method similar to the preceding one but more difficult to detect:
2 u. @ Q$ Y. M) _; W8 O% G# C% J0 ]1 f) I; O$ N
& Z$ i ~4 q7 x, y1 C i6 W+ @int41handler PROC
( \" T' J8 O. C; w/ A; M" D mov cl,al
u" ] t% n1 U- g2 Y iret% z" ~. h4 _8 O( s' _( t
int41handler ENDP
7 d9 c- y. o, i$ q' L
6 d/ L7 L% d$ d, Q# g2 }$ u0 p H
xor ax,ax3 I# u* @3 j8 ^# W* N
mov es,ax
% ^' p0 M, p5 p3 i: l9 q6 A8 F( i mov bx, cs
( N4 ?, W6 @: E2 N lea dx, int41handler: h: L; _ I& D0 }& A! O; F
xchg dx, es:[41h*4]! h* ?3 R% Y( r+ \
xchg bx, es:[41h*4+2]
5 O( G N" z3 f. J in al, 40h
Y( ~ o. A, G; h" o) P5 { P xor cx,cx
' Z$ N/ a; t2 K& m7 N int 41h
) ]3 S: O/ x* T1 ]9 I% F/ M xchg dx, es:[41h*4]+ k5 ?2 j9 w+ s" \( C
xchg bx, es:[41h*4+2]
3 D3 s6 o* l2 I* p Q' U4 V" F) N cmp cl,al
- A' l. c7 S' b6 E- Z$ @ jnz SoftICE_detected
9 P: g% ?1 p6 ?) [$ m9 ^3 i9 D7 |! j
_________________________________________________________________________" g2 g% P9 _' y" q0 r4 E1 R) B
, R, c: j; `7 ?. VMethod 07
8 [, h2 m' Z2 \6 Z=========
8 |1 t: D& d% |2 t! S* |+ z; G1 w& p; L$ k; E7 g1 H6 z: T9 N& l$ c" W
Method of detection of the WinICE handler in the int68h (V86)
/ h' [% c& r% K0 o1 R" u- z8 L% l1 ~2 K) _0 g i
mov ah,43h8 [3 O$ i- N& D
int 68h; @& Q1 a i- g1 @2 M" |6 o
cmp ax,0F386h
6 K. O4 w, }' T3 a$ a& K jz SoftICE_Detected" X% U+ y- _7 U* o
9 {$ t/ O* |/ E7 L& M0 A
' o' v1 [' ~1 V# b/ p=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
0 C7 Q+ i9 J' N2 v ?3 n app like this:2 A; V2 r+ Y# N% x# Z; f
& W! u) ?! ~+ _ BPX exec_int if ax==68
% ]# v+ N3 r, |! r (function called is located at byte ptr [ebp+1Dh] and client eip is
& J+ ~" [7 x, A n1 R: J& e I located at [ebp+48h] for 32Bit apps)
$ k' H; P: h+ n6 V__________________________________________________________________________
$ C" E& ^3 A( ?* ]" }+ S, E- U0 B" [- A( M( I
0 j, x2 x8 c: q0 d6 Y* UMethod 08
5 t7 b ~. E+ z' r$ J5 W=========$ Q4 c# U) I! J- R0 y
( C& B8 S- F9 Y( h! f# O, U4 W/ [
It is not a method of detection of SoftICE but a possibility to crash the
+ [ S9 W6 h" P \! e( V3 usystem by intercepting int 01h and int 03h and redirecting them to another' c. {( y! i$ F
routine. c4 l4 L* M; M) Z% p
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
9 l) _3 f8 c0 K% n9 Bto the new routine to execute (hangs computer...)
) d t4 b G5 ~% { K+ O' l. x4 M; B
mov ah, 25h
6 f0 K# R% z0 c* j% e' R I6 f, M mov al, Int_Number (01h or 03h). V( k4 j& F# I
mov dx, offset New_Int_Routine# F* U- h2 z5 Q$ ?; j6 V, @
int 21h) d1 J7 k* V: S$ c( {/ j
# \2 Z! S0 v8 O/ m% \__________________________________________________________________________
y8 \ _1 c$ K" I' i) D) P1 Q3 `' U- m; h: J* N+ v) E+ Z/ O: z8 `% o; _- }* B
Method 095 Y1 }/ h# ^3 Z! Y' }& o+ Q
=========! w' N! F7 F9 V- n$ J! r6 t7 @
0 e6 g8 [/ A) R: nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 u3 o2 X) k" b4 L' q8 d5 Eperformed in ring0 (VxD or a ring3 app using the VxdCall)./ V$ T" l6 D2 E
The Get_DDB service is used to determine whether or not a VxD is installed; T8 F. @1 s2 o5 u
for the specified device and returns a Device Description Block (in ecx) for
( @! E1 _3 {. N& r9 u U; ~0 i) [9 ^' Fthat device if it is installed.! ^1 n) L; s; g
; f9 y, b# G) X. n& A mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID6 N* b/ M- ?) T" s7 N# I4 ~
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 w E$ t& {# W
VMMCall Get_DDB
* n* S3 ~% D9 S mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
: G1 |' R# o1 ]3 B- s8 c* A
$ I% z1 a2 D) H; Z; QNote as well that you can easily detect this method with SoftICE:
- y9 G$ f: N' A0 E# U bpx Get_DDB if ax==0202 || ax==7a5fh5 G$ B8 x- }+ E5 r3 L
" z- ^) Y- k" N% k3 r) e; f4 e
__________________________________________________________________________
& }) \9 X6 V/ Q1 i g) v6 s# ]/ r( T, e) m1 @ `" q3 x" v" Z5 E, W
Method 10
& V9 t1 {/ U" u0 P=========3 e2 v8 g3 R' T+ N+ m! S, K
1 ]& b/ L2 ^) X( U n8 t- @
=>Disable or clear breakpoints before using this feature. DO NOT trace with
! V4 M p9 x' R1 }% c5 } SoftICE while the option is enable!!
, c. \ t9 ]$ \; x. f# Z+ v2 A
9 s! j+ ]% Y! w4 U. YThis trick is very efficient:
' P+ _3 Y6 e* B9 k% r1 R' _by checking the Debug Registers, you can detect if SoftICE is loaded; [; v8 j8 L3 U
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 _$ D& N9 e w" n3 M. M
there are some memory breakpoints set (dr0 to dr3) simply by reading their7 a: R i1 f; k0 b3 ^% y
value (in ring0 only). Values can be manipulated and or changed as well
; k; m* d0 F" e, }(clearing BPMs for instance)
7 B. o. [, @% W- q7 G7 ^6 P _- w7 Z* `& p* v3 _
__________________________________________________________________________
: X. D! N) q5 w# b1 q- V/ H3 }) I: L! T9 V
Method 11( y0 D7 [0 v) w* W
=========
$ ~$ d: c4 B2 |* s% z. z" X
% O( T. c! C. ^3 Z# MThis method is most known as 'MeltICE' because it has been freely distributed
* l# T6 r% ~& y5 M3 }0 r) y* O Xvia www.winfiles.com. However it was first used by NuMega people to allow
/ H6 I8 `) N/ c$ o3 h5 GSymbol Loader to check if SoftICE was active or not (the code is located
' ~1 Z' `# g. Dinside nmtrans.dll).
& ^9 v9 k4 ~; M$ a2 t7 @# e" D4 b0 c1 p e" m, d
The way it works is very simple:
8 [9 b& ~! ^7 vIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for, W% e$ p0 [) F o+ q$ I. J* s
WinNT) with the CreateFileA API.
3 Z9 K8 T# l* r+ u3 Y. \
9 U- ~' N2 M( |3 ]* Z" aHere is a sample (checking for 'SICE'):; A( u1 N- ~6 H/ {% B4 O6 a
( t+ R* I# q! g) h& G- p
BOOL IsSoftIce95Loaded()
- n2 O8 l2 I* s8 R$ h( f" m{' p. m* m! p. X, l4 u- `
HANDLE hFile; 1 G6 Y4 T$ F6 {3 A# T: m6 I
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ e6 T6 U2 g" X5 C4 I4 n; k1 a/ \ FILE_SHARE_READ | FILE_SHARE_WRITE,
! J% T k+ H! v% E NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 u/ c/ h( R3 `3 h0 t) o- a; o
if( hFile != INVALID_HANDLE_VALUE )/ p8 w4 i$ v) f5 R" w; {7 H6 ~
{/ M) E8 L W/ K5 r( S
CloseHandle(hFile);
/ ]5 W5 p: Z3 T7 _, F* ` return TRUE;
& {( b, |9 E. K# R2 a' o7 r }" |1 k3 Z; m5 M1 ?
return FALSE;
. L( R; z# B& \: Y' h: h0 M. n}" \( }4 x; F( J0 S
; B- l" f; @" e: a# L% }
Although this trick calls the CreateFileA function, don't even expect to be% N( N8 J9 X) j0 e" `8 t
able to intercept it by installing a IFS hook: it will not work, no way!
4 ^8 Z5 e0 \' O ?" U+ lIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
: t6 f/ m+ U3 M* Y% r' f! }. Dservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)( a) ^ M' Y v) t2 _4 J1 h D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc* u. v' ?7 @2 Z D5 z( @
field.. A2 }0 A3 j3 [; c7 E: M2 ]
In fact, its purpose is not to load/unload VxDs but only to send a
8 O) N; L4 m3 O8 VW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
& m1 m9 v1 e8 l$ Eto the VxD Control_Dispatch proc (how the hell a shareware soft could try% N- }" h; L3 T( U: x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 b# H2 ?( \, k
If the VxD is loaded, it will always clear eax and the Carry flag to allow# b0 w! X, k4 V# L8 }4 |, F
its handle to be opened and then, will be detected.# L. |( x- b7 a, }- C% I
You can check that simply by hooking Winice.exe control proc entry point/ o. C) l; }; `2 e
while running MeltICE.- b7 i5 o" C2 a. s/ @0 T
- c" u2 T) N8 n
% A0 u0 }1 z0 O 00401067: push 00402025 ; \\.\SICE
; H5 o8 m6 c+ m8 ?# s3 T! S 0040106C: call CreateFileA; K, x) y# v( Z+ e& J* X
00401071: cmp eax,-001% g v! k: C6 L; S
00401074: je 00401091- W. ~4 K: c2 x- o
7 L% Y7 O0 W0 c5 x+ Q$ g2 [, t0 Y% s% Y0 v H. Z& k
There could be hundreds of BPX you could use to detect this trick.
0 ]" q5 ~1 }+ {% k( F# y1 [-The most classical one is:2 m0 c; {& B y
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||7 ~; c- K3 m7 r$ R/ Z# G
*(esp->4+4)=='NTIC'
* H' P, K p. f0 G# }$ r9 l E: V: o
-The most exotic ones (could be very slooooow :-(# Q- c w2 D1 q' B6 [
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
8 Z# o- K- k& i5 r ;will break 3 times :-(5 U; Y- K- I6 z
* R" X% x# ~- ]# ~0 T" Q( P# V
-or (a bit) faster: + B# }" l. J F5 Q4 @& {
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')3 X' Q1 ]1 t/ t! J3 C! i k$ c
2 ~' f0 x) }: B: ]$ m$ v. r J: F BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' * S. U4 K0 S" r5 e4 G) H
;will break 3 times :-(* E1 t1 L% H( y7 V
6 T8 v0 x8 o) T6 W-Much faster:
$ o, i, z0 |, n0 Q8 o7 M( U BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'- @. U2 Z2 ~6 y; _# I: Y; h
& I4 x8 W0 A+ `3 o: D. }3 l FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen' \& n) t* I" M1 E' M: t
function to do the same job:2 o* b4 E. g5 f
3 {( W2 Q% W1 j
push 00 ; OF_READ
, L2 P- _# c1 n9 O1 }4 H mov eax,[00656634] ; '\\.\SICE',0
* a& S) J& g+ o) a push eax9 ], z! e& b( I! z
call KERNEL32!_lopen
# C5 u; l; b" ]" T9 y! Q6 d inc eax& |+ x3 ]& r, Y8 D8 ~
jnz 00650589 ; detected( g: k; A: t: Y- U* B
push 00 ; OF_READ
5 S; j h9 c) V: \2 G; H mov eax,[00656638] ; '\\.\SICE'
" u% H: O6 R0 l: n4 q# a; e push eax5 f) D! j+ L( j7 L4 I. E/ k
call KERNEL32!_lopen |# }* h/ ^3 f7 Z3 J2 z) F) d
inc eax
7 |3 l6 c. z8 Y jz 006505ae ; not detected) O- c/ z1 S3 d5 N
0 T! Y3 U) Y) s" R: Y0 X
% H/ O! s6 F6 S) O. I__________________________________________________________________________+ v! W; J1 B% X: h3 R9 u
/ i5 c+ D' b' H- kMethod 12
& C2 O! N6 x+ p( c2 j- @" c+ j7 Y=========9 P" A$ N6 q( K- I
0 I3 y* ?1 u9 c
This trick is similar to int41h/4fh Debugger installation check (code 05
7 {* C) G) A' ~2 _* K& 06) but very limited because it's only available for Win95/98 (not NT)- B( x! v6 b& j: z/ ~/ J7 \
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.% M7 T" n3 Y! O6 N& [, k, h
: b5 ~# e; k1 W push 0000004fh ; function 4fh
2 [# n/ u, U5 n! i9 D1 h& [ push 002a002ah ; high word specifies which VxD (VWIN32)
. u/ W( C7 h/ D6 e! u/ G" U8 A4 e( }* N ; low word specifies which service+ {# j5 K- N4 \3 w
(VWIN32_Int41Dispatch)
+ @6 `2 q# k; ?0 c1 r1 [( C+ V call Kernel32!ORD_001 ; VxdCall
2 S! b1 h6 _ \7 m3 B cmp ax, 0f386h ; magic number returned by system debuggers% \ U- P: H& R# D9 l- _ p+ @1 N3 \" [
jz SoftICE_detected
$ r O$ W9 ^. r. o+ a6 c# J% P. A1 {7 R8 |1 v5 f% w
Here again, several ways to detect it:
2 L1 x" n" q- _5 O w% G6 M
4 F8 F* G" C M1 Q9 ?8 A BPINT 41 if ax==4f
* I' B' l E3 W7 L
; d6 @% K+ ?8 r1 P! P8 N# d% T BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
; k9 C/ j: V2 u8 ?5 b/ U0 h/ v' A6 j- a' ? x4 ?8 v7 Y
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A Z' E# a5 n* o( A7 c: w1 }( D \
* | x1 r8 c" ~1 \6 D3 E; k
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ f9 q' C+ s1 x5 R9 X( U- p9 Z* ~4 k% Q: K
__________________________________________________________________________3 S4 P! f4 J. b9 r0 ]- K
. w% h( e$ d$ s8 _3 Z% WMethod 13
6 h+ C8 n8 E! a' v- ]' `$ n; t=========( _. q! h0 ]" X# F- b: j" X1 Z
9 y+ E1 e( s$ ]Not a real method of detection, but a good way to know if SoftICE is
' p* v* G7 j3 Y' e* Cinstalled on a computer and to locate its installation directory.$ w- ], u. G; |: P9 E0 a, A
It is used by few softs which access the following registry keys (usually #2) :7 b; ? ?5 X! ^* x" c$ n
/ }( l$ A8 z2 P; ~% x" S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' C3 J$ _6 q' `! G8 p. w\Uninstall\SoftICE
6 |2 S4 w7 y( \( R5 O2 L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# [/ b2 |5 T/ n% v-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- `. k8 s* h- q( z0 S" \* p+ _\App Paths\Loader32.Exe7 I% P4 l- J+ X6 |
& E- b6 B2 }7 z+ W5 S
" B' y, h" v4 L* }( ^4 j
Note that some nasty apps could then erase all files from SoftICE directory- i+ w8 E% V8 M& ^
(I faced that once :-(8 ~' \1 ]6 _5 w9 A' W7 d# `
" q8 X* ?# h- Q7 k% h
Useful breakpoint to detect it:
! \+ R- f5 m9 c# {) j& F
) e; \9 k5 ^1 p9 J: V3 i BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
0 m# v l9 e4 u4 z' z: D. L6 Z! ~$ W) J/ }+ ?9 i) P
__________________________________________________________________________
! V5 P( H% M Z" {. J0 I: O; }& X6 U( t1 f5 @3 T
8 X, V# x3 v8 r: R( q$ K+ I, OMethod 14
1 ]# q# O- x: s$ c=========& z; d. m! E* R" Q6 |3 c
7 q9 h$ D% C! R4 F2 S. x0 n- \, u5 JA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
! z6 I' Y8 C5 Ris to determines whether a debugger is running on your system (ring0 only).
" P, {2 m* X- A* q, G. V/ m* G( m' h- k k
VMMCall Test_Debug_Installed
- w ^1 U7 s4 \/ d+ H& N je not_installed
# L$ C/ L( M: ~! O y7 g" A% q; H3 D( \* X
This service just checks a flag.
) `+ z- {8 `2 y</PRE></TD></TR></TBODY></TABLE> |