<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
EBP='BCHK' and AX=4, INT 3 normally returns with AL untouched, but when
SoftICE is loaded AL comes back different from 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below)
4C19:009A MOV SI,4647      ; 1st magic value
4C19:009D MOV DI,4A4D      ; 2nd magic value
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands
4C19:00AA JMP 0002         ; Bad_Guy: jmp back
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in the following method, are two examples
from Stone's "stn-wid.zip" (www.cracking.net). Here the program installs
its own int 41h handler (a bare IRET) before the call, so that without a
debugger AX comes back unchanged (4Fh); the point is that SoftICE still
answers 0F386h even though the vector in the IVT no longer points to it:

        xor ax, ax
        mov es, ax              ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:
there is no function 4Fh to break on and no compare against 0F386h. The
installed handler copies AL into CL, so if int 41h really reaches the
vector in the IVT, CL equals the value just read from port 40h; if a
debugger has taken the interrupt, CL stays 0 and the compare fails
(if the port read happens to return 0 the check gives a false negative).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT counter: a value that is hard to predict
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, 01h             ; interrupt number (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply
by reading their values (in ring0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
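
Added example (not from the original text nor from SoftICE itself): a small
Python decoder for the DR7 values quoted above. The bit layout used is the
x86 architectural one, so 0x400 is just the always-set reserved bit 10, while
0x700 additionally has bits 8 and 9 set (LE and GE, the exact-breakpoint-match
enables); an armed BPM shows up as an L/G enable bit plus its R/W and LEN
field. The breakpoint address in the sample is made up for the demonstration.

```python
# Decode DR7 the way method 10 reads it.  Bit layout: x86 architectural
# (L0..L3/G0..G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10, GD bit 13,
# R/Wn at 16+4n, LENn at 18+4n).  Sample addresses are constructed.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr_addr=(0, 0, 0, 0)):
    """Return the global control bits and the list of armed breakpoints."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1            # L0..L3 at bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1         # G0..G3 at bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3          # R/Wn: what triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3          # LENn: how many bytes
        armed.append({"slot": i, "addr": dr_addr[i],
                      "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & (1 << 8)),         # local exact breakpoint match
            "ge": bool(dr7 & (1 << 9)),         # global exact breakpoint match
            "bit10": bool(dr7 & (1 << 10)),     # reserved, always reads as 1
            "gd": bool(dr7 & (1 << 13)),        # general detect on DRx access
            "breakpoints": armed}


def softice_suspected(dr7, dr_addr=(0, 0, 0, 0)):
    """Method 10's heuristic: LE/GE set (SoftICE loader) or any BPM armed."""
    d = decode_dr7(dr7, dr_addr)
    return d["le"] or d["ge"] or bool(d["breakpoints"])


def clear_bpm(dr7):
    """What 'clearing BPMs' amounts to: drop every L/G enable and every
    R/W-LEN field, keep bits 8-15 (LE, GE, reserved bit 10, GD) as they were."""
    return dr7 & 0x0000FF00


# Constructed sample: one global 4-byte read/write BPM in slot 0 (= 0xF0402)
BPM_DR7 = 0x400 | (1 << 1) | (3 << 16) | (3 << 18)
BPM_ADDRS = (0x00401000, 0, 0, 0)

if __name__ == "__main__":
    for v in (0x400, 0x700, BPM_DR7):
        print(hex(v), decode_dr7(v, BPM_ADDRS), softice_suspected(v, BPM_ADDRS))
```

Reading DR0-DR7 with `mov eax, drN` is a privileged instruction, so the values
fed to this decoder must come from ring0 code, exactly as the text says.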

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles on the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\"
 prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of 'tICE' inside key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
' Q) y, I: T1 [7 i0 f6 i# ?8 p</PRE></TD></TR></TBODY></TABLE> |