<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE handles the BoundsChecker request and modifies al
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (saving the old one)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; SoftICE intercepts the call before our handler is reached
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; without a debugger, ax is left untouched (4Fh)
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect:

int41handler PROC
    mov cl, al              ; our handler copies al into cl
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read an arbitrary value from the timer port
    xor cx, cx
    int 41h                 ; reaches our handler only if no debugger intercepts int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al means our handler ran
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
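An added Python decoder (not from the original text) that splits a DR7 value into the fields the paragraph refers to: it shows why 0x700 (LE and GE set) differs from 0x400 (only the always-set reserved bit 10) and which of dr0..dr3 currently back a BPM. The DR7 layout is taken from the Intel architecture manual; the sample values are constructed.

```python
# DR7 field layout from the Intel SDM (debug registers); added decoder,
# not code from the original text.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its enable bits and per-breakpoint fields."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gn: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: size of the watched range
        bps.append({"index": i, "local": bool(local), "global": bool(glob),
                    "enabled": bool(local or glob),
                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "LE": bool(dr7 & 0x100),              # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & 0x400),  # always reads as 1
        "GD": bool(dr7 & 0x2000),             # general detect: traps MOV to/from DRn
        "breakpoints": bps,
    }


def started_from_softice_loader(dr7):
    """The text reports dr7 == 0x700 when the program was started from the
    SoftICE loader and 0x400 otherwise: the difference is LE and GE being set."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def armed_bpm_slots(dr7):
    """Indices of dr0..dr3 that currently back an enabled hardware breakpoint (BPM)."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus 0x400 with a 4-byte
    # write watchpoint armed in dr0 (L0, G0, R/W0 = 01, LEN0 = 11).
    for value in (0x700, 0x400, 0x000D0403):
        print(hex(value), started_from_softice_loader(value), armed_bpm_slots(value))
```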

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

// Win32 API; needs the windows.h header.
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    // The open only succeeds when the SICE VxD is loaded (see below).
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; "\\.\SICE"
 0040106C: call CreateFileA
 00401071: cmp  eax,-001
 00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov  eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                 ; HFILE_ERROR (-1) becomes 0
    jnz  00650589            ; detected
    push 00                  ; OF_READ
    mov  eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae            ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but is very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp  ax, 0f386h          ; magic number returned by system debuggers
    jz   SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
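The instruction sequences and driver names quoted for methods 01, 02, 03/04, 05, 11 and 12 are easy to pattern-match when triaging a packed binary without running it. The scanner below is an added example (not part of the original text or of any tool it mentions); the byte patterns are the hand-assembled encodings of the listed instructions, and the sample buffer is constructed.

```python
import re

# Hand-assembled encodings of the instruction sequences quoted for methods
# 01, 02, 03/04, 05 and 12, plus the driver names opened by method 11.
# Each entry: (method number, description, regex over raw bytes).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42"),          # mov ebp, 4243484Bh ('BCHK')
    ("02", "SoftICE back door: SI=4647h, DI=4A4Dh, int 3",
     rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC"),     # mov si,4647h; mov di,4A4Dh; ... int 3
    ("03", "int 2Fh/1684h lookup of VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),        # mov ax,1684h; mov bx,0202h; int 2Fh
    ("04", "int 2Fh/1684h lookup of VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),        # mov ax,1684h; mov bx,7A5Fh; int 2Fh
    ("05", "int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00\xCD\x41"),                    # mov ax,4Fh; int 41h
    ("11", "MeltICE: CreateFile/_lopen on a SoftICE driver name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),       # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),  # push 4Fh; push 2A002Ah
]


def scan(blob):
    """Return (offset, method, description) tuples for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """Just the sorted method numbers present, for a quick triage verdict."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample buffer (not taken from any real binary): filler bytes
# around a MeltICE driver string and the method 05, 12 and 01 sequences.
SAMPLE = (
    b"\x90" * 16
    + b"\\\\.\\SICE\x00"                                  # method 11 string
    + b"\x55\x8B\xEC"                                      # push ebp; mov ebp,esp (filler)
    + b"\xB8\x4F\x00\xCD\x41"                              # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # method 12 + call [mem]
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 + cmp al,4
    + b"\x00" * 8
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04X}  method {method}: {desc}")
```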

___________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>