<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0:0 => no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to hold 0 (the interrupt vector table), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]           ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]           ; ...and restore the original one
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h                ; our handler leaves ax untouched
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                    ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                    ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]           ; install our int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                    ; unpredictable value from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]           ; restore the original handler
    xchg bx, es:[41h*4+2]
    cmp cl, al                    ; our handler was not reached => debugger
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                   ; set interrupt vector
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID         ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);         /* the driver is there: detected */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                       ; OF_READ
    mov eax,[00656634]            ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                  ; detected
    push 00                       ; OF_READ
    mov eax,[00656638]            ; '\\.\SICE',
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                   ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
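The breakpoints given for each method only work once the sample is already
running under SoftICE. When triaging a packed sample you usually want to
locate these checks statically first, so that you know where the anti-debug
code sits before you trace it. The following scanner is an added example and
not code from the original text; it searches a raw code/data buffer for the
byte patterns behind methods 01 to 13 above (the standard x86 encodings of the
instruction sequences listed there, with an optional 66h operand-size prefix
where the same 16-bit sequence also appears in 32-bit code, plus the
"\\.\SICE" device names and the NuMega registry key). The method labels and
the SAMPLE buffer are constructed for illustration.

```python
"""Static scanner for the SoftICE-detection idioms described above.

Added example, not code from the original text: the method labels and the
SAMPLE buffer are constructed for illustration. Signatures are the standard
x86 encodings of the instruction sequences listed in the methods above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # the method number in the text the pattern belongs to
    offset: int   # byte offset of the match in the scanned buffer
    detail: str   # short description of what matched


# (method, pattern, description). A leading 66h operand-size prefix is
# optional where the same 16-bit sequence can appear inside 32-bit code.
PATTERNS = [
    ("Method 01", rb"\xbd\x4b\x48\x43\x42",            # mov ebp,4243484Bh ('BCHK')
     "BoundsChecker signature before int 3"),
    ("Method 02", rb"\xbe\x47\x46\xbf\x4d\x4a",        # mov si,4647h ; mov di,4A4Dh
     "SoftICE back door magic values in SI/DI"),
    ("Method 03", rb"(?:\x66)?\xbb\x02\x02\xcd\x2f",   # mov bx,0202h ; int 2Fh
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    ("Method 04", rb"(?:\x66)?\xbb\x5f\x7a\xcd\x2f",   # mov bx,7A5Fh ; int 2Fh
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    ("Method 05", rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",   # mov ax,4Fh ; int 41h
     "int 41h function 4Fh debugger check"),
    ("Method 07", rb"\xb4\x43\xcd\x68",                # mov ah,43h ; int 68h
     "int 68h function 43h (V86 handler)"),
    ("Method 11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",   # "\\.\SICE" and friends
     "driver device name passed to CreateFileA/_lopen"),
    ("Method 12", rb"\x68\x2a\x00\x2a\x00",            # push 002A002Ah
     "VWIN32_Int41Dispatch service via VxDCall"),
    ("Method 13", rb"NuMega\\SoftICE",                 # registry key fragment
     "SoftICE registry key lookup"),
]
COMPILED = [(m, re.compile(p), d) for m, p, d in PATTERNS]


def scan(buf: bytes) -> list[Hit]:
    """Return every match of every signature, ordered by offset."""
    hits = [Hit(method, m.start(), detail)
            for method, rx, detail in COMPILED
            for m in rx.finditer(buf)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def summarize(buf: bytes) -> dict[str, int]:
    """Number of hits per method; packed samples usually show several."""
    counts: dict[str, int] = {}
    for hit in scan(buf):
        counts[hit.method] = counts.get(hit.method, 0) + 1
    return counts


# Constructed sample: filler bytes around a handful of the idioms above,
# in the form a compiler or packer would emit them.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"                  # mov ebp,4243484Bh    (Method 01)
    + b"\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\x90" * 4
    + b"\x66\xb8\x4f\x00\xcd\x41"              # mov ax,4Fh ; int 41h (Method 05)
    + b"\x66\x3d\x86\xf3"                      # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"       # device names         (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"         # registry key         (Method 13)
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.method}: {hit.detail}")
```

Run it over the raw code and data sections of the sample rather than the
whole file. The string and registry patterns are reliable on their own; a hit
on one of the short opcode sequences (Method 07 is only 4 bytes) should be
confirmed in the disassembler before you set a breakpoint on it, and methods
that leave no fixed byte pattern (the debug register reads of Method 10, the
VMM services of Methods 09 and 14) still need the dynamic breakpoints given
in their sections.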

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>