<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is running,
it answers the BoundsChecker call and AL no longer holds 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point); ES:DI stays 0:0 if no entry point is returned.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of winice
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh     ; VxD ID of SIWVID
    int 2fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped with a
do-nothing handler, so that without a debugger the call simply returns with
AX unchanged; a system debugger that intercepts int 41h still answers 0F386h:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es is assumed to be 0 (interrupt vector table)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
replacement handler copies AL (an unpredictable value read from timer port
40h) into CL. If the handler runs, CL equals AL afterwards; if a debugger
swallowed the interrupt, CX stays 0:

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler via int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        /* the open succeeds only if the SICE VxD is loaded */
        hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>