<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al is still 4 when SoftICE did not handle the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 when no such VxD is loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; ES = 0 (IVT segment), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a pseudo-random value (timer port)
    xor cx,cx
    int 41h                 ; without a debugger our handler runs and cl = al
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if something else handled int 41h, cl != al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"

/* Returns TRUE when the SICE driver can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is there */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
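As an added example (not code from the original page or from any tool it names), here is a Python scanner written from the analyst's side: it looks for the byte patterns the methods above compile to, so the anti-debugging checks of a sample can be located before it is run. The x86 encodings, the method labels and the sample bytes are assumptions constructed here.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.
Searches raw bytes for the instruction sequences the methods compile to and
reports which method each hit belongs to, so an analyst can locate a sample's
anti-debugging checks before running it. Constructed example, not page code."""
import re
import sys
from typing import List, Tuple

# (method label, regex over raw bytes). Encodings are the standard x86 ones for
# the page's 16-bit snippets (the 66h prefix seen in 32-bit code is tolerated);
# ".{0,n}?" allows a few unrelated bytes between the instructions of a method.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back-door magic values)
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh ... int 41h (reply 0F386h means a debugger)
    ("05/06 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h V86 handler check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: driver device names opened with CreateFileA or _lopen
    ("11 MeltICE driver handle open",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key naming NuMega\SoftICE
    ("13 SoftICE registry key lookup", re.compile(rb"NuMega\\SoftICE")),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method label) for every signature hit, sorted by offset."""
    return sorted((m.start(), label)
                  for label, pat in SIGNATURES for m in pat.finditer(data))


# Constructed sample (not a real binary): Method 01 as 32-bit code, then the
# int 2Fh/1684h check for SIWVID, then a '\\.\SICE' device name.
SAMPLE = (b"\x90\x90"                      # nop ; nop
          + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh
          + b"\x66\xB8\x04\x00\xCC"        # mov ax, 4 ; int 3
          + b"\x3C\x04\x75\x10"            # cmp al, 4 ; jnz SoftICE_Detected
          + b"\x00" * 4
          + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"   # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
          + b"\x00" * 4
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else SAMPLE
    for off, label in scan(blob):
        print(f"{off:08x}  method {label}")
```

Run it with a file path to scan that file; without arguments it scans the embedded sample and prints the three hits at offsets 2, 20 and 32.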