<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

// needs windows.h; returns TRUE when the \\.\SICE device can be opened
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

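As an added example (not part of the original text), here is a Python scanner that looks for the byte and string patterns of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw binary, so an analyst can triage a sample for these tricks before loading it under a debugger. The opcode encodings are hand-assembled from the listings above and the sample buffer is constructed, not taken from any real program.

```python
import re
from typing import Dict, List, Tuple

# Added example: a static scanner for the anti-SoftICE byte patterns described on
# this page. Opcodes are hand-assembled 16-bit x86; an optional 66h operand-size
# prefix is allowed where the same instruction appears in 32-bit code.
SIGNATURES: Dict[str, bytes] = {
    # mov ebp,4243484Bh ('BCHK'): BD 4B 48 43 42
    "method01 BoundsChecker BCHK handshake": rb"\x66?\xbd\x4b\x48\x43\x42",
    # mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) near each other, either order
    "method02 back door magic SI/DI": (
        rb"(?:\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a"
        rb"|\x66?\xbf\x4d\x4a.{0,16}?\x66?\xbe\x47\x46)"
    ),
    # mov ax,1684h; mov bx,0202h or 7A5Fh; int 2Fh
    "method03/04 VxD entry point via int 2Fh": (
        rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"
    ),
    # mov ax,4Fh; int 41h
    "method05 int 41h/4Fh debugger check": rb"\x66?\xb8\x4f\x00\xcd\x41",
    # mov ah,43h; int 68h
    "method07 int 68h/43h check": rb"\xb4\x43\xcd\x68",
    # device names opened by MeltICE-style checks
    "method11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # push 4Fh (6A 4F or 68 4F 00 00 00); push 2A002Ah (68 2A 00 2A 00)
    "method12 VxDCall VWIN32_Int41Dispatch": (
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"
    ),
    # registry key #2 of method 13; the registry is case-insensitive, so is the match
    "method13 SoftICE registry key": rb"(?i:Software\\NuMega\\SoftICE)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in COMPILED.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): some of the sequences above inside filler.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01
    + b"\x00" * 8
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"              # method 02, as in Haspinst
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # method 11 strings
    + b"\x00" * 8
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"      # method 12
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#08x}  {name}")
```

A hit only means the sequence is present; packed or self-modifying code will hide these bytes until unpacked, so treat a clean scan as inconclusive.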
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>