<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; AL is still 4 unless SoftICE's int 3 handler answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095  MOV AX,0911    ; execute command.
 4C19:0098  MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A  MOV SI,4647    ; 1st magic value.
 4C19:009D  MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0  INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1  ADD BX,02      ; BX+2 to point to the next command to execute.
 4C19:00A4  INC CX
 4C19:00A5  CMP CX,06      ; Repeat 6 times to execute
 4C19:00A8  JB 0095        ; 6 different commands.
 4C19:00AA  JMP 0002       ; Bad_Guy jmp back.
 4C19:00AD  MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0 if no VxD with that ID answered)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                   ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install a dummy int 41h handler
        xchg bx, es:[41h*4+2]       ; (and keep the old vector in dx:bx)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(no 4Fh/0F386h constants to look for):

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax                   ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]         ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; al = a changing value (timer channel 0)
        xor cx,cx
        int 41h                     ; our handler copies al into cl...
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                   ; ...unless a debugger swallowed the int 41h
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
         located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS Set Interrupt Vector
        mov al, Int_Number              ; (01h or 03h)
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
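To make the DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes the register layout in Python. It assumes the DR7 layout documented in the Intel SDM: bit 10 is reserved and always reads as 1, which is why 0x400 is the idle value, and 0x700 adds the LE and GE bits on top of it. The decoder only interprets a value you have already captured (reading DR7 itself is a ring0 operation, as the text says); the three sample values, including the constructed 0xD0401 with one 4-byte write breakpoint in slot 0, are made up for the demo.

```python
"""Decode the x86 DR7 debug-control register (added example, not from the original text)."""
from dataclasses import dataclass, field
from typing import List, Sequence

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for breakpoints 0..3
#   bit  8/9   LE / GE         local/global "exact" breakpoint enable
#   bit  10    reserved, always reads as 1 (hence the 0x400 baseline quoted above)
#   bit  13    GD              general detect: trap on any access to DR0-DR7
#   bits 16+   R/Wn, LENn      condition and length, 4 bits per breakpoint slot
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int
    address: int      # taken from DR0..DR3
    local: bool
    global_: bool
    kind: str
    length: int


@dataclass
class Dr7State:
    raw: int
    le: bool
    ge: bool
    gd: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dr7State:
    """Split DR7 into its flag bits and the list of enabled breakpoint slots."""
    state = Dr7State(raw=dr7,
                     le=bool((dr7 >> 8) & 1),
                     ge=bool((dr7 >> 9) & 1),
                     gd=bool((dr7 >> 13) & 1))
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue  # slot disabled: its R/W and LEN fields carry no meaning
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        state.breakpoints.append(
            HwBreakpoint(slot, dr0_3[slot], local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return state


def softice_loader_heuristic(dr7: int) -> bool:
    """The text's rule of thumb: LE and GE both set (0x700) means the program was
    started through the SoftICE loader; 0x400 is the idle baseline."""
    return (dr7 & 0x300) == 0x300


def memory_breakpoints_set(dr7: int) -> bool:
    """True if any of the four hardware breakpoint slots is enabled (a BPM in SoftICE terms)."""
    return (dr7 & 0xFF) != 0


# Constructed sample values: the two quoted by the text, plus one with a
# 4-byte write breakpoint in slot 0 (L0=1, R/W0=01b write, LEN0=11b 4 bytes).
DR7_WITH_LOADER = 0x700
DR7_IDLE = 0x400
DR7_WRITE_BPM0 = 0x400 | 0x1 | (0x1 << 16) | (0x3 << 18)   # == 0xD0401

if __name__ == "__main__":
    for value in (DR7_WITH_LOADER, DR7_IDLE, DR7_WRITE_BPM0):
        s = decode_dr7(value, dr0_3=(0x00401000, 0, 0, 0))   # constructed DR0
        print(f"DR7={value:#x}: LE={s.le} GE={s.ge} GD={s.gd} "
              f"loader={softice_loader_heuristic(value)} bpm={memory_breakpoints_set(value)}")
        for bp in s.breakpoints:
            print(f"  slot {bp.slot}: {bp.kind} len={bp.length} at {bp.address:#010x} "
                  f"(L={bp.local} G={bp.global_})")
```

The heuristic functions reproduce exactly the two tests the text describes (loader present, BPMs set); anything beyond that, such as the GD bit, is there so the reader can see the rest of the register, not because the text claims SoftICE uses it.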
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

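Several of the tricks above leave fixed constants in the protected binary: the 'BCHK' value of method 01, the 4647h/4A4Dh magic of method 02, the VxD IDs behind int 2Fh/1684h of methods 03/04, the 0F386h magic of methods 05/07/12, the 002A002Ah VxDCall of method 12, the device names of method 11 and the registry keys of method 13. An analyst triaging a packed sample can therefore look for them statically, before ever running the thing under a debugger. The scanner below is an added example, not part of the original text: the byte patterns are hand-assembled x86 encodings of the instructions shown above (an assumption about how a protector typically emits them, with a small allowance for unrelated instructions in between), and the sample blob is constructed for the demo. It will miss constants that are built at run time, stored as wide strings, or obfuscated.

```python
"""Static scan for the SoftICE-detection constants listed above (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Hit:
    label: str
    offset: int
    matched: bytes


# (label, pattern). Encodings are little-endian x86; ".{0,N}?" tolerates a few
# unrelated instructions between the key ones. All patterns are assumptions
# about typical emitted code, not signatures taken from the original text.
SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    # Method 01: mov ebp, 4243484Bh ('BCHK'), optionally with a 66h operand-size prefix
    ("M01 BoundsChecker BCHK signature",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh (the back-door 'magic values')
    ("M02 back-door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("M03/M04 int 2Fh/1684h VxD ID probe",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h (mov eax,4Fh also starts with B8 4F 00)
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (the system-debugger magic number)
    ("M05/M07/M12 0F386h magic compare",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h WinICE handler probe",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah (VWIN32_Int41Dispatch)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 11: the device names MeltICE opens with CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: the registry keys that reveal the install directory
    ("M13 SoftICE registry key",
     re.compile(rb"(?:NuMega|Uninstall)\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit in the blob, ordered by offset."""
    hits: List[Hit] = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append(Hit(label, m.start(), m.group(0)))
    hits.sort(key=lambda h: (h.offset, h.label))
    return hits


def build_sample() -> bytes:
    """Constructed test blob: hand-assembled fragments of the tricks, NOP-separated."""
    nops = b"\x90" * 4
    return (
        b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"       # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
        + nops + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
        + nops + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # xor di,di; mov es,di; mov ax,1684h; mov bx,0202h; int 2Fh
        + nops + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"         # mov ax,4Fh; int 41h; cmp ax,0F386h
        + nops + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # push 4Fh; push 002A002Ah
        + nops + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # device names as C strings
        + nops + b"Software\\NuMega\\SoftICE\x00"             # registry key path
    )


if __name__ == "__main__":
    for h in scan(build_sample()):
        print(f"{h.offset:#06x}  {h.label:40s}  {h.matched.hex(' ')}")
```

Run it on a real sample by passing the file's bytes to scan(); a hit is a reason to look at that offset, not proof of a protector, since 'SICE' or a 0F386h compare can occur innocently. Treat the list as a triage aid that tells you which of the methods above to expect when you do run the sample under a debugger.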
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>