<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer counter byte: a value the debugger cannot predict
    xor cx, cx
    int 41h                  ; our handler copies al to cl; a debugger swallowing the int does not
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h              ; DOS: set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE (Win9x) driver device by name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded, so the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

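Methods 11 to 13 leave artefacts in the file itself that need no emulation to spot: the \\.\SICE, \\.\SIWVID and \\.\NTICE device names handed to CreateFileA or _lopen, the registry paths listed in Method 13, and the fixed push 4Fh / push 2A002Ah / call [Kernel32!ORD_0001] sequence of the Method 12 VxDCall variant. The Python scanner below is an added example and not the page's own code: it searches a buffer for those indicators in both narrow (ANSI) and UTF-16LE form, matches the registry key tails case-insensitively (the HKEY_LOCAL_MACHINE root is a handle argument, not part of the string a program embeds), flags the VxDCall stub by its opcode bytes, and reports offsets. The SAMPLE buffer, including the call target bytes in its VxDCall stub, is constructed for the demonstration.

```python
import re
from typing import Iterator, List, Tuple

# Device names opened by MeltICE-style checks (Method 11).
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")
# Tails of the registry paths probed by the installation check (Method 13).
SOFTICE_REG_KEYS = (
    r"Uninstall\SoftICE",
    r"NuMega\SoftICE",
    r"App Paths\Loader32.Exe",
)
# Method 12 stub: push 4Fh ; push 2A002Ah ; call [Kernel32!ORD_0001]
# encoded as 6A 4F / 68 2A 00 2A 00 / FF 15 disp32.  The cmp ax,0F386h that
# follows is deliberately not required, so a variant that moves the compare
# elsewhere is still reported.
VXDCALL_INT41 = re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,8}?\xFF\x15", re.DOTALL)


def _needles(text: str) -> Iterator[Tuple[str, bytes]]:
    """Yield the same literal as a narrow (ANSI) and a wide (UTF-16LE) string."""
    yield "ascii", text.encode("ascii")
    yield "utf-16le", text.encode("utf-16-le")


def scan_artifacts(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, detail) for each SoftICE artefact found in data."""
    hits: List[Tuple[int, str, str]] = []
    for dev in SOFTICE_DEVICES:
        for enc, needle in _needles("\\\\.\\" + dev):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), "device", f"\\\\.\\{dev} ({enc})"))
    for key in SOFTICE_REG_KEYS:
        for enc, needle in _needles(key):
            # registry paths are case-insensitive, so match them that way
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append((m.start(), "registry", f"{key} ({enc})"))
    for m in VXDCALL_INT41.finditer(data):
        hits.append((m.start(), "vxdcall", "VWIN32_Int41Dispatch function 4Fh via Kernel32 ordinal 1"))
    hits.sort(key=lambda h: h[0])
    return hits


# Constructed sample: a benign device name that must stay silent, the three
# kinds of SoftICE artefact, and NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\\\\.\\PhysicalDrive0\x00"                         # ordinary device name: not reported
    + b"\\\\.\\SICE\x00"                                   # ANSI MeltICE target
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"     # wide-char NT variant
    + b"SOFTWARE\\NUMEGA\\SOFTICE\x00"                     # registry probe, upper-cased
    + bytes.fromhex("6A4F682A002A00FF1500104000663D86F37405")  # Method 12 stub, call target constructed
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, kind, detail in scan_artifacts(SAMPLE):
        print(f"{off:#06x}  {kind:8s}  {detail}")
```

The wide-string pass matters on NT, where a Unicode build passes L"\\\\.\\NTICE" and a narrow-only search misses it; the registry tails are kept short on purpose, since programs embed the subkey string and pass HKEY_LOCAL_MACHINE separately.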
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>