<TABLE width=500>4 u, y7 i+ q3 B! U4 F! |$ q4 Y
<TBODY>% v3 M4 M0 O6 ~
<TR>
4 T& p- n- `5 O( u" k0 u<TD><PRE>Method 01
" ^$ @" w: s3 j9 t# {=========# i1 X% G8 v! L) G
! w8 B2 W3 }% J- o
This method of detection of SoftICE (as well as the following one) is
) T# u3 L! \) E& ]7 Eused by the majority of packers/encryptors found on Internet.* F6 B" X/ g( U% e- v
It seeks the signature of BoundsChecker in SoftICE
k6 A$ A) K" T% o5 \
" |" J& I& e) ~4 T mov ebp, 04243484Bh ; 'BCHK'
3 A: c- [+ X/ p$ p mov ax, 04h
/ m# g" g* `1 b$ h n+ G4 X: N# i int 3 ' K+ P9 Q' D2 a0 A1 }" Y- Y
cmp al,4
) M' S4 T9 P6 Q# ?+ d jnz SoftICE_Detected
% l M& [6 D& A% C5 L9 I, t
! _; B" i9 f( u; o& @9 B___________________________________________________________________________
$ @" f1 Z9 v; R5 y4 y X4 {# ?, _. V
Method 02
* H; D: w: p, X4 e=========) V- d3 A# w- p. S2 Q; w- a' l6 U& [
3 ?# m* g/ h" h# J" Q# G' \; G" ^
Still a method very much used (perhaps the most frequent one). It is used
: p/ n' j* A8 T+ ~" j& ^to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
# L* |) z- c- z0 I! |2 z1 Uor execute SoftICE commands...
( y5 o& `1 r2 j' l1 aIt is also used to crash SoftICE and to force it to execute any commands
4 ^/ G5 l( Z/ }2 w+ ~% b(HBOOT...) :-((
1 \2 Z; a! `) p* s1 I0 }; H6 m3 n; G
Here is a quick description:
4 r1 y0 z' r! w0 W-AX = 0910h (Display string in SIce windows)
: N6 k* _# Y: @% ^+ y: E. d-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
8 L- J0 f! l" q1 g$ o-AX = 0912h (Get breakpoint infos)" C: B$ {+ Z- s+ F0 Y% y& e
-AX = 0913h (Set Sice breakpoints)
! c4 x+ ~1 V/ u/ |: J( i-AX = 0914h (Remove SIce breakoints)# o# V2 k. h8 u) C1 ?
: i5 j* D" J2 L0 E3 B2 {Each time you'll meet this trick, you'll see:2 }" K4 T! N0 r# u5 g. y# V
-SI = 4647h1 t* h" d# _- d- h# n
-DI = 4A4Dh
3 u, a; m4 q! y; HWhich are the 'magic values' used by SoftIce.
* o4 x' l+ ^' EFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 Y6 W! V4 {& m" l& s! S
) e7 _/ e" S; b0 e2 x2 tHere is one example from the file "Haspinst.exe" which is the dongle HASP7 E5 ~! a0 s$ \* a' g) R( t1 F
Envelope utility use to protect DOS applications:- n. B4 o3 s( ~# i% G
6 _( Z. u+ |; h0 C U4 {0 Y+ O0 X' b. W$ m! f( i+ m
4C19:0095 MOV AX,0911 ; execute command.
9 P+ e- n% X& |0 x5 m8 P- D, Q4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
, d% J! Z7 m g2 j* b* F4C19:009A MOV SI,4647 ; 1st magic value.
; X0 c, |, \/ Y9 F% D4C19:009D MOV DI,4A4D ; 2nd magic value.
# o; m; o5 |& J4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*), o+ _2 L1 K# d$ f$ ]# ]' t; ?
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute1 _' B% \' }. |: s& I
4C19:00A4 INC CX
/ n4 H& p4 n3 G" \: q! Y4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
X9 D0 s/ y: Z" U# k4C19:00A8 JB 0095 ; 6 different commands.
4 x5 L8 a/ q; B4C19:00AA JMP 0002 ; Bad_Guy jmp back.
$ q9 w8 J4 u b8 b1 d; I4C19:00AD MOV BX,SP ; Good_Guy go ahead :)& O% E: n% s3 `$ V
/ [ Q$ |' Z( t& v. d
The program will execute 6 different SIce commands located at ds:dx, which; ^5 F. f$ d ?- c5 C
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 z. E+ ^: w( C* V: @6 E& Q7 U
& U3 U: J4 v* q; d# n* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.* u1 u! f* F7 I% f' Y
___________________________________________________________________________6 g2 P/ c9 `. e- ~
: t# j! F- T: _( m2 R5 U5 E B, g, C. ]; k! K- e
Method 03
: I D. O9 ?& s. P=========
4 B/ H- m' O) ^$ v: }, E8 `
7 G( A4 N4 V, U, ZLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h; t# q# t: h+ d) v9 f: i1 z" z4 `
(API Get entry point)) J' ?3 L/ X0 E$ {% k
/ T; | N7 ]+ a/ F9 w
" e2 \3 y$ f( s z xor di,di
6 n% h; X L$ p$ w9 r# i: f/ [ mov es,di
. c1 j$ f3 F2 {! o& _ mov ax, 1684h
: }" i3 ?7 v4 u! U! J8 |- R mov bx, 0202h ; VxD ID of winice
# ^) j: E+ I: m& i. L2 H int 2Fh' T% l# }- F# m) u( T5 @: v
mov ax, es ; ES:DI -> VxD API entry point
: t" I) b1 T+ t add ax, di
5 G! M% O! p9 H+ z+ T& l test ax,ax
# g- [ D) W. c8 Z! } jnz SoftICE_Detected
+ V+ _8 m6 S, ?/ x2 H
. c* h. ]/ h; i$ [6 G___________________________________________________________________________
! H) j0 |8 @% ^2 l
3 d1 e1 F" ?0 T8 h! C' {Method 04
5 _; L, x) Z" F) ]=========- {4 I. ]. G; D' c
$ A( Y) T) D' D: y& n" wMethod identical to the preceding one except that it seeks the ID of SoftICE2 O2 H; ?2 w: A2 e' L
GFX VxD.. r+ E: ?5 P. ~
7 n0 u" {) C. M {, ~4 `$ O+ S
xor di,di
' x5 e6 r; _+ D( l) x5 E mov es,di
0 a2 x m* A: R+ v mov ax, 1684h
$ f3 C: S6 W5 f4 e7 { mov bx, 7a5Fh ; VxD ID of SIWVID8 g: X/ S5 L6 r4 G/ D( Q
int 2fh
. f) i$ x# z% G mov ax, es ; ES:DI -> VxD API entry point, \4 V4 f: j ]3 H, Y% i
add ax, di
" u- X5 O3 I: D test ax,ax6 {& j0 n1 [+ F; ~" y" E' S
jnz SoftICE_Detected% m$ w1 L: Z( R) S1 a
4 O b/ g1 e% w. e/ f
__________________________________________________________________________
7 W# `, f$ e' k% l2 f% E+ _5 O- ^7 d
9 j, _0 m% F! t. D2 Y% T! h( u
Method 05
/ v. a! {# a# ]. y5 W=========
0 Y2 m6 p! g8 j6 B' ?' N/ x2 ~* Z0 C4 X2 z$ A% n P2 @
Method seeking the 'magic number' 0F386h returned (in ax) by all system
' d# I& x5 ]9 ~) ^2 l$ [debugger. It calls the int 41h, function 4Fh.7 u. H$ U4 `) u1 D9 h2 ?
There are several alternatives. 7 s U% n y ?1 n" t5 p: R C( a
$ h4 t d) u! W$ J- D6 i0 iThe following one is the simplest:* w, h$ k' f, U8 V
+ R" v0 Y6 D6 H( I) t! n mov ax,4fh
5 Z6 Q& J1 [! E$ p int 41h$ b+ R: w `" x/ T$ O: O: E4 L) J8 B; j
cmp ax, 0F386- y# h% J% W( o7 }
jz SoftICE_detected. e6 ?- W2 f/ |% H; m5 w
" r4 C, w3 W3 k5 \- e- F1 a/ z. l0 _& D, |
Next method as well as the following one are 2 examples from Stone's
; w3 j; a6 `3 j' ~" u! J"stn-wid.zip" (www.cracking.net):- N( f0 M) M9 {. F( O
% s7 |7 Y: e, w) j# G6 g: y1 @
mov bx, cs! }; }7 _9 E$ ?9 a# ~3 ?$ m0 O
lea dx, int41handler26 g$ w" q* w% ~6 o$ R8 H' n2 A
xchg dx, es:[41h*4]
# l( l6 N! B( S' e E/ i xchg bx, es:[41h*4+2]
8 x- N, n; M- j% X" i mov ax,4fh
* p4 X5 e: D; W int 41h: O0 x2 |2 z4 P d& Y$ t% |( I7 l
xchg dx, es:[41h*4]$ j; o' W( ~1 O) A
xchg bx, es:[41h*4+2]
6 Q8 d% _1 S% f' d% t cmp ax, 0f386h/ C: B2 H6 L! [" M% L: Q8 O
jz SoftICE_detected, d9 r7 ^% T) A5 Y. p: L8 G
& ^9 _' C) z/ Z4 K) v# N" }0 L* ~
int41handler2 PROC' i* d- F$ x2 E( s" q1 |+ I K
iret
: ^$ G: c9 y8 Tint41handler2 ENDP- s! ^! q9 N R
}0 L& i5 Q! C: B2 L2 m5 x7 V1 ]+ I V( t; j& m& `
_________________________________________________________________________, [, O \9 ?' W2 p$ ~2 F/ `
( G `1 [5 M) U( O0 j; |# ^ ?8 J6 O6 R* {0 x/ k8 {
Method 06( s- E/ [$ G6 M; t. S& E I
=========
- s2 w$ c# f* x7 I4 T8 `
2 m/ P }5 Z4 t/ V/ x1 T3 I: p- \! g+ \% G- j: Z* n8 m
2nd method similar to the preceding one but more difficult to detect:
7 b& c5 o3 a" r' J3 _9 p+ ]" P" Y5 g* |' y. C4 x
, W, E. B# \, {3 u5 f
int41handler PROC
3 ?) O: J6 y4 g% D# P5 s& r# m mov cl,al
4 B6 w$ [0 e1 w: L/ I# h6 u iret, h) P1 Y) C0 F( q
int41handler ENDP/ J; U4 _0 t4 n* Z& b* r
* z% z! T, u7 G; H R/ h
$ o/ C$ e3 N1 z5 g: U& e% g$ W* Y2 T1 ^
xor ax,ax
7 K: o; q1 U& ?# _ mov es,ax
/ a1 @0 N& x0 }5 U0 U mov bx, cs
# Z }; k- u8 F lea dx, int41handler, F c6 n! O: B0 E" D& b# F/ H i
xchg dx, es:[41h*4]2 v3 B( @' p j
xchg bx, es:[41h*4+2]- Y: E. @/ }( y( [. x9 p2 B- L
in al, 40h: c$ u* j* @% ~
xor cx,cx+ p' N! T' h, l6 B b3 `6 C
int 41h2 S" X' _& k1 P7 V
xchg dx, es:[41h*4]5 L5 o7 A. M9 W. E0 {
xchg bx, es:[41h*4+2]3 a/ m3 c$ l. I7 E
cmp cl,al4 a b0 E. T- I8 L+ N D) \4 F
jnz SoftICE_detected: i6 H' z1 J' Z9 w- N: {& O
a( w- T5 m' c' E_________________________________________________________________________
6 I% [8 b' _% f% L& w: ]: O
, l7 }% G( R) N& w n, I6 B4 @6 PMethod 07
# H; t. E: Z3 O2 A7 J5 _1 b=========
( e( w* h" ~/ H% f% K6 S2 a4 d% z g$ \
Method of detection of the WinICE handler in the int68h (V86). I. u. i# H1 l8 _& v
9 H/ x3 Y' R' W: u( l
mov ah,43h# H+ J) ^( g2 W6 f- [
int 68h
: l: n2 v6 T# x& z5 V, s( s# ? cmp ax,0F386h
; Y" I, O' w, {: \: n. Y2 w jz SoftICE_Detected
+ \- j8 P \9 x( d$ A6 B/ ~' P' {$ `; f$ |. y! h. [' }' Z6 l' J
3 B0 ?& k; P3 J' ^=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 A5 V2 x2 [# C- N* i5 P( W1 m app like this:
9 z4 A2 m1 a7 @) m4 g& f
7 d5 y( X% E Z. `) o6 H BPX exec_int if ax==680 E5 K( E4 d& j; t a- r
(function called is located at byte ptr [ebp+1Dh] and client eip is$ h6 L1 H t9 Y$ T, r
located at [ebp+48h] for 32Bit apps)9 y7 r) y+ i2 d6 k1 N+ ?
__________________________________________________________________________
& J6 W$ E. f# N: s% i. T0 H) i- `* K8 d6 s0 z" V( g t
% R" H* Q% {7 |* V& E( WMethod 08
& C6 j* |/ u, c; i z+ K, p w=========
6 j) W+ r1 L6 y! |6 Z7 x0 ~
* m' \/ q3 L/ _/ E. C7 `It is not a method of detection of SoftICE but a possibility to crash the1 e. ]2 X' \" \6 v* b, E
system by intercepting int 01h and int 03h and redirecting them to another
7 W" p- Z, l9 _( h5 n2 d( xroutine.
7 A) B( y6 E3 c eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
/ B& A: s. |0 F% Uto the new routine to execute (hangs computer...)/ |% _2 e. j6 \# _
: `, m9 y; h( }* {
mov ah, 25h" c6 w* q7 Y' I; y$ d. ^9 d) E' x
mov al, Int_Number (01h or 03h)3 s+ h/ A$ E8 b# \
mov dx, offset New_Int_Routine
: I: ^- E% I5 |4 O" D int 21h) X7 [3 J9 s3 C9 b( Q8 I! ?; M
1 V5 f( x% j9 ^: @( I& D
__________________________________________________________________________
# C2 M5 e f% c% c+ r$ f& i' P4 }; ^' P
Method 09
" y$ T. F, R3 S2 F4 K=========
+ @+ E$ {! g9 a U
( g5 [$ h% z; C6 o. BThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only5 x6 C q/ k+ k# k, q0 y" g
performed in ring0 (VxD or a ring3 app using the VxdCall).
. `0 s% I3 R3 [The Get_DDB service is used to determine whether or not a VxD is installed" v6 t5 l) i4 a5 X: S/ t
for the specified device and returns a Device Description Block (in ecx) for
K$ [' U; o: M4 w& P6 K& b2 f2 a* [that device if it is installed.0 q5 O3 u# j) H7 E
) I" J1 h7 w+ [ L/ \3 ? mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% p) I4 P% {0 F( N* O mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
' Y {. o- V5 y VMMCall Get_DDB
! {; a3 E- V. W% D$ U4 |. B$ i mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
& q+ f4 x9 b. U( u. @; b' f$ R! j* `. G+ q p1 U: n
Note as well that you can easily detect this method with SoftICE:
. M5 x8 A+ v; Y' u8 t* Q bpx Get_DDB if ax==0202 || ax==7a5fh
( b/ ]! A2 k2 P
" T' r; I! R7 L+ V__________________________________________________________________________1 |' ]5 Z9 L0 x* P
W; H7 f5 G. I5 H: _) A
Method 10
/ `" r- v! \2 u3 t=========
8 m, J* t' v7 S# R% k. V
) D E; U+ y' P+ U2 [. c=>Disable or clear breakpoints before using this feature. DO NOT trace with
' e+ E) r P4 J SoftICE while the option is enable!!: F: B3 `3 g2 [5 I: ?
# o6 Z9 u, o3 h1 S' D- h
This trick is very efficient:, m+ m* h% n* v a7 s4 F
by checking the Debug Registers, you can detect if SoftICE is loaded& Q) t8 p+ t5 i& v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! w" D. {3 y0 u8 Bthere are some memory breakpoints set (dr0 to dr3) simply by reading their/ e% A' ~1 m& W* v$ E4 g
value (in ring0 only). Values can be manipulated and or changed as well
+ F/ C/ V+ U& d6 V! V/ s- L$ Y(clearing BPMs for instance)& r0 [6 b' N* @; A- C. a( o
) {2 E2 e# @5 U$ e9 I
__________________________________________________________________________' m- o: ^8 O- `7 G0 s! f" a2 s
5 k8 U3 [; T4 f( |+ z8 r& o
Method 11
% P2 }" `! a* ]! w/ `# M=========
- F! q" L" a: I8 Q; A' E- q. o7 h
1 `; ~0 i, s. @- s" I( Q/ CThis method is most known as 'MeltICE' because it has been freely distributed0 H; v' b8 I0 Y1 u K6 K T
via www.winfiles.com. However it was first used by NuMega people to allow
8 z1 D6 k8 d) A$ q+ J/ I! o) H" gSymbol Loader to check if SoftICE was active or not (the code is located
- m! r- ?/ ?# W$ F$ s) {9 Tinside nmtrans.dll).0 ~# B& Y- S; w9 k7 D1 B; L4 N( n/ b& z
: ?& O" p' u* a. L* Z( L8 p" rThe way it works is very simple:! o9 E5 h3 ~# Y) f
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& o- }$ v( ~! j6 I# kWinNT) with the CreateFileA API.
* n. }0 ^+ @0 y. M3 g
8 q2 g- _1 ]* tHere is a sample (checking for 'SICE'):
& q9 i* B- W& C1 {& p. e5 C& W1 Z! I- L
BOOL IsSoftIce95Loaded()3 B% Z( I% t6 v: V
{
/ }/ N+ g1 N: T9 N; A7 f5 a% ? HANDLE hFile; & r+ U1 A+ s% p! _3 P
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& [+ x- c, k `; R# a( J
FILE_SHARE_READ | FILE_SHARE_WRITE,1 h5 O4 A- m" b' X U
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
% i0 ]6 ^6 c1 B! J$ M) Z& T if( hFile != INVALID_HANDLE_VALUE )
& A. O5 {$ ], y# v P8 l V {
/ r) F2 n- A! W; `" Y' \- Q: z7 T CloseHandle(hFile);
) [0 x5 f' e3 u0 Y9 R return TRUE;
! U5 j6 W7 U) Y( G }
9 C8 Z- G0 B7 r: E. D return FALSE;
$ i7 U4 \, M9 B' J4 G& q( x) c}$ y# C) G) K* ~* a# N& m' ^1 t
! d3 Z+ P" z- B* D2 gAlthough this trick calls the CreateFileA function, don't even expect to be! L) U6 I) R; b2 u) ~
able to intercept it by installing a IFS hook: it will not work, no way!
* J; [4 N: b7 ]5 D. F% HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
0 t* H" D2 Q: K/ t T8 W# _service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 s+ V, h6 ]6 w2 m1 k
and then browse the DDB list until it find the VxD and its DDB_Control_Proc; I; L- H8 Z+ b2 h9 k
field.9 f0 A% e5 ^: j: w' l
In fact, its purpose is not to load/unload VxDs but only to send a 2 C' l: ? v( Q* R
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
) E$ M7 F _4 ?. X9 E9 x) ?. z: Lto the VxD Control_Dispatch proc (how the hell a shareware soft could try
( d7 k+ M9 w! s0 Uto load/unload a non-dynamically loadable driver such as SoftICE ;-).
, h5 [3 P2 K) _- k* lIf the VxD is loaded, it will always clear eax and the Carry flag to allow
- J1 L0 i& O- o, @, U2 Y4 Qits handle to be opened and then, will be detected.& q9 o" h( M, @4 C$ \4 V1 B
You can check that simply by hooking Winice.exe control proc entry point7 _+ X4 U* k& M% z9 y
while running MeltICE./ ?# V# y+ G4 ~" W+ b9 x( S& r4 X
9 Q) J [% E1 X
, R* Y. A \+ j" C' a- N* {3 v
00401067: push 00402025 ; \\.\SICE
H, I, i2 s8 \6 t" b4 _9 z 0040106C: call CreateFileA' l, \( N$ d- q% p/ T
00401071: cmp eax,-001) E2 r+ v* _0 W' w- u) \( J
00401074: je 00401091
: w0 o! q* d' H# B0 L- y8 z
6 k$ j: E5 j) W) G; Z3 V3 W6 @# J% f4 X$ r' C( G$ B* _3 K. l
There could be hundreds of BPX you could use to detect this trick.* [( o% ]- U, v9 }5 U
-The most classical one is:
Y: t( \; w% M% a0 c. b$ f% U& @ BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
; H% X/ K% U3 Z* }8 Q9 z$ z *(esp->4+4)=='NTIC'7 u+ c5 E- U, ]7 S d- ]3 _; F
. Y# v3 U `8 i1 i" t5 a! L* D* J- W-The most exotic ones (could be very slooooow :-(' m8 x% S& S1 J1 J6 {
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
" z& v3 [: h8 L% Q3 ]" @) J( c4 @ ;will break 3 times :-(
7 m# {% K" V) j) J
* q4 p U+ j! _& @, v. {! N-or (a bit) faster: 1 v0 m8 g5 G* {+ S$ Z' m
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')0 `3 X2 `# _' @$ i
. ~ ^4 f% j) d* Q) c9 G BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ! [' S5 m; d/ L, x5 B! j8 h9 ~
;will break 3 times :-(0 u& N, h1 O3 C& X& Q
: q0 K- }( e/ m-Much faster:
0 c, m- e( |( v z BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
. H7 f, }6 n" x ]; S9 A" R6 O4 l+ Y' S6 Y1 Q# k! n9 R
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 ?: Z) D8 B F8 dfunction to do the same job:
h. c8 u2 f3 i/ G6 Q
: e+ d+ A7 G/ b3 f! }" r push 00 ; OF_READ
3 Z5 S& x5 ^5 Q( |( G0 M mov eax,[00656634] ; '\\.\SICE',0( f7 ~) r$ g% k" |8 Z# ]$ v
push eax
# A2 o6 w: Y4 `. { N call KERNEL32!_lopen0 I( C" l% C+ i' y8 ?3 W
inc eax Q3 o$ B; j+ _1 M1 V# @
jnz 00650589 ; detected
+ |" O( u" o& X push 00 ; OF_READ
R) [* v* a6 m1 q1 z: w% T mov eax,[00656638] ; '\\.\SICE' m; X* U" W3 v5 z/ ~- I! A
push eax
( X+ g4 b7 j5 c& ~: p k ? call KERNEL32!_lopen
0 |6 V# @7 J# Q, n& B inc eax! b& a' N, n5 f
jz 006505ae ; not detected* G7 s" `8 y& M# T- S! v [, c
2 {3 @$ K. B, ^! Q' Q7 E
" _! L2 n3 A$ ~0 P2 q8 ~
__________________________________________________________________________
/ r6 Y" |+ s, z" D9 E |+ }5 |5 b+ U9 ]/ `0 f
Method 12
5 Q+ w5 A+ n0 Q# H/ W0 g+ `# Z. _=========
+ G' m% A: \) I5 p/ k9 f$ g; y1 N+ H6 P1 T# d/ _' [
This trick is similar to int41h/4fh Debugger installation check (code 051 M' ~- Z6 R9 ~
& 06) but very limited because it's only available for Win95/98 (not NT)
% Z+ \- Y. W- [1 xas it uses the VxDCall backdoor. This detection was found in Bleem Demo.. O) R' e7 X" v" \
6 t$ g/ v3 H. [5 c7 | push 0000004fh ; function 4fh
, x* r0 m6 ^3 q( W push 002a002ah ; high word specifies which VxD (VWIN32)
7 K9 O' s, Q3 \7 y8 M ; low word specifies which service
- c8 i! t4 x9 p (VWIN32_Int41Dispatch)6 j, @$ U4 d2 j. B: Z- A+ e+ m: m0 @
call Kernel32!ORD_001 ; VxdCall
% R" A% @3 p2 c cmp ax, 0f386h ; magic number returned by system debuggers
9 ~7 j' E' O, o$ L3 O4 w" o; M jz SoftICE_detected f/ Z$ m- C) f8 u* ]6 V! |
8 P% r+ \, {' M) N' J$ J) a+ l
Here again, several ways to detect it:7 {5 X/ Y v [% P6 @, x3 v. k, w
! T: n! Y1 a$ o) b0 y BPINT 41 if ax==4f$ i; M' @+ Z `* `8 F4 G8 Y
# t4 s' }4 `! `* F/ a BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one$ s0 j0 U) F+ K! C
- R7 p5 e$ L8 r& H( |7 o
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A, k8 @2 O4 I( \* m
0 `% A5 y7 I& w BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!$ L! p$ o w& f' G$ `: O
: T: R+ B3 Y; r* K; C6 G. t) ~__________________________________________________________________________3 N u% E, w' a! ^+ a+ h6 ~
+ m2 \& l" `' e3 L& A, h/ FMethod 13
, [* t Y8 B! b! e/ m=========# G" u; U1 F7 t m
7 t6 ~4 `! M; R( v6 c3 qNot a real method of detection, but a good way to know if SoftICE is! _- s3 k$ E4 h3 Q7 K2 f
installed on a computer and to locate its installation directory.9 a2 E) Q3 ?6 [' W2 R
It is used by few softs which access the following registry keys (usually #2) :
/ m* B8 S) q2 r& h' o7 C& W; ?' h7 A! A6 |2 G" U
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 l# F& p$ X5 P9 ~; F* y; T* T7 Y\Uninstall\SoftICE) R% c6 ]' F4 ]2 M! p( j- W$ V; ~
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 m1 T* l' H9 i7 x-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 `6 j5 P# H3 O4 |8 g\App Paths\Loader32.Exe
8 @! c$ l, p' y4 V9 w
6 ? b9 D7 h& @ ^: I
% E. P# q6 h9 s9 H1 ]. p1 gNote that some nasty apps could then erase all files from SoftICE directory
; W% _7 S+ h4 s8 z; H4 \9 f(I faced that once :-(
# {) [2 q; ?6 s( g) H. h/ ]+ L1 {8 s
- P; l! \5 t9 R) [. p% yUseful breakpoint to detect it:: ^: i# j- O7 I% n9 E
, w7 N* j+ X4 |5 F& c3 a
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'( C! f- r9 E# K: t% {' H, r1 w' k
# V+ |& N& R* o__________________________________________________________________________+ T- A( u3 `' I7 N5 C. u
! [, v- D1 j! Q& k" D/ D0 b
: M4 F& Y* n( T6 m. ?: K: V" P) |
Method 14 & P m7 a5 @) i" W: v! P& s' M+ u5 `9 K
=========
. i8 \ Z% o8 g3 }: n8 ~
" l- X. {2 P! @2 OA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, @' O* Z* J$ }
is to determines whether a debugger is running on your system (ring0 only).
0 @+ \% C O, c2 W* a1 t2 y
+ i7 X2 T' ]6 e4 _; o! t# l/ A' \# a VMMCall Test_Debug_Installed. n# f' z. d) a/ r( `+ Y
je not_installed) E, u$ }( ?1 `$ b
! J" p2 I3 M) o- d$ \# \) V4 `( iThis service just checks a flag.0 d o! v% z L
</PRE></TD></TR></TBODY></TABLE> |