<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: SoftICE's int 3
handler recognises the 'BCHK' magic in EBP and answers the request, so
AL no longer holds the 04h that was passed in.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al,4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded,
ES:DI comes back as 0000:0000, so ES+DI being non-zero means it is there.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

        xor     di,di
        mov     es,di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax,ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax,4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

This one and the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first points the
int 41h vector at its own dummy handler (ES must be 0, the IVT segment,
as in Method 06). Without a debugger the dummy handler just returns and
AX is still 4Fh; an answer of 0F386h can then only come from something
sitting above the real-mode vector, which is where SoftICE answers from:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; swap in our handler, keep the old one
        xchg    bx, es:[41h*4+2]
        mov     ax,4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but harder to spot: instead of
looking for 0F386h it checks whether its own handler ran at all. The
handler copies AL into CL; AL was loaded with a (more or less random)
byte read from timer port 40h and CX was cleared beforehand. If int 41h
really reached the program's handler, CL == AL afterwards; if SoftICE
handled the interrupt itself, CX is still 0 and the compare fails. (If
the timer byte happens to be 0 the check gives a false negative.)

int41handler PROC
        mov     cl,al
        iret
int41handler ENDP

        xor     ax,ax
        mov     es,ax                   ; ES = 0 (interrupt vector table)
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from the timer
        xor     cx,cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl,al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86). Function AH=43h of
int 68h is the debugger installation check; a debugger answers with
AX=0F386h.

        mov     ah,43h
        int     68h
        cmp     ax,0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

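The int 3, int 2Fh, int 41h and int 68h idioms of Methods 01 to 07 are fixed
byte sequences, so a reverser can look for them in a binary before running it
under the debugger. The C scanner below is an added example (it is not part of
the original list): it matches masked opcode patterns for those methods over a
constructed image that reproduces the Haspinst.exe loop from Method 02 followed
by a Method 05 and a Method 01 check. The encodings are the 16-bit ones
(B8 iw = mov ax, BE/BF iw = mov si/di, CD ib = int); the Method 01 pattern is
the 32-bit mov ebp,imm32 (BD id), which in 16-bit code carries a 66h prefix.
The scanner does not disassemble, so a hit is a lead to confirm with a BPX,
not proof.

```c
/* sice_sigscan.c - byte-pattern scanner for the SoftICE detection idioms of
 * Methods 01-07 (added example, not from the original list).
 * Build: cc -std=c99 -Wall -o sice_sigscan sice_sigscan.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;
    const uint8_t *bytes;   /* expected bytes                          */
    const uint8_t *mask;    /* 0xFF = byte must match, 0x00 = wildcard */
    size_t         len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42 (66h prefix in 16-bit code) */
static const uint8_t m01_b[] = {0xBD,0x4B,0x48,0x43,0x42};
static const uint8_t m01_m[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 = BE 47 46 / BF 4D 4A / CC */
static const uint8_t m02_b[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};
static const uint8_t m02_m[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh = B8 84 16 / BB ?? ?? / CD 2F
 * (bx wildcarded so both 0202h SICE and 7A5Fh SIWVID match)                */
static const uint8_t m03_b[] = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};
static const uint8_t m03_m[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0xFF,0xFF};
/* Method 05: mov ax,4Fh ; int 41h = B8 4F 00 / CD 41 */
static const uint8_t m05_b[] = {0xB8,0x4F,0x00,0xCD,0x41};
static const uint8_t m05_m[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* Method 06: in al,40h ; xor cx,cx ; int 41h = E4 40 / ?? ?? / CD 41
 * (xor cx,cx may be encoded 31 C9 or 33 C9, hence the wildcards)    */
static const uint8_t m06_b[] = {0xE4,0x40,0x00,0x00,0xCD,0x41};
static const uint8_t m06_m[] = {0xFF,0xFF,0x00,0x00,0xFF,0xFF};
/* Method 07: mov ah,43h ; int 68h = B4 43 / CD 68 */
static const uint8_t m07_b[] = {0xB4,0x43,0xCD,0x68};
static const uint8_t m07_m[] = {0xFF,0xFF,0xFF,0xFF};

static const sig_t SIGS[] = {
    {"Method 01 (BCHK int 3)",      m01_b, m01_m, sizeof m01_b},
    {"Method 02 (int 3 back door)", m02_b, m02_m, sizeof m02_b},
    {"Method 03/04 (int 2F/1684)",  m03_b, m03_m, sizeof m03_b},
    {"Method 05 (int 41/4F)",       m05_b, m05_m, sizeof m05_b},
    {"Method 06 (int 41 handler)",  m06_b, m06_m, sizeof m06_b},
    {"Method 07 (int 68/43)",       m07_b, m07_m, sizeof m07_b},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { size_t off; const char *name; } hit_t;

static int sig_match(const uint8_t *p, const sig_t *s)
{
    for (size_t i = 0; i < s->len; i++)
        if ((p[i] ^ s->bytes[i]) & s->mask[i])
            return 0;
    return 1;
}

/* Scans img[0..len) and records every match (offset + signature name) in
 * hits[], up to max_hits. Returns the total number of matches found. */
size_t scan_for_sice_tricks(const uint8_t *img, size_t len,
                            hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (off + SIGS[s].len <= len && sig_match(img + off, &SIGS[s])) {
                if (n < max_hits) { hits[n].off = off; hits[n].name = SIGS[s].name; }
                n++;
            }
    return n;
}

/* Constructed test image: the Haspinst.exe loop from Method 02 (assembled
 * from the listing above), followed by a Method 05 and a Method 01 check. */
const uint8_t sample_image[] = {
    0x90,0x90,                  /* nop ; nop (padding)               */
    0xB8,0x11,0x09,             /* mov ax,0911h                      */
    0x8B,0x17,                  /* mov dx,[bx]                       */
    0xBE,0x47,0x46,             /* mov si,4647h      <- offset 7     */
    0xBF,0x4D,0x4A,             /* mov di,4A4Dh                      */
    0xCC,                       /* int 3                             */
    0x83,0xC3,0x02,             /* add bx,2                          */
    0x41,                       /* inc cx                            */
    0x83,0xF9,0x06,             /* cmp cx,6                          */
    0x72,0xEB,                  /* jb  back to mov ax,0911h          */
    0xE9,0x55,0xFF,             /* jmp Bad_Guy                       */
    0x8B,0xDC,                  /* mov bx,sp                         */
    0xB8,0x4F,0x00,0xCD,0x41,   /* mov ax,4Fh ; int 41h <- offset 28 */
    0x3D,0x86,0xF3,0x74,0x00,   /* cmp ax,0F386h ; jz detected       */
    0xBD,0x4B,0x48,0x43,0x42,   /* mov ebp,'BCHK'       <- offset 38 */
    0xB8,0x04,0x00,0xCC,        /* mov ax,4 ; int 3                  */
    0x3C,0x04,0x75,0x00,        /* cmp al,4 ; jnz detected           */
};
const size_t sample_image_len = sizeof sample_image;

int main(void)
{
    hit_t hits[16];
    size_t n = scan_for_sice_tricks(sample_image, sample_image_len, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].off, hits[i].name);
    return n ? 0 : 1;
}
```

To use it on a real target, read the DOS binary into a buffer and pass that
instead of sample_image; each reported offset is where to put a BPX or to
start disassembling.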
Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h                         ; set interrupt vector
        mov     al, Int_Number                  ; 01h or 03h
        mov     dx, offset New_Int_Routine      ; ds:dx = new handler
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (dr0 to dr3), simply by
reading their values (in ring 0 only: MOV from a debug register is a
privileged instruction and faults in ring 3). Values can be manipulated
or changed as well (clearing BPMs for instance).

__________________________________________________________________________
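The DR7 values quoted above are easier to reason about once the register is
split into its fields: the L0..L3/G0..G3 enable bits, the R/W and LEN fields
for each of dr0..dr3, and the LE/GE bits 8 and 9 (0x700 is LE and GE plus the
always-set bit 10; 0x400 is bit 10 alone). The decoder below is an added
example, not code from the original list; since the registers can only be
read from ring 0, it takes the DR7 value as an argument (from a VxD, for
instance) and the sample values in main() are constructed from the figures in
the text.

```c
/* dr7_decode.c - decode a DR7 value the way Method 10 reads it (added
 * example, not from the original list). Sample values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled;   /* L<n> or G<n> bit set                              */
    int global;    /* G<n> bit set                                      */
    int rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write   */
    int len;       /* breakpoint length in bytes                        */
} dr7_bp_t;

typedef struct {
    dr7_bp_t bp[4];
    int le, ge;    /* local/global exact breakpoint enable, bits 8 and 9 */
    int gd;        /* general detect, bit 13: traps any MOV DRn          */
    int n_enabled; /* number of armed hardware breakpoints               */
} dr7_info_t;

dr7_info_t dr7_decode(uint32_t dr7)
{
    static const int len_tbl[4] = {1, 2, 8, 4};   /* LEN field encoding */
    dr7_info_t info = {0};
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        info.bp[i].enabled = l | g;
        info.bp[i].global  = g;
        info.bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        info.bp[i].len     = len_tbl[(dr7 >> (18 + 4 * i)) & 3];
        info.n_enabled    += l | g;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

enum dr7_verdict { DR7_CLEAN, DR7_SICE_LOADER, DR7_HW_BREAKPOINTS };

/* Applies the Method 10 reasoning: any armed L/G bit means a BPM is set
 * (dr0-dr3 in use); LE and GE both set with nothing armed is the 0x700
 * the text reports when the program was started from the SoftICE loader. */
enum dr7_verdict dr7_classify(uint32_t dr7)
{
    dr7_info_t info = dr7_decode(dr7);
    if (info.n_enabled)
        return DR7_HW_BREAKPOINTS;
    if (info.le && info.ge)
        return DR7_SICE_LOADER;
    return DR7_CLEAN;
}

int main(void)
{
    /* constructed: plain Win9x, SoftICE loader, and one 4-byte write BPM in dr0 */
    const uint32_t samples[] = {0x400, 0x700, 0x000D0401};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info_t in = dr7_decode(samples[i]);
        printf("dr7=%08x verdict=%d armed=%d", (unsigned)samples[i],
               (int)dr7_classify(samples[i]), in.n_enabled);
        for (int b = 0; b < 4; b++)
            if (in.bp[b].enabled)
                printf(" bp%d(rw=%d,len=%d)", b, in.bp[b].rw, in.bp[b].len);
        putchar('\n');
    }
    return 0;
}
```

The same field layout is what a protection would use to clear BPMs (write
DR7 back with the L/G bits masked off), which is why the warning above tells
you to clear your breakpoints before tracing such code.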

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025              ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________
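The sample above probes one device name; the check a protection would
actually ship tries all three (SICE and SIWVID on Win9x, NTICE on WinNT) and
reports which of them answered. The C below is an added example, not NuMega's
or MeltICE's code: it is the same CreateFileA probe generalised over a table
of device names, with the opener passed in as a function pointer so the logic
can be exercised outside Windows. The Win32 opener is compiled only under
_WIN32; the two sim_open_* openers are constructed for illustration and stand
in for a machine where only NTICE answers and one with no SoftICE at all.

```c
/* sice_devprobe.c - MeltICE-style driver handle probe over all SoftICE
 * device names (added example, not the page's or NuMega's code). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 1 = device could be opened (driver present), 0 = open failed */
typedef int (*device_open_fn)(const char *path);

enum { SICE_95 = 1, SIWVID_95 = 2, NTICE_NT = 4 };

static const struct { const char *path; unsigned bit; const char *platform; }
SICE_DEVICES[] = {
    { "\\\\.\\SICE",   SICE_95,   "Win9x" },
    { "\\\\.\\SIWVID", SIWVID_95, "Win9x" },
    { "\\\\.\\NTICE",  NTICE_NT,  "WinNT" },
};
#define N_DEVICES (sizeof SICE_DEVICES / sizeof SICE_DEVICES[0])

#ifdef _WIN32
/* The real opener: the body of IsSoftIce95Loaded() above, for any name. */
static int win32_open(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);          /* this is the DIOC_CLOSEHANDLE sent to the VxD */
    return 1;
}
#endif

/* Tries every device name; returns a bitmask of the ones that opened.
 * Pass NULL to use CreateFileA on Windows (always 0 on other platforms,
 * which have no \\.\ device namespace). */
unsigned probe_sice_devices(device_open_fn try_open)
{
    unsigned found = 0;
    if (try_open == NULL) {
#ifdef _WIN32
        try_open = win32_open;
#else
        return 0;
#endif
    }
    for (size_t i = 0; i < N_DEVICES; i++)
        if (try_open(SICE_DEVICES[i].path))
            found |= SICE_DEVICES[i].bit;
    return found;
}

/* Human-readable name for one bit of the mask (NULL if unknown). */
const char *sice_device_name(unsigned bit)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (SICE_DEVICES[i].bit == bit)
            return SICE_DEVICES[i].path + 4;   /* skip the "\\.\" prefix */
    return NULL;
}

/* Simulated openers (constructed for illustration / offline testing). */
int sim_open_ntice_only(const char *path) { return strcmp(path, "\\\\.\\NTICE") == 0; }
int sim_open_none(const char *path)       { (void)path; return 0; }

int main(void)
{
    unsigned found = probe_sice_devices(NULL);   /* real probe on Windows */
    for (unsigned bit = 1; bit <= NTICE_NT; bit <<= 1)
        if (found & bit)
            printf("SoftICE driver %s answered\n", sice_device_name(bit));
    return found ? 1 : 0;
}
```

Every name in the table ends up as the *(esp->4+4) dword the classical BPX
above tests for, so the breakpoint on CreateFileA catches this variant just
as well as the one-name original.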
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one!
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where
'tICE' sits in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>