<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3                  ; SoftICE's int 3 handler answers BoundsChecker requests
 cmp al,4               ; al still 4 -> nobody answered, no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to get at SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di             ; ES:DI stays 0:0 if the VxD is not loaded
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table (as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]    ; ...and restore the previous one
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h         ; our handler leaves ax alone, a system debugger does not
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; copy al so the caller can tell our handler ran
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read the timer port: an arbitrary value in al
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]    ; ...and restore the previous one
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; cl == al only if our own handler was reached
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h                     ; set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine  ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed:

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
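An added example, not code from the original text: it decodes the two DR7 values quoted above, 0x700 and 0x400, into the bit fields documented in the Intel manual, so the difference the trick relies on is visible (bit 10 is a reserved bit that always reads as 1, giving the 0x400 baseline; 0x700 adds the LE and GE exact-breakpoint enables) and counts how many of DR0..DR3 are armed. The function names and the third sample value are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the x86 DR7 debug control register (Intel SDM layout). */
typedef struct {
    bool l[4], g[4];   /* L0..L3 (bits 0,2,4,6) and G0..G3 (bits 1,3,5,7) */
    bool le, ge, gd;   /* local/global exact enable (bits 8,9), general detect (13) */
    unsigned rw[4];    /* R/W0..3 break condition: bits 16-17, 20-21, 24-25, 28-29 */
    unsigned len[4];   /* LEN0..3 operand size: bits 18-19, 22-23, 26-27, 30-31 */
} dr7_fields;

dr7_fields decode_dr7(uint32_t dr7)
{
    dr7_fields f;
    for (int i = 0; i < 4; i++) {
        f.l[i]   = (dr7 >> (2 * i)) & 1;
        f.g[i]   = (dr7 >> (2 * i + 1)) & 1;
        f.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        f.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* How many of DR0..DR3 are armed: the "memory breakpoints set" case. */
int armed_breakpoints(uint32_t dr7)
{
    dr7_fields f = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (f.l[i] || f.g[i]) ? 1 : 0;
    return n;
}

/* The text's heuristic: 0x700 is reserved bit 10 (always reads as 1, which is
 * the 0x400 baseline) plus LE and GE, with no breakpoint armed. */
bool matches_softice_loader_dr7(uint32_t dr7)
{
    dr7_fields f = decode_dr7(dr7);
    return f.le && f.ge && armed_breakpoints(dr7) == 0;
}

int main(void)
{
    /* Constructed samples: the two values from the text, plus a DR7 with one
     * local 4-byte write breakpoint in DR0 (L0=1, R/W0=01, LEN0=11). */
    uint32_t samples[] = { 0x700, 0x400, 0x000D0401 };
    for (int i = 0; i < 3; i++) {
        dr7_fields f = decode_dr7(samples[i]);
        printf("DR7=%#07x LE=%d GE=%d armed=%d rw0=%u len0=%u loader=%d\n",
               (unsigned)samples[i], f.le, f.ge, armed_breakpoints(samples[i]),
               f.rw[0], f.len[0], matches_softice_loader_dr7(samples[i]));
    }
    return 0;
}
```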

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE?
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; HFILE_ERROR (-1) becomes 0
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
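The two breakpoint conditions of Method 11 (BPX CreateFileA if *(esp->4+4)=='SICE' ...) and Method 13 (BPX _regopenkey if *(esp->8+0x13)=='tICE' ...) re-expressed in C, as an added example that is not code from the original text: esp->4 and esp->8 are the first and second stack arguments (lpFileName and lpSubKey), and the offsets 4, 0x13 and 0x37 are where the 4-byte tag sits inside the device path and the two registry paths. The function names and sample strings are mine; the helper bounds-checks, which the SoftICE expressions do not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare the 4 bytes at s+off with tag, the way SoftICE evaluates
 * *(ptr)=='SICE' (four characters in memory order). Unlike the breakpoint
 * expression, refuse to read past the end of the string. */
static bool tag_at(const char *s, size_t off, const char *tag)
{
    if (s == NULL || strlen(s) < off + 4)
        return false;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...'SIWV' || ...'NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" device prefix. The prefix check
 * is an addition here: the breakpoint expression only looks at offset 4. */
bool is_softice_device_name(const char *lpFileName)
{
    if (!tag_at(lpFileName, 0, "\\\\.\\"))
        return false;
    return tag_at(lpFileName, 4, "SICE") || tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey. 0x13 is where "tICE" sits in key #2, 0x37 in key #1. */
bool is_softice_regkey(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Where a tag sits in a string, i.e. how constants such as 0x13 and 0x37
 * are derived for a given key path; -1 if the tag is absent. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

int main(void)
{
    /* Constructed inputs: the device names and registry paths from the text. */
    const char *key1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
    const char *key2 = "Software\\NuMega\\SoftICE";
    printf("SICE=%d SIWVID=%d NTICE=%d readme=%d\n",
           is_softice_device_name("\\\\.\\SICE"),
           is_softice_device_name("\\\\.\\SIWVID"),
           is_softice_device_name("\\\\.\\NTICE"),
           is_softice_device_name("C:\\readme.txt"));
    printf("tICE at offset %ld in key #1, %ld in key #2\n",
           tag_offset(key1, "tICE"), tag_offset(key2, "tICE"));
    printf("key1=%d key2=%d\n", is_softice_regkey(key1), is_softice_regkey(key2));
    return 0;
}
```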

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only):

 VMMCall Test_Debug_Installed
 je not_installed       ; ZF set -> no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>