<TABLE width=500>
) q, w1 |! m( Y# h1 h<TBODY>1 \$ l% m8 ~. ~" _
<TR>$ p6 l% N, N# K3 h Z; F% L
<TD><PRE>Method 01 $ g, {! K6 X$ m- r6 j( k
=========
" F. U9 k+ N: J3 ~7 d
1 O% ]/ z# {3 h$ a9 s" pThis method of detection of SoftICE (as well as the following one) is+ L# N6 ]- w9 r7 s, R
used by the majority of packers/encryptors found on Internet.8 N$ T1 s) j; J9 @% S, H. J6 b
It seeks the signature of BoundsChecker in SoftICE
! P: A% A6 T1 C3 B
8 ^6 d2 z; F5 }8 t( w mov ebp, 04243484Bh ; 'BCHK'/ O- A9 u5 U i& l. B
mov ax, 04h. P: {" m% N& F; ~2 Q% c: N3 y
int 3
. Y( q, C" ?. h9 ^' e( Z: c0 }0 F- A cmp al,41 o ] K' E( G0 Q
jnz SoftICE_Detected
+ |3 Y& _7 z- C4 X
8 r" E2 y4 b# K p9 _8 ]% F___________________________________________________________________________4 E! \" Q. q4 u3 G# Y
; S5 {: T" v: s; ?0 H; W
Method 02
b$ W. C$ e+ V7 O; l, z=========/ u* k2 b% `% U4 @- i
+ g6 y0 R q2 H* f$ YStill a method very much used (perhaps the most frequent one). It is used
0 Z; P; s; F# `4 ?) Jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& T0 Y# M" R1 Ior execute SoftICE commands...
! T0 Z1 Y# f0 N: ZIt is also used to crash SoftICE and to force it to execute any commands% Q8 j8 V0 f+ g" @
(HBOOT...) :-(( 8 Q; n8 Q- I; |1 H E3 s8 W
5 Y7 ]5 ~5 z+ ? G+ D1 WHere is a quick description:
" n' t5 p; v/ E' X-AX = 0910h (Display string in SIce windows)( V- n1 U8 y3 B$ g: K
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
9 ^8 N+ i% ?1 x: s$ j-AX = 0912h (Get breakpoint infos)2 G( ^! I0 e9 p$ m& ]; v. X
-AX = 0913h (Set Sice breakpoints)4 C1 t* L. q, Z# J
-AX = 0914h (Remove SIce breakoints)1 Y4 E6 l4 E9 G4 E% Y
. t8 ~8 z% [5 B# s* g7 Q
Each time you'll meet this trick, you'll see:
" V9 l* U' C7 m% F! [- r2 D9 u$ A, J-SI = 4647h8 }: G0 e8 v' j
-DI = 4A4Dh# `' ]! y7 E' J
Which are the 'magic values' used by SoftIce." u3 e' V. _% L8 i* Y/ `
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; @5 I5 r7 F! @. y
! q2 A" _1 H7 h( T& ?Here is one example from the file "Haspinst.exe" which is the dongle HASP) U$ w7 l8 g r, B) k+ \) e
Envelope utility use to protect DOS applications:
2 n; v+ ]. L( M% ?7 j7 x3 ?8 z/ h
6 c8 u, Z. q) M& {/ `5 t" r+ |) X3 s
: H5 W3 u0 h8 O5 t' g2 |! A% y4C19:0095 MOV AX,0911 ; execute command.
/ e! B" ~( `2 T8 ^4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
1 T2 `, H0 P& s4C19:009A MOV SI,4647 ; 1st magic value.
" X0 E1 s+ t% \' Q6 g! H4C19:009D MOV DI,4A4D ; 2nd magic value.
) H9 g& F3 W' x ^4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 j; d. t* ]; u" }5 S7 T4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute* }6 i; k$ u) w. o
4C19:00A4 INC CX. R' a4 j# G8 P P# x7 `
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute( S K2 {% L) D9 m6 C3 E# c- K; [! K
4C19:00A8 JB 0095 ; 6 different commands.6 Y5 m' K: f4 _. Y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
0 @5 H w F2 J' A5 c7 q4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
% g& I6 k! n$ @# f
1 A1 E# Q; C, \. H' @! m) k2 ~- uThe program will execute 6 different SIce commands located at ds:dx, which7 s @/ R5 T8 E* a
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
0 g6 [, |* [8 W7 G( v& r
1 P" L: I9 w9 E! f+ @* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.1 |& C& ~* W3 t) b- @
___________________________________________________________________________
" |) f; i6 B4 a' R2 ^+ T) C; \! F; m$ E z5 [4 E' Q0 ]. B
* H) o1 V* a3 h" r* H4 _) r
Method 03; W; R( P3 m3 w3 `
=========
$ i0 @6 v( K. V- m N- t& h3 l# n0 p5 z$ X8 b
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
2 r% s3 G5 @: S! u6 B n(API Get entry point)' I# h& l- _0 ?$ `0 }
& ~ d; \* X. {7 h L% j/ u& B
% u7 W, k4 l6 `" X6 x# J xor di,di
5 T: I5 i1 i. G, F/ G4 k; E mov es,di# B& B( H6 ^0 Y3 v8 J
mov ax, 1684h ! V: O" E! D" l
mov bx, 0202h ; VxD ID of winice
/ y7 \" c2 Q$ ]9 w1 a5 ~ int 2Fh
) P2 {, E& Y$ k& f/ e% J mov ax, es ; ES:DI -> VxD API entry point
* R( N3 a# [2 c add ax, di- i5 _8 n D* J( W
test ax,ax
$ E5 n3 m: l( l- J C6 I jnz SoftICE_Detected
" Q0 M t- R% t6 X& W8 n1 X* v; B+ h3 e! W. B# i6 z H9 K
___________________________________________________________________________
) F0 h D2 C$ A8 J7 v. n5 |- K @! x. @2 o5 |+ y- O: J! |7 k# C
Method 04
7 ~& k6 r# n+ f- Q=========
- c. `4 }5 n# N+ O7 h* ~8 V( s3 q7 y* [2 V# n' r
Method identical to the preceding one except that it seeks the ID of SoftICE
# {$ g3 R1 }; }& dGFX VxD.
% }* o: Z8 F, l. {- T5 a) C# v4 f4 w P
xor di,di
# L2 p3 M1 P3 K' B, I mov es,di
* S, j: Y6 B# Q: i; t; I3 p mov ax, 1684h
2 S7 p$ ?) Y, @9 Z. Z6 c+ u9 w8 { mov bx, 7a5Fh ; VxD ID of SIWVID
8 ~4 H! s% s# g$ ]$ |1 C* A int 2fh
4 A1 ^) S r- k$ t0 |) R( v mov ax, es ; ES:DI -> VxD API entry point0 i3 u: U) F+ ]5 F9 \
add ax, di
& O1 \2 ]/ s s9 w test ax,ax/ l3 L9 m; R/ t( P1 a. u$ W
jnz SoftICE_Detected
9 [& L1 T& Z% s$ J5 j
: g4 U% S0 X# P__________________________________________________________________________0 G) u! S/ C5 a0 q; G* w
8 w6 h/ Y4 o6 O! Y- D
N& }8 k! n* K5 p; s% H# ?6 w
Method 05; P j: o3 [. I4 A3 `
=========
+ K4 A+ x5 ^8 E; [7 j! f- b
! R& _2 |6 w& p7 NMethod seeking the 'magic number' 0F386h returned (in ax) by all system' f3 ]# m# Z; R
debugger. It calls the int 41h, function 4Fh.
* Q8 d J+ n, uThere are several alternatives.
3 j/ p1 R. D2 y" X8 {' c# g- e; ^/ F6 i
7 @: \7 S X' N$ F$ `# \, QThe following one is the simplest:
# K7 x9 o2 J d. u1 N* |; k" n% {7 Z/ D8 q/ x4 R) F0 Y
mov ax,4fh3 P; e- X& i0 a" r
int 41h
6 ^4 c& r' g; @( v5 e cmp ax, 0F386
5 ~1 _ n5 C2 L9 v5 d: H jz SoftICE_detected. [9 H+ N. ?, ?. A& @) i) [
& c3 o: h3 |/ Q2 v8 O- ~
1 K. h( z6 {* gNext method as well as the following one are 2 examples from Stone's " L# g( A8 c7 V1 B/ L- F
"stn-wid.zip" (www.cracking.net):
. B( M* t5 o9 C- R
7 m( h; @. y1 S4 D mov bx, cs: C, J$ q9 ?# T
lea dx, int41handler28 \' |5 j+ P- Y+ L, m
xchg dx, es:[41h*4]# @5 C2 [4 V$ @0 ~ c0 z; e, J+ G
xchg bx, es:[41h*4+2]/ n5 u' h2 M8 ~ D
mov ax,4fh) v6 o" l9 n3 n d: S G3 L
int 41h
( ^& l# K0 ]3 t" Q, g& { xchg dx, es:[41h*4]1 P: ?( M6 l" v- y9 W- ?
xchg bx, es:[41h*4+2]
$ v7 T" x' d! ~- A1 C) e$ A$ `! H. d cmp ax, 0f386h
0 p; X& w( d! K7 O" F jz SoftICE_detected( ?$ l) d" k* z( m2 H& M: Y6 u
- z# r& X% d* @$ D; S% V$ ~int41handler2 PROC z, |$ F3 Z4 ?4 b/ t+ ~+ Q
iret: K, v5 F& S% U. W6 f7 h8 {8 i: o# p
int41handler2 ENDP
& {) a/ w1 }1 K7 X& H3 ]
$ ~0 U* T! B6 Z! \" I L1 i
$ e* M9 E2 [( }_________________________________________________________________________4 N: |0 m f! X
# y; m! n6 O# Z6 {0 }7 j( g. O- C6 \/ M# b$ E2 z" U5 |+ v7 i6 b
Method 06" [2 a0 Z& K+ Y
=========
: c) }$ r1 d6 a* W+ X# H7 O7 |( r( L6 G' g4 q
- T( x4 k) G/ L' N# Z
2nd method similar to the preceding one but more difficult to detect:( q* v) I8 ]" r) w
Y& v& z/ o5 _) G" Y
! q2 b; ?3 G! e2 W- \ aint41handler PROC2 _/ ^" H; t; U
mov cl,al+ G; k3 [" r p# k; o$ `, g
iret
+ u/ Z, w0 [* Z) L9 c, D) bint41handler ENDP9 R1 R* v+ c2 S. ]& m
# o" d* e' W- P. \9 ?: M
; q; d6 e4 ]1 k xor ax,ax
- Z) Q5 b+ `' n mov es,ax
4 G: I% C( `" [+ s mov bx, cs% L0 U% U& r2 t+ k/ Z F
lea dx, int41handler0 F o) U: Z" @
xchg dx, es:[41h*4]' m. i9 Z( [; q4 ?
xchg bx, es:[41h*4+2]
' P: |3 [( H1 ?2 M- g% m- D in al, 40h% ]; }5 x+ E* g& r2 E4 B
xor cx,cx: ~! z- L. j% u7 H
int 41h
$ _2 c" `8 l+ R; Y$ W xchg dx, es:[41h*4]
" u9 }2 v& h" }+ J2 h/ l xchg bx, es:[41h*4+2]# o* | c( ]' O7 W
cmp cl,al; ^# e6 q" V5 E/ O. C
jnz SoftICE_detected
0 `& D% p2 l. B4 `/ k) F& @0 e! |! T+ B% H& i0 x7 t6 ~
_________________________________________________________________________
2 ^( V6 g$ p: M* [/ u5 z% F1 k
: w" _$ z6 \' u- C2 dMethod 07+ @# j! X! M; I- x" C+ Z5 U+ N
=========
5 T7 i6 w9 `2 Z4 j+ f/ p( l; `5 e
/ I2 G6 E+ w, n/ ~Method of detection of the WinICE handler in the int68h (V86)$ M3 Q$ [) K, u* R* P- x+ ?
3 {) g. n$ Z, P' [- a mov ah,43h' @0 [/ b7 x. [: D% U
int 68h }( F* x/ }, S( g
cmp ax,0F386h3 d5 I6 P" s/ M2 P" M/ Q2 _" _( Y, {
jz SoftICE_Detected
/ S6 z3 s- b7 W- w2 I2 O7 B
( H* m4 s% X, ~3 Z9 |+ @5 | z2 f9 O6 O7 x" l
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 S$ a7 y, Z# M- a: P) a% ~% M) I
app like this:
7 [* w$ ~) \2 l9 A+ K7 d3 d3 Z9 s8 T0 X6 F$ O% m8 y2 }& R
BPX exec_int if ax==68
3 L# J) V1 A9 i# c, m4 }! } (function called is located at byte ptr [ebp+1Dh] and client eip is3 W. {5 w" j" ?
located at [ebp+48h] for 32Bit apps) g; t" _5 g' H+ W
__________________________________________________________________________* p5 R- t( ]0 o/ y" k0 R. i- E
0 v$ w* ^4 X( C, A% m* f& h* I4 s# ^2 @- V( t0 k& l# O' e4 v. {, G
Method 08" ^; J8 b# a1 ]$ f; h
=========
, t( W" I: E8 U: G
9 F r% N& z. l+ \( H: MIt is not a method of detection of SoftICE but a possibility to crash the* _1 x' t2 r. Z+ T# D
system by intercepting int 01h and int 03h and redirecting them to another
8 E' d3 Y( t2 `) r2 Lroutine.
H9 z& N/ Q( xIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points& q2 F6 z( j* |9 k4 P" i
to the new routine to execute (hangs computer...)
9 y3 ]7 F" n& k4 X, S/ o+ N
5 N+ I# r. [8 ?7 ]. \- B& a! G mov ah, 25h0 ]- ?) q; p- C! ^
mov al, Int_Number (01h or 03h)$ e2 T- O6 F! u! b
mov dx, offset New_Int_Routine
, i% o% d. |* N& q int 21h
1 Y$ A: o6 `1 n
4 e3 e/ O& s8 o% t* Y0 ~__________________________________________________________________________
# Y% M6 r* p& w( A
% n7 F# @) I% p* V* m: H) xMethod 09
( V& N T; k: b8 N+ b1 r=========
! ^$ U7 Z6 r. a Q2 C, U* X" q. l2 y4 |0 i7 h R4 v4 X; ^# `
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only. F# n5 x+ R* Q ^6 [) n6 ]
performed in ring0 (VxD or a ring3 app using the VxdCall).
: b+ I8 b% I( u2 PThe Get_DDB service is used to determine whether or not a VxD is installed
" y2 U8 d, ^+ M$ t0 [for the specified device and returns a Device Description Block (in ecx) for- ]9 r% k* m9 V! i% d8 R9 w
that device if it is installed.
5 E# d) @9 \6 Q8 d
2 i! i% s$ }( }$ s mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
# F$ ?+ T9 h z- [ x7 N' | mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, B( |% V5 W3 ~$ ^ VMMCall Get_DDB
8 @& D( ?2 [! }7 k8 n2 e! f mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed6 x- ?6 H1 j" F
$ H K g& F; ~5 q! A4 F9 V4 g
Note as well that you can easily detect this method with SoftICE:$ q& b$ K# t( u
bpx Get_DDB if ax==0202 || ax==7a5fh9 k& o1 l: q! ?6 ~
/ V9 E+ ~8 T1 Z& J! G Q1 L9 S7 s__________________________________________________________________________
. D, C- y! ?* H8 N* l( O9 }1 ]- _2 w/ }; q8 `4 i
Method 103 a6 C3 F- l- r9 j3 `- R; G
=========' A4 F/ U1 B/ [, d) M. }
( s+ @2 i4 @0 ]9 Q _$ ~8 o' O=>Disable or clear breakpoints before using this feature. DO NOT trace with
' G3 _5 _9 k. E/ h SoftICE while the option is enable!!
* m% u: T, A- H# h
$ {1 {- r: x! IThis trick is very efficient:
% V! ^3 o' w& o% E% dby checking the Debug Registers, you can detect if SoftICE is loaded$ D+ Q8 w; W: D& X% i
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if5 U5 p" `3 g- H! O! S
there are some memory breakpoints set (dr0 to dr3) simply by reading their
! m9 `* }% U9 `1 _9 {value (in ring0 only). Values can be manipulated and or changed as well3 S0 K# X/ X# r/ d5 R% Y
(clearing BPMs for instance). q/ D, y& i- O7 y$ ^ V* |4 e
& v3 K. a3 g. [+ ?9 v* A7 ]7 ^
__________________________________________________________________________
4 }% u7 c0 s# {% i1 G8 B2 d6 b) W1 Z5 k# K5 d% w1 y
Method 118 g1 x6 Z: S# a
=========
! ?" F# O; g/ [. ^) B k
) i9 z* y1 o/ N$ r& _& B* rThis method is most known as 'MeltICE' because it has been freely distributed
1 d6 u7 E3 {( e! V* Y9 evia www.winfiles.com. However it was first used by NuMega people to allow
# m6 @* M/ C0 W( b& WSymbol Loader to check if SoftICE was active or not (the code is located% l8 \/ B1 [: l# n' A' `
inside nmtrans.dll).7 s s9 P7 f3 Y9 U
, G W) g9 R# v+ [5 M0 }
The way it works is very simple:) n9 x: t Y# u
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" C" W) y; r. A5 P. H" o( c, w& ?WinNT) with the CreateFileA API.5 X) I" d- C& M* C% }
, R" d3 m& \1 i ^! O
Here is a sample (checking for 'SICE'):
8 M4 l8 W; Y3 q! [) w6 x/ I$ [# n: C! j
BOOL IsSoftIce95Loaded()$ p7 P" V& ?6 B( i3 L5 `7 ?. d
{' g, T/ L: ?7 I; U$ _! M
HANDLE hFile;
, H, w$ {( |) q" F3 [: g$ t H" F hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,8 ^8 N% y% y! E+ g- B6 K @) T
FILE_SHARE_READ | FILE_SHARE_WRITE,
: @" N6 ~ J& m, t NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
7 D! p2 D5 E6 A: N% r7 L if( hFile != INVALID_HANDLE_VALUE )* L# D, w# P; S7 ~
{
" X( U% r+ B4 w& G, [2 U CloseHandle(hFile);
/ N7 b" x7 d1 O/ g return TRUE;
7 v9 u- j0 o. B9 F& a) N% M }. } v6 W% k* W7 T% D7 D/ ]
return FALSE;
0 R/ @" i: ~0 K6 b}
0 A/ a# C: c) _
4 W' _0 O) \, F) h9 b4 ^4 jAlthough this trick calls the CreateFileA function, don't even expect to be( r3 a2 v7 v$ M4 Q' ]- ]
able to intercept it by installing a IFS hook: it will not work, no way!' r r2 t$ _( O3 L6 \3 G! |9 }3 y
In fact, after the call to CreateFileA it will get through VWIN32 0x001F4 o* B5 Y( C* o
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 m# m9 M# L9 t. B/ Uand then browse the DDB list until it find the VxD and its DDB_Control_Proc& K9 F" b0 P& b1 y
field.
5 h: y) t8 ?' f! dIn fact, its purpose is not to load/unload VxDs but only to send a ! l; f: [8 D: K* R' b
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
$ ]9 z: E$ f9 R( z1 K' \% ~to the VxD Control_Dispatch proc (how the hell a shareware soft could try! k) f O) A+ p) w( X# w
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
5 ], ~/ A \0 @. M4 U: f6 c& k8 CIf the VxD is loaded, it will always clear eax and the Carry flag to allow/ g" `5 m B- L
its handle to be opened and then, will be detected.
4 m# @' }. z- j! i9 a' W- U7 fYou can check that simply by hooking Winice.exe control proc entry point! _6 k' j2 s* P3 ^1 q
while running MeltICE.
6 z$ b. U/ q# i. I V i7 V& a0 i1 U# k% q. w4 g
6 O& ^2 y: B* `% D# g
00401067: push 00402025 ; \\.\SICE* W q+ y" U/ t$ k, t4 b
0040106C: call CreateFileA. F* h& }0 A7 p1 X
00401071: cmp eax,-001
8 m3 U& P d- x5 u& v6 T/ d 00401074: je 00401091
5 l& a1 B' g3 S6 x/ r* V6 `$ Z
' R$ p/ B, Y/ d2 G) R/ G
% O8 c; v) b8 ^/ m! B* fThere could be hundreds of BPX you could use to detect this trick.. t7 ~4 H7 @# o. Y0 _
-The most classical one is:# k4 h/ c# l0 w* Y% D
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||, \; K. D( \ E$ z8 A
*(esp->4+4)=='NTIC'
) D$ s! W b$ d( `: y8 ]7 q$ o: w5 f6 z
" F7 f4 J: {) X) `6 R-The most exotic ones (could be very slooooow :-(
* W* t. { Z F4 W# G5 ~2 _3 e BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
! f1 |$ ^6 @- B9 T. Q' y7 I ;will break 3 times :-(
5 `( t3 q, T7 b1 @( \, }/ ~: ^' n9 W0 u$ B# ?% d+ `3 y
-or (a bit) faster: + |6 _$ A& I x+ ?5 `$ C2 t; q; L
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! @: S- V# j' d. N
7 K5 @, _ |$ l; D7 _8 y BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' - a6 ^1 Y# _# Y6 o( m9 i3 L. x; o9 Z
;will break 3 times :-(, ^0 W7 Q( Y8 C) u
. g; P Q0 v/ m! O9 `1 e
-Much faster:
4 b* f/ f# I% z" m BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
' s8 `4 f* `! g& v+ k4 a& A1 V
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen: d* r6 b! }8 @4 T6 P9 }; |
function to do the same job:
. q8 @' u1 l: [8 e/ [& q: L; P( @. m
push 00 ; OF_READ
; v5 ]* F. L; s5 j( w mov eax,[00656634] ; '\\.\SICE',0( e7 B* z" Z) w4 Z' J$ U5 i2 u! m
push eax [' N7 i9 a, P6 ^: M
call KERNEL32!_lopen8 d7 W- ^" t/ k' h
inc eax- R9 w9 g8 G- ]: e9 }
jnz 00650589 ; detected
$ h3 d( v9 u: Z. g: s7 M6 L5 {$ R5 X push 00 ; OF_READ
7 P* E+ a* D. N) r mov eax,[00656638] ; '\\.\SICE'! X' d& A) @/ s2 G* p
push eax) @1 j) r3 B/ q8 F
call KERNEL32!_lopen
5 E3 _/ O N- }3 t* k O1 S inc eax$ c% m; @. R1 O& U: i1 n
jz 006505ae ; not detected- f2 j2 Y+ x y, P* m4 q: r
* C0 D$ r5 s: E6 m" s/ }/ T
N3 i9 u% `" s9 m: G- Z$ Y4 [
__________________________________________________________________________1 N" h# |! j5 A5 E) g) Z% H' P
9 E" a4 E6 y7 ~
Method 12
! ?2 _4 M& \8 ~% g( F=========3 M$ j! b- f5 L9 L2 E7 F S3 X& T
e! L% [3 l! p0 m. h6 a, ?This trick is similar to int41h/4fh Debugger installation check (code 05
# o* X" e& b! ^* r4 l5 p0 a& 06) but very limited because it's only available for Win95/98 (not NT)
* t* y$ ?) ]4 d3 Fas it uses the VxDCall backdoor. This detection was found in Bleem Demo.4 }, S. H8 K' Z( u
: r8 P$ T) j" K. N' `" M# [- K( t& w
push 0000004fh ; function 4fh: d( c! r) K/ Q D% ~
push 002a002ah ; high word specifies which VxD (VWIN32)
* s; l3 l% H" w/ k1 `0 s ; low word specifies which service) r+ p; ^8 d6 W c) t0 W7 Q! k
(VWIN32_Int41Dispatch)
+ Y7 o, V) I$ \4 d call Kernel32!ORD_001 ; VxdCall
/ ~. [% r6 o. t4 O' l. p4 U cmp ax, 0f386h ; magic number returned by system debuggers. A8 g- m1 N. O: [) q% N* X3 b
jz SoftICE_detected
+ t3 U8 D# [! }$ h+ [4 J; d1 q' i, n3 d+ N* h
Here again, several ways to detect it:8 |0 n: ?. y5 k$ O% ^
$ i& o) e( {' h, V$ y BPINT 41 if ax==4f- M5 s" z5 q& w( g$ K6 _9 v
. n* W5 c. h! c% n: H0 n. p4 q BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one# j. s* ?: n1 w, L
5 i6 J5 P( L( G* { BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
8 i9 _0 A1 z3 Z5 j! ~% c9 H! d9 C8 J+ U; K8 r3 T4 a7 U
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!) i7 H* D/ Z2 }" i6 B' p) q
% b' Z) t5 U: P4 r6 O
__________________________________________________________________________
9 j$ p- n9 F- x5 T- K- P
( B8 ?- K/ P( ~. n+ {8 }Method 13
! L. Y. q$ `4 j========= Q' ]( g* _8 Z& e, S* ]& s
5 Q6 X7 u$ Z' t O4 ~% e4 sNot a real method of detection, but a good way to know if SoftICE is4 n# }, n. Z% [. z( C4 ~1 V
installed on a computer and to locate its installation directory.4 c, `3 v. w7 x" T. a9 X
It is used by few softs which access the following registry keys (usually #2) :
; M3 ~6 U1 T9 R6 \! @4 ] ]( H6 j3 x2 O7 R6 D/ C+ e
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) }' v, c h2 u+ {5 \; V; x
\Uninstall\SoftICE% C% d1 y i3 j) ]3 m. ]1 F
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE% M, L7 \5 A6 W' |0 Q8 {5 R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" I& r8 u" O- J: d& N$ c, t' A/ Y
\App Paths\Loader32.Exe- T: Y9 Q3 E7 m! V8 F: `) K) V& @
N6 N: i1 N9 d+ z9 w6 Q6 _9 d
( H q. c7 a7 V/ \Note that some nasty apps could then erase all files from SoftICE directory
$ `( b/ R: ~! |) x# A+ @(I faced that once :-(# X/ y. d! y- }! {' R
! k+ D$ |7 y; _ z
Useful breakpoint to detect it:
2 j, J/ ~8 _% |( ]8 A& o7 L6 O$ V& R1 {# m( G4 _5 B. d: ^
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
( x7 m) [0 F9 a0 M( H+ d6 Q) q% C' [4 v8 A. ?; q: Y5 g
__________________________________________________________________________
8 H% B# r& K, u5 }3 V
0 u1 d# \ ^2 x: E& o3 o6 m, X6 y" k+ d! c' m* |; ]. t
Method 14 1 i0 q, D( a$ ^- C
=========
: e0 b2 f( C6 i# S
# P; `7 d: y# Y) h. OA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 i6 \; n7 i' c9 F, K8 J. K- xis to determines whether a debugger is running on your system (ring0 only).
/ h; f1 G. p) k3 o! k, Z: W8 l
VMMCall Test_Debug_Installed8 a" r. c) K0 _& U) e
je not_installed# }( P' c/ f' q& ]2 V
7 \! M2 ^- d; f# {+ \# ]% N
This service just checks a flag.
2 A; B, h+ f, K, d</PRE></TD></TR></TBODY></TABLE> |