<TABLE width=500>9 i8 x! k* H7 l
<TBODY>
. o. g7 E5 A& I. d<TR>- i0 y. A* z: |. i
<TD><PRE>Method 01
! P. P0 Z5 o u=========
5 ]: ^0 ]2 @! Z& j, P- |3 {' L' X* y+ x6 u6 v$ M
This method of detection of SoftICE (as well as the following one) is
' o+ V, L: A$ w2 b1 c8 F0 i5 mused by the majority of packers/encryptors found on Internet.
- o8 [) F" F2 ]; G0 x: v( j, i+ DIt seeks the signature of BoundsChecker in SoftICE; H* R( R9 {& L r. H
+ ?) @* K* j; s4 I0 H mov ebp, 04243484Bh ; 'BCHK'' O" v5 _: |; L/ C4 n
mov ax, 04h% a9 g. }2 m3 T8 {! x& X' M
int 3
8 M2 p) {2 Z* M0 ^8 N cmp al,4 a3 _. F% U9 H) F& x, U
jnz SoftICE_Detected2 r8 k& E/ h Q8 ]" R! [
/ a; u( d8 x7 b2 ?___________________________________________________________________________ t# x* N- Q* ?6 o/ L1 ]/ U! o
2 c1 k" b8 L. x2 qMethod 02
8 I# G" S& ]# c" z2 o/ _=========
$ r: B; B; y3 D9 H T( q2 z, R& V0 Z- e2 j: I$ q! ~
Still a method very much used (perhaps the most frequent one). It is used" Y3 t' o% B* ]9 f @3 O. o
to get SoftICE 'Back Door commands' which gives infos on Breakpoints, L6 B: `' m8 d) T
or execute SoftICE commands...0 q9 @' q9 D7 h
It is also used to crash SoftICE and to force it to execute any commands& u, q0 N6 {9 N0 A" r2 _6 z. K1 f
(HBOOT...) :-((
\. a, A) I, A6 ~. w8 S1 p2 w8 i( G: \
Here is a quick description:
3 L4 P' ]( q$ g3 B: A& ? u8 B-AX = 0910h (Display string in SIce windows)
4 x5 I6 \ ?% T. d6 F1 t-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)2 ?7 \& y; Q4 l4 Z% ?
-AX = 0912h (Get breakpoint infos)+ ^+ a9 l( b$ K5 ^# b6 ]
-AX = 0913h (Set Sice breakpoints)
z( N8 j5 _2 g9 C9 c1 `& q) W- _: ?; ^-AX = 0914h (Remove SIce breakoints)! e' B) l$ ^' D3 L+ p# O
1 l+ J: W$ P0 h$ z J! l) hEach time you'll meet this trick, you'll see:
- O \, Y) X8 j-SI = 4647h
) Y. v7 }# j4 h+ V-DI = 4A4Dh$ m! T1 d1 v+ I
Which are the 'magic values' used by SoftIce.3 o8 p: d- H5 z8 N
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
( m& T }& e6 V% b) J9 ?8 T& v
D. a& F1 z: B) s$ g6 D& ^. f- B5 `; iHere is one example from the file "Haspinst.exe" which is the dongle HASP% _( o4 |( Y% j/ o
Envelope utility use to protect DOS applications:# B$ ^$ M% v+ e* `- A/ `; q
* \ I! D+ O; m* z- p, O8 M8 d; e* \5 T+ B1 C) f. D, s' D# s# _3 I
4C19:0095 MOV AX,0911 ; execute command.
$ a1 X$ X5 S/ s1 E4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
" U- P) e6 \7 e9 V& M, `4C19:009A MOV SI,4647 ; 1st magic value.) {9 ~& y- u- i' _2 [
4C19:009D MOV DI,4A4D ; 2nd magic value.+ w6 A3 H" g' V5 I
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 ]- d9 R, {2 p1 D4 `7 r4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute, M7 [9 {$ g5 \5 N8 K
4C19:00A4 INC CX
* B4 N% I; t/ d) j$ U8 u4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
/ H6 [. u4 J& Y, J# V5 [4C19:00A8 JB 0095 ; 6 different commands." f& V3 ^- G" K7 u' `+ \
4C19:00AA JMP 0002 ; Bad_Guy jmp back.( |2 a2 i- G( F# @
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
6 _+ G$ U; u$ F7 ?. T- @9 A
3 O" ]6 y1 ^; i% d# Q$ P6 hThe program will execute 6 different SIce commands located at ds:dx, which
, S4 [1 q3 R" }4 C1 W7 [3 Z3 Care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' z1 ^8 `. p U6 i T! r2 L4 H3 F
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
5 l6 c: v( M+ I" ^___________________________________________________________________________& P1 y1 A6 @5 ^/ B! `7 ^$ w
( U( D$ T% v5 \1 |: z, g& ?5 g
! W) \" E: x7 F1 T
Method 032 m: O. t! R, T8 i6 k4 [: G. [
=========
3 I% `( H' V* ]# W
/ u# C. L: v# o9 ?6 l8 PLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
& H, \6 @0 \! Y* y# }# z(API Get entry point)5 q; _: d+ D- }* {! J
7 _( _+ Z3 W2 O4 `: m: [, y' A+ {; {0 B# k/ d
xor di,di
- [9 ]9 M8 w, r4 d! W* G mov es,di+ D( R4 b0 |2 P8 B; ?, s
mov ax, 1684h
+ ~, Z j w; j; m& I2 Q mov bx, 0202h ; VxD ID of winice
! g, N" X! H: E5 ` int 2Fh6 E4 q$ H( _1 E; A) t- Q; j
mov ax, es ; ES:DI -> VxD API entry point
I9 V: e% N! H; N add ax, di+ q7 v! ?, V d8 b3 \
test ax,ax
) ?: F% l# j1 W. E( \ jnz SoftICE_Detected
! g/ s6 k2 ]% z0 t% S/ Z
: g2 X" w. ~0 P___________________________________________________________________________$ \7 A' A8 A+ O% R: `
* l! o0 l; t0 U D
Method 040 k0 J& ~1 O. M. z6 p6 U- J- _
=========7 o+ a7 t5 S( W4 T
2 [/ V! |& N$ [' `; y- N
Method identical to the preceding one except that it seeks the ID of SoftICE
( ^4 h" F& ?0 R! @! g8 K4 G8 |GFX VxD.
) L$ e. O- A5 n& F5 |' P, C
. P+ i- ^* N/ L j xor di,di
% E6 x' a: g. Z) {) [ mov es,di
& i! r5 ~7 U0 \7 P mov ax, 1684h
- D. Z8 g+ n' j% a mov bx, 7a5Fh ; VxD ID of SIWVID
8 _" R3 z- Y: p( K( v int 2fh
4 r3 y/ T5 S% P6 ? mov ax, es ; ES:DI -> VxD API entry point
. X3 h% T" h& ^ add ax, di
. z7 m* f8 h/ j) G. V+ { test ax,ax
" B' l( B% g+ k$ r- L- B jnz SoftICE_Detected% e# I5 ~# T8 K# n
3 H6 j U3 w3 F% R3 p& ___________________________________________________________________________" A P2 {2 E) H& ?% w0 H" @
+ k" A" O$ `( M
, e. D7 @- p+ V# D; F1 y/ OMethod 056 T" f- M$ K) f5 d
=========0 n* J3 I" F- O; f2 A1 R, r
5 K9 `3 X7 H, R5 ~ i
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 }# V0 o/ T1 t! xdebugger. It calls the int 41h, function 4Fh.
' p8 R& p% X% F# mThere are several alternatives.
' N. u" v, U8 m' H: D. r: Q" L
' K# r& T/ W( x( gThe following one is the simplest:; c% s' v$ m8 g9 Q: x7 |) R, c
) X& k! A! r* n- G0 ?4 K
mov ax,4fh2 O: H7 l5 _1 u5 E: g
int 41h
; s" _5 A. |" V+ P cmp ax, 0F386/ E" J9 Y5 a, j
jz SoftICE_detected
$ N/ q' l \# [1 N- ^' X1 J5 w6 f+ G- [) G' G8 A5 F
! G' T: u, O( q8 o; e3 D2 x
Next method as well as the following one are 2 examples from Stone's
1 e4 x+ p- s0 u"stn-wid.zip" (www.cracking.net):$ w0 I# Q4 q- F8 E* W
. b7 [# D$ ?1 U5 d$ m8 C* |3 I! q
mov bx, cs- {5 c$ u* b& t
lea dx, int41handler20 F3 J! F% @. v, \; W( ?
xchg dx, es:[41h*4]
: c/ [) u1 [4 b3 y$ D xchg bx, es:[41h*4+2]
8 P* E$ v) W+ D; F: ?/ p* T mov ax,4fh. h+ Y4 I* D. _0 M" s {! g* q
int 41h
7 L0 t Y. u' w/ k$ B& k' l7 X, G- o6 R xchg dx, es:[41h*4]
2 G, \7 s7 e8 ^ C n xchg bx, es:[41h*4+2]
4 \- X6 B* A1 }7 I# ~/ q. T8 u8 z cmp ax, 0f386h
8 f3 F& ]3 B4 X" r/ n jz SoftICE_detected/ [% D# s& l: T3 [7 I1 ?- I: `, e1 ]
Z1 {9 J. w# Dint41handler2 PROC" G3 G5 f! P6 x8 @* m7 e
iret
, t! |1 b3 K( }0 wint41handler2 ENDP
2 G; i, S5 p, p* Q6 \- M+ W- {" @) Y0 O; _* j6 e7 ~
; U ^2 Z) t" u/ k
_________________________________________________________________________
3 x0 {! X" T, h9 s
: {3 F+ d8 ]( N- m$ m+ ~ V7 e2 l% @& T( K, b! o
Method 06
) F' h4 r. P( j8 {% o=========/ C& i+ M; X) u2 p8 _7 Q5 S+ `
1 ]3 n" Z! L# V7 K* l8 V7 C: N5 u2 U6 Z1 r6 p' v
2nd method similar to the preceding one but more difficult to detect:
9 D$ f) A7 m' a9 `8 y( l1 T/ C) j3 F* @. }
7 b) X% j. O+ P; R) p8 G
int41handler PROC
}0 r9 m5 U" W* }3 a- t' N mov cl,al
& p* R' e- O. c8 U$ ~+ O iret5 }) r. u' [& U
int41handler ENDP, f8 N* {5 f; @4 L
* [. b4 e) q$ x6 v$ H
3 ]( b. l0 a. `; e( K4 i8 c3 O xor ax,ax
: t. G3 [# ?4 G$ e mov es,ax s9 T0 [ ^1 h0 N1 c# X# o
mov bx, cs. P: Q5 K7 [! L& Z" ]$ ?! F
lea dx, int41handler
7 E2 I+ d5 I7 \+ Q; g xchg dx, es:[41h*4]
Z1 i* J' q n# f1 I5 E% E1 C xchg bx, es:[41h*4+2]7 G6 F' \& [( s0 z7 k
in al, 40h" M' z \" H' ~0 T: [, R1 t2 ~6 p$ Q
xor cx,cx3 y1 w- Y7 g& n0 A, W
int 41h
2 k3 O5 X0 z; p9 I xchg dx, es:[41h*4]
$ u/ O6 d, s+ W$ x* a" } xchg bx, es:[41h*4+2]7 N8 z# [: x7 H( d
cmp cl,al
" S" {' c! {2 q4 I. y jnz SoftICE_detected
# t$ Q; |9 c% R* ^- Q) U( g: M7 }2 K; M4 G. ?9 `! _3 m
_________________________________________________________________________+ A% C' r9 f( K! z1 y9 D
8 z3 s. j( R# k3 u
Method 07
' L! g' z6 T2 [, A m6 m- u0 ~=========8 w+ Z- W* M/ t
1 `% k1 D: m6 X. SMethod of detection of the WinICE handler in the int68h (V86)) Z/ X5 p- X- ]
7 `2 L$ z3 _/ q! K
mov ah,43h+ q/ K) s0 U9 f9 [! k( ?
int 68h3 p& W+ Q% N2 G' G: a. t
cmp ax,0F386h a* S, w6 V1 }6 R, e
jz SoftICE_Detected+ c: F, c; V* A' b& l: N5 `2 p
" @: t) r! J3 R# R2 ~# z
8 O1 @, G, s; {=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
0 g7 k' H+ ^7 m' p app like this:1 H6 x) b4 |. A0 p5 S; v
6 b4 K$ X& i0 j
BPX exec_int if ax==68
( Y- y8 W& I0 q. k" o- d$ ` (function called is located at byte ptr [ebp+1Dh] and client eip is
$ T5 m( B3 {8 T1 k located at [ebp+48h] for 32Bit apps)+ S/ w. A Z9 v' X% m7 Y; ^7 i
__________________________________________________________________________
, g, L7 v0 i' _& D& u. N& F6 G" y3 W
| x$ h4 d& F$ W8 }
Method 08
* V; ]& p C* A=========% C( V- S* b$ {# j
( l! M8 `2 a' f/ \2 o
It is not a method of detection of SoftICE but a possibility to crash the0 _9 Q% r# o! m6 h( ]& d
system by intercepting int 01h and int 03h and redirecting them to another* s9 {, h5 J& J
routine.
1 x/ u5 H, {7 vIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 _4 n" J$ q& c
to the new routine to execute (hangs computer...)' ^5 O) ^+ C9 U4 n1 E
2 m% P$ s$ V t' U; {( d$ m* L+ y/ h
mov ah, 25h5 u: E+ q/ o7 Q9 t% Y( b; [
mov al, Int_Number (01h or 03h)
0 r; t! J1 a& V, s2 l mov dx, offset New_Int_Routine( ^6 o' K( f: F! ~" Z4 l0 s) |
int 21h
- p0 o& i: a2 N( P. x: s' L, t' ~; p0 U6 F: v, o
__________________________________________________________________________
! h3 z7 c6 {+ ?& S, k* J
& s9 r$ C3 m7 c- Z! G4 k$ p0 k. t9 O4 gMethod 096 Q% Q# m- o1 k* A- p
=========
9 _3 P6 N Z9 [( h" K0 t- u( Q0 B/ w9 W: T: L7 w5 B; S
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 T* i) _* }& s6 }( G' S$ A7 Z: q, Dperformed in ring0 (VxD or a ring3 app using the VxdCall).
! \( m5 w! M2 @The Get_DDB service is used to determine whether or not a VxD is installed* b- p3 e( o0 w) [4 y1 t
for the specified device and returns a Device Description Block (in ecx) for
+ ^" t) m- |( ~that device if it is installed." N3 ?& I9 d8 I. b
! F3 r! m ~9 N4 J G" D! ? mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID: n* w" ]4 X& Z/ e
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)+ u+ V5 M5 H3 |2 |- N( E, q
VMMCall Get_DDB3 U' e; U1 s( K4 D3 [. N: A
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed) ^2 J1 Q$ D- D0 `5 Z
m# v e# t: c' N8 j5 kNote as well that you can easily detect this method with SoftICE:) r# d2 [3 r' `9 u
bpx Get_DDB if ax==0202 || ax==7a5fh
! q1 e# P' @* @, U- R! p6 n% [. `7 ]* n# q! k: v
__________________________________________________________________________
6 G2 }# |" ?3 ]; D% @# O( Z0 [6 ` z$ [/ c( p Q. k/ m# G
Method 10
. p. R' X6 q# ]4 H=========+ Y* r) o8 X5 ]& n1 J8 f7 S9 l
7 a8 `" J- J" s2 a. C7 I=>Disable or clear breakpoints before using this feature. DO NOT trace with6 S, }: Z- P2 T2 i9 m- Q% y+ ]" c
SoftICE while the option is enable!!0 ~7 K- h+ E; e% }
0 S/ B7 w ^! \
This trick is very efficient:
3 I) S8 ~7 R) |2 o: H1 x0 F6 O% fby checking the Debug Registers, you can detect if SoftICE is loaded
7 F+ J0 z5 l7 P8 I: R(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if* `- e$ X7 U3 F+ X
there are some memory breakpoints set (dr0 to dr3) simply by reading their
+ f( I) J9 c% V; Y1 a9 U" i# B; Vvalue (in ring0 only). Values can be manipulated and or changed as well, h5 `( b- k- r4 I( w: M
(clearing BPMs for instance)2 D' P/ Y) ~1 N4 K- Z
; p% R# ~4 C0 ]; G' Q4 F o. w" k__________________________________________________________________________
g! c2 [; V0 N8 B5 \6 s& p4 z: ~
Method 11) \7 Q. R4 l- A7 a% b
=========5 r. P9 r1 ]0 R1 s6 D5 d* y
! ~/ ~0 ]$ M( k' i: gThis method is most known as 'MeltICE' because it has been freely distributed, z& ^2 m+ I2 G4 A( d( o) f
via www.winfiles.com. However it was first used by NuMega people to allow
3 I/ ?8 R3 p3 x# v! ^/ USymbol Loader to check if SoftICE was active or not (the code is located
1 y' F/ n G2 ^9 D2 ninside nmtrans.dll)./ |8 i5 Z: P, r3 F7 X
' o* D' e z1 n5 |% r2 GThe way it works is very simple:* B' m* n6 {; I% B6 N0 }
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for* |& _# d/ N" Q
WinNT) with the CreateFileA API. c' y: |$ w/ U, B
/ t. [6 |8 y* d% k% l2 P
Here is a sample (checking for 'SICE'):6 }% H! Q4 B1 M' J8 s2 Q
/ T2 q8 O$ N; uBOOL IsSoftIce95Loaded()
/ e3 D; u. n1 }! ^+ T3 }8 S0 X{
) A5 ~! m h8 a/ w- F9 j d/ P2 a HANDLE hFile; ; J( V1 p3 V& T5 ^# T
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# j6 Y8 o/ H& @ FILE_SHARE_READ | FILE_SHARE_WRITE,
1 ^+ a4 |& P9 K7 C$ x% i NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 M g+ k9 B0 z, | if( hFile != INVALID_HANDLE_VALUE )- S+ N' C- j9 s0 p0 ]; s) _- r$ G
{
1 A* _3 e+ z/ F2 B7 ], L/ `5 v CloseHandle(hFile);3 p. j( w4 l7 {: e+ U1 a* G+ j
return TRUE;
( ^! e- u w, E4 s3 b6 w* ]' S }
/ U4 E" g3 D# O- \0 z$ a return FALSE;$ E5 d3 V% A9 P6 I% m/ ^
}' F1 b& [( P7 [4 ^
# j2 M) ^6 _( ?' o1 k1 p @Although this trick calls the CreateFileA function, don't even expect to be/ V. s: D9 w/ [# l% t. ]6 O% D c
able to intercept it by installing a IFS hook: it will not work, no way!
5 Y5 [$ V4 X# H6 }! aIn fact, after the call to CreateFileA it will get through VWIN32 0x001F2 \2 w. n8 l, F5 ], v0 c
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ J0 {2 P) D5 S J0 _. T( T* ~
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 `( D* Z& T8 c( ffield.
8 v! t& `! h7 d9 j6 b/ [0 tIn fact, its purpose is not to load/unload VxDs but only to send a ! ~/ G: O" i; d2 d) r
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)3 n' W! e4 ^& d3 Q, ^' M, W: X; J8 s
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
c* G* J' J/ N+ u7 N& w* J; Xto load/unload a non-dynamically loadable driver such as SoftICE ;-).
; M+ k( V6 W# |4 lIf the VxD is loaded, it will always clear eax and the Carry flag to allow, C4 G* O) ^4 D% e3 V# E* l( b5 ?4 P
its handle to be opened and then, will be detected.
; G2 m! s5 ^( n( E. e; A7 dYou can check that simply by hooking Winice.exe control proc entry point W7 w% Z9 v% ]: | a
while running MeltICE.
# b7 m& ^, ?5 L( @2 y$ ~; P/ \
6 _/ p# G5 r4 _7 v% s7 w
- u3 B! p: p& f( c+ X9 u 00401067: push 00402025 ; \\.\SICE w' [' _7 U2 f% k" e
0040106C: call CreateFileA/ N( p, o' t# f7 ?+ |
00401071: cmp eax,-001
* a# C G% Z- } Z/ j( K 00401074: je 004010918 {9 f* Z7 P1 A4 G1 ~" X+ f. P0 @
" r) ^" l$ B- t& ]6 {& l" n( `( [0 ?+ ]
There could be hundreds of BPX you could use to detect this trick.8 `& ^- l7 Q% Q3 a/ G& B! U
-The most classical one is:0 H$ }8 X* e# d5 z- R
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||7 ], N! O& \* A" R. o
*(esp->4+4)=='NTIC'
$ M; w' q! q: I
4 f- f P% ^; W0 W-The most exotic ones (could be very slooooow :-(
d, v6 {# h& L7 J0 W BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 u2 T/ o. J3 V7 y; r/ C/ j
;will break 3 times :-(% T4 o# r) r8 q1 e5 M
; ?, F7 g# {. M4 V+ } Z
-or (a bit) faster:
$ W7 B# ^6 l# P1 n) @: V BPINT 30 if (*edi=='SICE' || *edi=='SIWV')8 ?# l# v# ~2 b) C! ?, F# ~
/ W- k9 S: e7 B3 O, m BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. Q+ b$ ~( O* y* j2 L" w ;will break 3 times :-(
6 b: m! G7 @2 H5 b# m
1 @. i3 ~" J# P8 o7 T# q4 J-Much faster:
7 L( X: _2 _7 S6 T, B. k BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'* Q0 o/ A3 e' z
; e6 L. C5 F$ ]" [& \: n( j
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
; w$ G' K. F1 o# afunction to do the same job:
& V0 f$ b) C3 W A5 z
: |# {+ l# I0 v; [- v/ A) B push 00 ; OF_READ( g/ i5 n' R; Y$ |3 I0 Z+ V
mov eax,[00656634] ; '\\.\SICE',0
& y1 [( w8 t) `* b1 W' u; _& H" b' R9 \, S push eax5 H9 H' z0 Q9 K: t1 E2 {) }
call KERNEL32!_lopen5 u3 c' d. I2 ~; l' S) [+ e
inc eax! ]/ n5 o& R& m4 V8 i; U% J9 X/ J/ a
jnz 00650589 ; detected
+ T* ?$ w: j% X$ Y! @ push 00 ; OF_READ# C) n- X0 |/ b1 U% X) @$ X8 G+ L
mov eax,[00656638] ; '\\.\SICE'/ ^: k( m$ l+ }
push eax7 R# L: T% `- a* f2 G
call KERNEL32!_lopen* L2 \: f$ k+ w' Q) T
inc eax
) |" f* f9 Z% g8 S$ v jz 006505ae ; not detected1 n4 y! ^, {: L8 c8 {- \7 S
1 A. a" |: z; W7 V
) w$ A0 [. Y6 I__________________________________________________________________________
0 U! l F! E3 S) x$ w7 R! U3 c( ]1 \3 w2 l$ E
Method 12
. x7 Q! g. M( c2 ]=========
' J8 Q' A# g# ^) b
! Z3 D K3 |6 W0 p% ]1 QThis trick is similar to int41h/4fh Debugger installation check (code 05
3 v$ d$ W0 f3 }; }& 06) but very limited because it's only available for Win95/98 (not NT)
& [4 T: C, ^- ias it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# Y0 R N* i! q! H/ n! `5 Q0 G1 ]# m7 M& V2 g
push 0000004fh ; function 4fh. W: m" B3 C6 W6 U
push 002a002ah ; high word specifies which VxD (VWIN32)
7 o8 N# }" l3 T5 Y6 d; h ; low word specifies which service
, r; a! p2 U5 {- }/ d$ X+ U( n- L (VWIN32_Int41Dispatch)
- o* X0 Z# i2 ^" `4 @; l. N: w call Kernel32!ORD_001 ; VxdCall3 j' V1 x+ d, p( u
cmp ax, 0f386h ; magic number returned by system debuggers+ A0 A) i W. k% [
jz SoftICE_detected
" j; P7 u' Q, d3 @. @8 q" c8 q, t
% [# W: W3 V: C% d' c6 p6 O0 bHere again, several ways to detect it:
% |9 W% U3 H# P: ?" G
) K: M$ U! Y3 t" S BPINT 41 if ax==4f* x1 X" z- V$ x; v0 M9 J1 `
$ E g! j' c0 g+ @5 j- n
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one; u# f( u1 ]( f* B: Y' a! Q
# A, h7 _4 y$ k, P! s+ \
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
$ e/ T- F: j7 O( F6 g) q
1 A* W% b: l- I0 J1 Z BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
Y) ^. L7 x$ c# O) J* N& B
' e9 A' F9 L( T9 A__________________________________________________________________________
% a7 f" d2 f/ T. \ |+ n0 U- N3 V+ C2 I% `8 r1 h
Method 13
+ p3 |5 S; t5 k7 c# W1 G3 X! ~=========# e$ e( o- [0 e' p% u
+ P9 z7 o2 v) ~3 \( Z- q5 y C
Not a real method of detection, but a good way to know if SoftICE is
8 e) F U/ f& c+ |, Z8 B$ T, minstalled on a computer and to locate its installation directory. |( |2 ^! O6 O9 r& R- h+ a
It is used by few softs which access the following registry keys (usually #2) :& J R' F7 h* R1 s1 {: {
+ L1 m. r5 v( s) l7 B- Q; h& D
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 y! w; M- n$ w! N3 P* @$ {# E
\Uninstall\SoftICE
+ [. J4 \9 u/ N% Q-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 s' ?7 A, o$ p5 r
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. y X* z* H: D
\App Paths\Loader32.Exe
5 [# g+ c8 f1 N& s
( w' l7 o8 ?* h8 ~2 i+ h3 ~( P
& S5 q1 q. h4 u: B. c6 GNote that some nasty apps could then erase all files from SoftICE directory
0 q- y+ I* W9 M Q2 c" c(I faced that once :-(
9 V2 [/ `1 S1 O2 ~7 A6 `. u/ `9 C9 @) U3 S
Useful breakpoint to detect it:9 r: e4 Y- ~" Q
$ W5 R, _! x. }6 t8 C. ~
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
/ z! C- Z& j) F+ d. F9 M/ w" \! k4 p+ s
__________________________________________________________________________5 p) h. ~: L/ Y# L( R0 g
& }7 X1 \+ V* S+ P8 P9 W0 w5 H
a/ V7 J. G& T- m0 A
Method 14 ' m# v3 P4 o& z* F- f
=========1 N9 T, A' a" t/ j; ?. J
, [! }0 ~; y. ^5 j* nA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
6 K1 C! _1 s6 Iis to determines whether a debugger is running on your system (ring0 only).
, W9 Y p6 H, c) |8 b4 B; k# E% d' x" x7 M* e; _6 b% `
VMMCall Test_Debug_Installed
# F. X- ]/ d" g, N9 X% o% K je not_installed
4 b! n. O4 l4 t1 Q9 A0 w7 m4 _: F( b/ W3 [7 o: k, B6 ]* `
This service just checks a flag.
" s$ ~, N; R+ P0 s</PRE></TD></TR></TBODY></TABLE> |