<TABLE width=500>
4 E& j3 n2 g5 n. V+ d5 X<TBODY>8 f! a5 ]0 a8 ^0 |; d
<TR>1 E3 U3 P9 F: M
<TD><PRE>Method 01
! W$ p, d! \& f" b& [=========
; G1 _- q, R+ f3 X+ i/ `3 m; r8 D
This method of detection of SoftICE (as well as the following one) is: z9 G* o2 ^- p) M
used by the majority of packers/encryptors found on Internet.. R t4 G! v2 }7 @7 r5 x: \0 g
It seeks the signature of BoundsChecker in SoftICE
. D2 H5 s5 o5 ]; z8 w- _' y
3 s& I' D8 f: w) o) C mov ebp, 04243484Bh ; 'BCHK'
2 L! j/ p3 j0 b6 L# {# W mov ax, 04h! k. ~8 c3 C* o" z. W1 G9 L7 N
int 3
- ?% R) y- s" @9 c2 I1 O3 U cmp al,4- [' `( K& |; m+ _$ {7 A8 `
jnz SoftICE_Detected: i% j6 Q" r! R7 b" p
# I9 A: o8 I" T' @( {- ^0 E___________________________________________________________________________
% x4 a& X3 q, ^6 i7 X7 i& ]8 S. i; ~3 T8 F5 k
Method 029 @4 u/ r; p/ y3 W& X
=========" L( E7 ]) G0 Y+ A! ~ {/ j, V3 z
& q' i) j7 T* X. L9 WStill a method very much used (perhaps the most frequent one). It is used
1 D" T2 W3 q- I" {to get SoftICE 'Back Door commands' which gives infos on Breakpoints,+ A$ g k, `$ n
or execute SoftICE commands...
* |3 e/ f4 u: l/ UIt is also used to crash SoftICE and to force it to execute any commands
" F* z# o. |/ p8 a8 ^(HBOOT...) :-(( & @, n1 E4 m% s; k' k
4 ~# ~, P2 }- p' P8 s) B1 Z
Here is a quick description:
& E" z$ m0 B+ E% X w-AX = 0910h (Display string in SIce windows)
1 Y( t, ?8 N. o) B1 H& N% D& t-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)' N% l5 d3 b4 j' _3 q/ _
-AX = 0912h (Get breakpoint infos)
5 ]+ P% D. C" Q$ U9 X-AX = 0913h (Set Sice breakpoints)
' g4 n7 s' `+ O% x8 l+ m) b' g-AX = 0914h (Remove SIce breakoints)
2 S6 i: ?- ?& E0 O8 ]; h% G0 ~
* ]/ E9 j( L! g: }: y/ d- yEach time you'll meet this trick, you'll see:
0 ?3 D. J- o4 z/ T4 C+ ^. z+ `9 t, @-SI = 4647h, c+ Z t6 @5 m C- w- p
-DI = 4A4Dh
8 _7 E: }, Z) d: Z, l, l9 P7 e# ^Which are the 'magic values' used by SoftIce.( i) S6 ^8 M2 } d$ y' @# R* E( _
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 d& {$ A" M; W* V! a( e7 Z6 g
! L. n* A" l5 J9 d! iHere is one example from the file "Haspinst.exe" which is the dongle HASP
2 A5 r) J' L# a+ ^3 C( L0 \Envelope utility use to protect DOS applications:
0 I; S7 U2 v5 q0 q2 a: n0 C1 g# B3 k6 h( b# x' Y
' [' \; a% N' H9 A4C19:0095 MOV AX,0911 ; execute command.
7 [' b6 d, v# } q; Q: k4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
8 \3 x+ H4 l7 G4 H6 T8 E4 r8 j4C19:009A MOV SI,4647 ; 1st magic value.
" X: p! S1 }$ s4C19:009D MOV DI,4A4D ; 2nd magic value.! v) P! `" k+ \4 m
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*): g, t% H- N4 q3 X
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
% o% t) U. R/ B3 a9 Z* g# @4C19:00A4 INC CX
( z$ `; B, [/ U E4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
) M6 s! d5 X% T2 O6 k4C19:00A8 JB 0095 ; 6 different commands.8 {) A3 u$ k7 x
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
c0 S/ K4 q3 w) j" u; s4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
' O" [, Z) m+ n( k+ q; c, k
) n+ N6 M/ f. B, p$ p- ^6 uThe program will execute 6 different SIce commands located at ds:dx, which$ T3 _2 c0 Z. g2 U
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) V- i0 N1 e+ ^" C& ? D y7 V5 _3 Z7 N# A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! B/ U" P+ d7 u___________________________________________________________________________
1 u* d# D( j G7 B7 i
V ?" z) ^( `8 n9 }+ \ V5 h6 \% @9 U; e4 E9 u3 M, T
Method 03
& {" g" a9 z) T6 T=========
5 S$ `% n- V( s% E5 V3 T3 r8 [! z- t9 N
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
$ }" |! E7 q) M( H) m' D K(API Get entry point)- |' W. R4 a8 w5 \2 A6 i/ ]
. B5 ^2 v1 m) E( u7 x, z" v. V
! a3 v; D0 A! [& K' n. e xor di,di
- }- O+ T: p k% _( Q! k mov es,di
2 j$ U* L7 R( O0 s- ? mov ax, 1684h
7 C5 J/ ?+ \1 S mov bx, 0202h ; VxD ID of winice
8 V; {) M w, x9 b- \' s int 2Fh3 i, W. K& i+ x/ f% O& K% s
mov ax, es ; ES:DI -> VxD API entry point
; n. E# Q7 j$ K1 }# K add ax, di P7 j( [- `4 D5 f8 g" Z& w
test ax,ax, e0 W6 ]4 K, @# ^ b2 e+ S
jnz SoftICE_Detected
' Y C" l0 g d0 {$ A* \7 ~7 E& R% H' O/ O0 R& m# z
___________________________________________________________________________/ V, V$ r- n( c# h/ v0 Y ]
7 ?+ R+ S6 n8 p1 }+ |; e
Method 04
: Q1 t4 o6 Q, M; d( I( L5 X=========% m4 _' `5 j+ m( i0 {6 M" |
- z9 V$ |6 X4 [Method identical to the preceding one except that it seeks the ID of SoftICE
; E( z7 Y4 E, ^; c; Y8 h( ]GFX VxD.7 {7 l: h* z; R: @" K3 E. V
' |) }) R! \ ? d" W: {. N xor di,di
( e7 X, y$ u2 _. c/ z8 | mov es,di, L9 N7 o8 H" ^$ e
mov ax, 1684h
# }7 o# J) _" T mov bx, 7a5Fh ; VxD ID of SIWVID
7 D, a: Q- b7 _* U int 2fh
' C" M' P1 P; d2 w$ u mov ax, es ; ES:DI -> VxD API entry point
( m; o! L3 r; v& r4 L1 s' e; z3 W4 l( o add ax, di2 V1 `7 X& A# z2 D3 \% e9 [# v
test ax,ax5 N7 D- f; e+ O. `" K2 s
jnz SoftICE_Detected
" u. H: f, Q! k: L% ^! r. _4 p6 h/ H% Z2 i0 _7 ~0 w
__________________________________________________________________________
( w4 D$ ~' z$ E! V
9 a, a4 f- [& t; {- S3 |" v+ T' }. x( P* @
Method 05
. P: I4 _4 ~4 ^! ?: k=========
$ I& L& p- T: i; o$ w5 g# R0 i: ]2 \8 }) b+ W
Method seeking the 'magic number' 0F386h returned (in ax) by all system9 b: i3 k i" @2 H/ X1 }9 v) f
debugger. It calls the int 41h, function 4Fh.
; P/ v. g, Q. P. L. d: [There are several alternatives. c b/ I- \/ _: f
$ A m! a9 `$ BThe following one is the simplest:6 Y; g5 Z% @, L+ _( y+ q) `
5 O; }3 M" M) s3 K9 @
mov ax,4fh
# i7 P f1 j' }1 G. a int 41h( D; f. j! _3 Y/ P
cmp ax, 0F3868 ?' e3 ]( y8 t
jz SoftICE_detected3 _7 ^; j" ~# y, q4 N. |
3 n: Q) \% w6 |7 W* O( h2 q5 l' i4 K* {$ P4 r5 m$ W% x3 o; R! \/ t
Next method as well as the following one are 2 examples from Stone's
! A3 U2 k+ i* l' D) E+ l% A' Q"stn-wid.zip" (www.cracking.net):
- o7 } O. Q# O! J' A" G3 C+ F" N9 O. \
& v$ }# o9 d4 J' h7 V% Q mov bx, cs
" t- c- }* m2 W8 y2 K) T lea dx, int41handler2' N& N! h, U! o& Z: s; ]) N: Z
xchg dx, es:[41h*4]" V$ ^( j% ?$ K9 f Q
xchg bx, es:[41h*4+2]' Q+ S5 x1 I7 d% Z9 W
mov ax,4fh$ \* y% E2 v1 ^$ r: H. ?
int 41h
* M* Y; X% M$ ]5 s) y8 \% f xchg dx, es:[41h*4]8 Y2 g7 l; L4 Q8 ~9 B0 |3 }
xchg bx, es:[41h*4+2]
0 N9 `( p9 ^( M# |6 o cmp ax, 0f386h
% V2 z: h5 a7 n$ ]) N% M jz SoftICE_detected: L }) C0 g1 b7 y# m! a2 h1 V, v
: i3 f4 G4 d: Q: P
int41handler2 PROC( O e. I. I: W) |6 x. \& A/ m3 e9 e. I
iret: M% o( }( E6 M2 c$ x
int41handler2 ENDP
( ^# ]4 `0 x( q; U+ }" H0 M
, e H9 v- A$ z$ \8 {2 m- A5 @! t# ^3 s5 a
_________________________________________________________________________; G4 i0 ~$ Y6 S3 \* \3 L* s
% Q# F# \' k5 Z+ W6 w
3 s5 j6 _( h7 C* o1 u- JMethod 06! B2 w; M/ k8 W( I) L8 f
=========
( D/ [( I3 Q, R/ ]% S$ R( o
% n% \9 o& I$ I+ Z& e& _
9 W, A) G: Z1 l0 s" }( Z2 c2nd method similar to the preceding one but more difficult to detect:
! a; q* L3 m) j7 \' M5 ~' l8 u- [( ~( w( U5 E) D; l( b
# R/ e4 L3 f1 w, t1 U- N$ @int41handler PROC/ O7 v' |4 f. U
mov cl,al$ M7 j: b+ m$ w+ T- H
iret) k b C% g. J U
int41handler ENDP
# h' ^% H& |2 a5 }6 X
0 q5 | T7 n ?, [
& m5 O! \2 L8 B. \9 j* p xor ax,ax
! a& ~" F: K- a+ [ mov es,ax8 X" w7 Q5 f! X; p
mov bx, cs1 }, ?& e C b2 l. o( U
lea dx, int41handler. h3 V3 j! \+ M" k
xchg dx, es:[41h*4] U8 Q% O( a8 {$ D
xchg bx, es:[41h*4+2]
% A$ p6 P: N9 Y3 [3 ~ in al, 40h
' S& y3 J( E5 D xor cx,cx
" f( {( B0 l: f) c9 B7 V1 {. i int 41h
9 C" u% J* N8 {- I+ K xchg dx, es:[41h*4]6 \9 V8 }( _0 O" q5 f/ Z% `
xchg bx, es:[41h*4+2]
6 G9 Q" E4 g4 M f cmp cl,al! [0 [/ V* T# O7 S
jnz SoftICE_detected2 i+ M v N( [8 [$ B0 `! r! m
6 U- R: h: G; ~& j
_________________________________________________________________________( f6 X3 c6 q1 ?5 ~1 ^0 z9 L7 _
9 }9 U1 h9 h" M! D+ K+ C2 @Method 07
: X( F1 `2 i1 w- @: H========= I A' H8 @+ O! P8 q' w2 x) }
; B5 U& u3 Y5 L
Method of detection of the WinICE handler in the int68h (V86)5 A+ Q8 w4 J1 V' D
8 e; q: n9 |4 [$ v: r mov ah,43h& ~- g, \# r1 j
int 68h
. \1 c6 O3 U/ l1 W cmp ax,0F386h, d) G9 J5 l; {: i
jz SoftICE_Detected1 f+ @" I$ t8 m6 L- v+ `
& Y3 J4 [; y( G3 C
- Z% p6 S3 Q" V0 e" L6 ?=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit/ v6 \9 g3 k: c4 B g1 v, Z
app like this:
' K# E \) `" \, N/ u/ }& C: c* L/ C3 r& Q2 e4 V% p( T
BPX exec_int if ax==68
* S& L5 C B) g7 [% m0 q- r (function called is located at byte ptr [ebp+1Dh] and client eip is3 R! n& {2 S) V% A( O& v! x
located at [ebp+48h] for 32Bit apps)
D; E- m: X9 k) y7 N9 S5 F__________________________________________________________________________
& S1 k. m' s7 F. ]" g: |3 ]. X" O( ~6 `) V. c* j3 w O7 B
3 E5 z3 n4 g- f aMethod 08
* T: w. }9 Y0 ?$ v. V/ x=========
3 K: S# ~6 P s. ~& d4 j
3 j% x/ \, a8 t0 ?: x7 KIt is not a method of detection of SoftICE but a possibility to crash the9 l$ q, V& u0 a0 _4 u$ R
system by intercepting int 01h and int 03h and redirecting them to another
8 V/ X0 G' s6 ]. b4 F; e! i" Proutine.
+ n! I+ I$ N" G) B6 c; y E- TIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
0 m M" R, d; g, E- v" Eto the new routine to execute (hangs computer...); t j0 ^% B3 i1 Y* ^2 p; ] u
/ C, o9 Q+ n2 D6 P; J- P1 t c mov ah, 25h9 @( b, |4 y9 X" j
mov al, Int_Number (01h or 03h)) m9 O/ y; E+ [$ Z* t8 Q: T
mov dx, offset New_Int_Routine# c3 Q; y& ]- W1 B. p+ y7 x
int 21h5 I3 W. K' H8 g$ E
+ C& U; ]1 a, }9 E# U& r
__________________________________________________________________________6 B# z0 l8 ^1 |
4 i1 w/ _" P5 O0 p: C; I# J) P
Method 092 ]# I- D' `; j$ A
=========/ X1 Q6 t; P5 _7 R& U [4 g3 `
# G% h9 p6 ]3 r9 J5 D6 ~
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
$ E7 G+ I+ ^3 Eperformed in ring0 (VxD or a ring3 app using the VxdCall).
9 h, g+ R" S7 D& G9 S+ G8 H8 f/ vThe Get_DDB service is used to determine whether or not a VxD is installed: W, X& j( X: B8 S- y
for the specified device and returns a Device Description Block (in ecx) for) ~- p8 P: V; G& I
that device if it is installed.' T% W) E# r* L. C% D' |( j
! y4 @) @' P( j- n9 ~# }5 k) j
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
4 E- F2 k" i5 G4 w mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( V) r' X& t- `) H; o VMMCall Get_DDB
; x- v0 a j6 L0 L8 d+ d" r mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
A1 B: z4 Q" _- h+ v: O! }8 J# t8 X2 y( @
Note as well that you can easily detect this method with SoftICE:
; w+ q2 ~$ a6 F: y! i N+ @ bpx Get_DDB if ax==0202 || ax==7a5fh, o4 N5 H! W, Z) p7 t
' S6 B9 t7 ?( b! j8 K
__________________________________________________________________________: t i: O# e1 N' D2 [
) F6 ~. t' Q+ ?7 y' ~ m
Method 10+ H$ e5 t1 t9 t7 D& L
=========
( ^* ]# ^# D+ k( S! l5 B: y
2 \* z4 C: Q& F" B=>Disable or clear breakpoints before using this feature. DO NOT trace with
% f! D; `9 u' x. y0 d$ m SoftICE while the option is enable!!
& I; t4 Y( M( T2 P7 g ^: S9 D3 K4 o2 ~7 F$ }5 f% u% |
This trick is very efficient:$ ^! j5 v' f/ c( N$ N* ^& Y+ t
by checking the Debug Registers, you can detect if SoftICE is loaded- S1 a% o& p0 L2 k
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if+ v. C0 k- p. K
there are some memory breakpoints set (dr0 to dr3) simply by reading their p1 T" J4 Y7 k% V" t
value (in ring0 only). Values can be manipulated and or changed as well/ e( X& s U) U6 y* k+ Q
(clearing BPMs for instance)
$ q1 @3 X( O% y1 z2 D4 {7 m# i# G0 M
% t* ^* c8 J; D* u2 l__________________________________________________________________________, g! `% w8 Y. e* f' i0 F
1 Y& W/ e! V; U. J4 Q3 [Method 11
t! c3 t V5 y3 V$ z( I0 e=========6 a0 }, L& s4 C( y( s9 }3 F. [
% F2 Z/ a+ a8 c) h; e. |5 T% w8 WThis method is most known as 'MeltICE' because it has been freely distributed
4 @0 p) |% _$ j: \$ h% P% ivia www.winfiles.com. However it was first used by NuMega people to allow1 W! p. _+ g5 S8 @, }) \$ {
Symbol Loader to check if SoftICE was active or not (the code is located
* i7 p- b- A& Z+ P6 b- W& N; rinside nmtrans.dll)." A0 A( v0 {; q( v
. U5 x; B8 w% R2 XThe way it works is very simple:) K6 T$ a3 P4 V3 a q+ a
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
* p+ J+ M/ Y" H: _WinNT) with the CreateFileA API., F6 `- D! |& P/ I! b
/ y; k N3 M# K) C
Here is a sample (checking for 'SICE'):
5 x" f0 v; f$ V9 h' A8 y( ]; Y& N4 Y$ x' ?2 b8 [
BOOL IsSoftIce95Loaded()
5 J' ^) i+ Z+ @% n9 `% P{5 }. W$ A! y: c1 n
HANDLE hFile; 6 n" G# \( s D( z1 N3 {1 T1 M
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,4 i# H( _1 Z! t |
FILE_SHARE_READ | FILE_SHARE_WRITE,6 I" z: Y; i0 C6 f0 W
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ z5 x* j, E/ L M2 d
if( hFile != INVALID_HANDLE_VALUE )
( {2 G& C% D* S( G$ t( }# V/ K C {: L5 y! ^9 P# I
CloseHandle(hFile);' |5 z8 w$ r: ?: a9 A) b
return TRUE;3 h2 ]- q( X& q5 _% I
}( W# f- I6 W6 H6 x3 }% @8 W' _
return FALSE;
) Q- p, O- d' ]# Z/ i}3 M" M' t( q8 S) ~8 |4 l. b4 T U
# n) B& P! j2 i) E+ a' {
Although this trick calls the CreateFileA function, don't even expect to be' `& w$ G& D' ^$ d0 R
able to intercept it by installing a IFS hook: it will not work, no way!. Q, `& N2 U' e8 |7 d7 j( Q
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
8 t/ P E3 F+ L) Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 d) M4 q* B! @# C% m! H+ @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! Q9 p' {& V( v! l! J4 B: \/ c. r
field.
7 h! b/ R* i( H! t# A1 IIn fact, its purpose is not to load/unload VxDs but only to send a : p; D5 H8 w; s
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 }* a2 Q* V4 o* J0 ?% zto the VxD Control_Dispatch proc (how the hell a shareware soft could try
H$ ?! m4 J1 A6 fto load/unload a non-dynamically loadable driver such as SoftICE ;-).
0 \3 X/ W& k, n7 g, Q( M/ x' G. {If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 G M/ `: }. T3 ^3 \! Y& Xits handle to be opened and then, will be detected.
. g* p. u! @. c. c5 ^" JYou can check that simply by hooking Winice.exe control proc entry point8 s2 }5 o1 ^# I
while running MeltICE.
- d8 X8 v# x/ y+ Y2 t+ H+ d9 T0 T- _
" h* J( X1 ~1 k- c& g 00401067: push 00402025 ; \\.\SICE; E5 q! l3 V+ ]* K$ M; L
0040106C: call CreateFileA" R2 q- o- \9 o( m
00401071: cmp eax,-001# ?2 |8 i( t7 { }* C
00401074: je 00401091
0 q& w9 i" `/ r4 Z) ~8 d" g: W/ h6 @" G- f
4 |) @8 p. n1 E* ^6 Y, ]9 h+ SThere could be hundreds of BPX you could use to detect this trick., L- d* P$ v5 \0 B. V( z
-The most classical one is:3 w+ Z& ^& E1 e' w3 X6 s
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||8 e6 _, g. G U8 f
*(esp->4+4)=='NTIC'
: O* u# v$ U. Z) s, n, u/ ^
0 R$ r0 d7 t3 y0 Z2 P-The most exotic ones (could be very slooooow :-($ q2 l/ d# u& C' \1 Z
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') & |1 @2 c0 J1 m' O) R! y
;will break 3 times :-(2 u. K+ ~; t5 m
' a" `9 M: k* w8 z# p
-or (a bit) faster:
. C7 v6 R. T+ }! H$ s6 {& R: i+ ~- e BPINT 30 if (*edi=='SICE' || *edi=='SIWV')# h( J& ^, i! K% x
7 `8 ^& q* T+ @& T$ `+ q
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 6 u% @3 T" _- j; ~# Y% a
;will break 3 times :-(/ H" I8 @. Z" q& F
: r, U: \+ @9 d2 m! m-Much faster:
' Z7 t# }3 c+ S* W BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
' x0 x9 i- S8 E$ P- C
) f/ T% {. i( Y) c9 ANote also that some programs (like AZPR3.00) use de old 16-bit _lopen& v: I# M9 U* X( _3 f
function to do the same job:: |1 j. r3 X+ a' W) ]5 J# H1 N6 k3 Y. P
. z/ { v. E4 y/ q push 00 ; OF_READ
+ C; h; A$ h- Q% ~ mov eax,[00656634] ; '\\.\SICE',0, S. M A( _: H7 V5 [4 } f
push eax
( L9 t( p9 K7 J; h* A. x: O call KERNEL32!_lopen" a2 I$ p/ i' P' f5 k. @8 E) k
inc eax
8 |* }% O6 _" ~( Y4 V2 S jnz 00650589 ; detected
% C! I+ g; g; A N% b push 00 ; OF_READ
5 s1 ]+ H9 |3 t7 Q) B; T mov eax,[00656638] ; '\\.\SICE'# p0 t% ^! [4 p3 g% p$ u1 y& k
push eax
" B9 s2 @8 I, f+ }9 K call KERNEL32!_lopen
" `1 o/ n0 Y$ m& K' M6 f" M, ` inc eax
& u' Q( X5 r+ k, }# m! n, r jz 006505ae ; not detected
7 n4 m9 Z: V! Q
) E* O% n2 D+ E% s* j+ A2 e- O" G# a
__________________________________________________________________________/ [' g6 }' j' X! a
/ Z1 e, I2 x( d& \0 M1 R5 WMethod 12
& z0 F* i" X A0 W=========; D! T8 b& y: ?% u( }4 p$ H# h
+ E4 y9 {! q# c# p! ?# ?This trick is similar to int41h/4fh Debugger installation check (code 056 S# f O' B/ J
& 06) but very limited because it's only available for Win95/98 (not NT)9 ~+ \3 e+ R5 V8 ~: `- y: `
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 m: y$ L$ }# b4 q% R
3 z7 Y; f, V* j; W \) r push 0000004fh ; function 4fh
2 f5 P+ X. }7 ]; C. o' s r( x push 002a002ah ; high word specifies which VxD (VWIN32)+ n7 }1 Z* E3 S& }8 E
; low word specifies which service
; y# v, [( J0 k( k8 C (VWIN32_Int41Dispatch)
) L1 e) e& o) `* B8 A0 v call Kernel32!ORD_001 ; VxdCall$ e3 ~. Y! O4 U
cmp ax, 0f386h ; magic number returned by system debuggers! h# ?/ ^ g8 K% d, Z$ n+ ]
jz SoftICE_detected8 v; a3 n2 q5 `, z6 d; O
+ G( L3 e. p* z/ G3 @1 sHere again, several ways to detect it:
2 |0 ~( a; X& l. U7 }0 U: X% {+ d; n, z' |3 ]# @" v/ J
BPINT 41 if ax==4f1 j7 u$ H- i( p D
. k9 z* h# n, R+ v; s1 s. y
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one5 v( f3 w0 s# p
& p9 U& h2 R/ m9 _1 z) @% b
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A7 r0 Z* L+ j! {2 x
7 `$ \ T0 R; D
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!8 x8 U! K/ h; b" I: x
7 @1 {- `% L3 m1 G& J
__________________________________________________________________________
' I( @% u ^) d n3 b O3 s- j/ {( n; a6 R& H1 _( k
Method 13+ j. n. I `' U$ [( \1 I
========= }8 z/ c/ b4 N$ _) N1 P! a
- a' i2 d9 H0 J8 t( kNot a real method of detection, but a good way to know if SoftICE is
+ b* C! V. a% Q9 }installed on a computer and to locate its installation directory.# Z* C1 I/ t7 y- d/ ^- P
It is used by few softs which access the following registry keys (usually #2) :
B m) n; ]6 d
8 O2 V* C1 ^: n! S d% V-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, k; T) M. v7 E& t/ Q\Uninstall\SoftICE
) l6 u8 q+ N; h, R: y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* v, O& }; I7 r. N& \7 M-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% n+ n0 `0 [4 E2 R# I
\App Paths\Loader32.Exe
' i% s3 M! w7 W7 w8 d% J0 S$ r8 W% ~: X. h* j$ f$ C
; j: o: Y/ D2 t. M5 e* M, A, @Note that some nasty apps could then erase all files from SoftICE directory
2 n8 W9 n$ f, a8 z; H1 i) L(I faced that once :-(
( R( Y' {, u5 X0 D
: j/ {4 z; b$ [Useful breakpoint to detect it: c& A6 ^3 Z7 a0 C [, E
3 D# A+ ?+ I8 q9 h8 q
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'; g9 \! x% \( [3 l$ u- C- b
* W* U; q! i* S9 h2 h5 q# t
__________________________________________________________________________
& k; P) N" S( P Z+ y* |7 `0 D8 t* v5 t8 q
7 F r5 g: ]5 A1 X5 L- KMethod 14
; w8 T! d4 t, g+ p. g0 ~0 B- b=========
4 ]) K+ }* m" z: s- u
! p; M; ^4 Q; n; }( }5 T: e: f' PA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 N# ?# G7 q, Z' ris to determines whether a debugger is running on your system (ring0 only).- M \. C0 p& I3 ?2 |7 {- C
" K5 u4 {: u4 ~& c) a$ d VMMCall Test_Debug_Installed
- {2 F( `6 @1 | je not_installed7 s- C2 h& h/ _2 z1 P$ q/ a
0 Y! ^) @1 `4 P% a# d- c+ Y' FThis service just checks a flag.
U* R r: \ c# y& V</PRE></TD></TR></TBODY></TABLE> |