<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is no longer 4 when SoftICE served the int 3
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point).

        xor di, di
        mov es, di              ; es:di = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (still 0:0 if absent)
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy handler in the vector table
        xchg bx, es:[41h*4+2]   ; (es = 0, as set up in method 06)
        mov ax, 4Fh
        int 41h                 ; SoftICE intercepts int 41h below the vector
        xchg dx, es:[41h*4]     ; table, so ax still comes back as 0F386h
        xchg bx, es:[41h*4+2]   ; restore the original vector
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

A second method similar to the preceding one but harder to detect:

int41handler PROC
        mov cl, al              ; our handler simply echoes al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; PIT count: a hard-to-predict byte
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al: somebody else served int 41h
        jnz SoftICE_Detected

___________________________________________________________________________
Method 07
=========

Detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
Method 08
=========

This is not a detection method for SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0 when the open failed
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but is very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
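The idioms in methods 01, 02, 03/04, 05, 07, 11 and 12 have fixed byte shapes, so an analyst can flag them in a sample before tracing it. The scanner below is an added example, not code from the document above nor from SoftICE, MeltICE or Haspinst.exe; its sample bytes are hand-assembled from the listings above and are constructed, not taken from any real binary.

```python
"""Static triage scanner for the SoftICE-detection idioms documented above."""
import re

# Hand-assembled 16-bit encodings: mov ax,imm16 = B8 iw; mov bx,imm16 = BB iw; mov si,imm16 = BE iw;
# mov di,imm16 = BF iw; mov ah,imm8 = B4 ib; int n = CD ib; int 3 = CC.
# 32-bit: mov ebp,imm32 = BD id; push imm32 = 68 id; push imm8 = 6A ib; 66h = operand-size prefix.
SIGNATURES = {
    # Method 01: ebp='BCHK', ax=4, int 3 (BoundsChecker signature probe).
    "bchk_int3": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,4}?\x66\xb8\x04\x00.{0,4}?\xcc", re.DOTALL),
    # Method 02: SI=4647h 'FG', DI=4A4Dh 'JM', then INT 3; AX=0910h..0914h picks the service.
    "int3_backdoor": re.compile(
        rb"\xb8([\x10-\x14])\x09.{0,8}?\xbe\x47\x46.{0,4}?\xbf\x4d\x4a.{0,4}?\xcc", re.DOTALL),
    # Methods 03/04: int 2Fh/1684h asking for the SICE (0202h) or SIWVID (7A5Fh) entry point.
    "int2f_vxd_entry": re.compile(rb"\xb8\x84\x16.{0,4}?\xbb(\x02\x02|\x5f\x7a).{0,4}?\xcd\x2f", re.DOTALL),
    # Method 05: int 41h function 4Fh (expects the 0F386h magic reply).
    "int41_4f": re.compile(rb"\xb8\x4f\x00.{0,4}?\xcd\x41", re.DOTALL),
    # Method 07: int 68h function 43h in V86 mode.
    "int68_43": re.compile(rb"\xb4\x43.{0,4}?\xcd\x68", re.DOTALL),
    # Method 11 (MeltICE, also the 16-bit _lopen variant): ANSI device names; CreateFileW is not covered.
    "meltice_device_name": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh, push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall.
    "vxdcall_int41_dispatch": re.compile(rb"(\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
}

BACKDOOR_SERVICES = {0x0910: "display string", 0x0911: "execute command",
                     0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                     0x0914: "remove breakpoint"}

def scan(code: bytes) -> list:
    """Return every hit as {'trick', 'offset', 'detail'}, ordered by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(code):
            detail = ""
            if name == "int3_backdoor":
                ax = 0x0900 | m.group(1)[0]
                detail = "AX=%04Xh (%s)" % (ax, BACKDOOR_SERVICES[ax])
            elif name == "int2f_vxd_entry":
                detail = "VxD ID " + ("0202h SICE" if m.group(1) == b"\x02\x02" else "7A5Fh SIWVID")
            elif name == "meltice_device_name":
                detail = m.group(1).decode()
            hits.append({"trick": name, "offset": m.start(), "detail": detail})
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample: the Haspinst.exe listing from method 02, hand-assembled, followed by
# hand-assembled fragments of methods 03, 05, 12 and 11.  Not bytes from any real binary.
SAMPLE = (
    b"\xb8\x11\x09" b"\x8b\x17"                  # mov ax,0911h ; mov dx,[bx]            (offset 0)
    b"\xbe\x47\x46" b"\xbf\x4d\x4a" b"\xcc"      # mov si,4647h ; mov di,4A4Dh ; int 3
    b"\x83\xc3\x02" b"\x41"                      # add bx,2 ; inc cx
    b"\x83\xf9\x06" b"\x72\xeb"                  # cmp cx,6 ; jb 0095
    b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # mov ax,1684h ; mov bx,0202h ; int 2Fh (offset 21)
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # mov ax,4Fh ; int 41h ; cmp ax,0F386h  (offset 29)
    b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"  # push 4Fh ; push 002A002Ah             (offset 37)
    b"\\\\.\\SICE\x00"                           # "\\.\SICE",0                          (offset 47)
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%5d  %-24s %s" % (h["offset"], h["trick"], h["detail"]))
```

The patterns allow only a few bytes of slack between instructions, so a variant that reorders the register loads or pads them with junk still needs a manual look.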