<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (like the next one) is used by the majority of
packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: BoundsChecker talks
to SoftICE through INT 3 with EBP = 'BCHK' and a function number in AX. The
check relies on AL still being 4 when nobody answers the INT 3, and on
SoftICE changing AL when it services the request.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute an SIce command - the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks for (the ASCII words 'FG' and
'JM'). For more information, see Ralf Brown's Interrupt List, chapter
INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; back door call (if SIce is not loaded, jumps to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program executes 6 different SIce commands whose strings are at ds:dx,
namely: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an exception handler (the program's
 own INT 3 vector) when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID through
INT 2Fh/AX=1684h (Get VxD API entry point). Windows returns the entry point
in ES:DI, or 0:0 when no VxD with that ID is loaded (or it exports no API),
so a non-zero ES+DI means SoftICE is present:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (the debugger installation check).
There are several variants.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points INT 41h at a dummy IRET
handler, so the call is harmless when nothing else services INT 41h; the
trick relies on SoftICE intercepting the interrupt before the IVT vector is
reached and still answering with 0F386h. The vector lives in the real-mode
IVT, so ES is set to 0 before the swap:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, keep the old offset in DX
 xchg bx, es:[41h*4+2] ; ... and the old segment in BX
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second variant, similar to the preceding one but harder to detect. It reads
an unpredictable byte (the PIT counter, port 40h) into AL, zeroes CX and
issues INT 41h. If the program's own handler ran, CL == AL afterwards; if
SoftICE handled the interrupt itself without passing it on, CL is still 0 and
the mismatch gives it away. (When AL happens to read as 0 the check misses,
so it is not 100% reliable.) The handler installed must be the one that
copies AL, i.e. int41handler below, not the IRET-only handler of Method 05:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


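The checks in Methods 01 to 07 are fixed instruction sequences, so a packed DOS program can be triaged for them statically before any tracing. The following scanner is an added example and not code from the original text or from any tool it names; the byte patterns are the 16-bit real-mode encodings of the instructions quoted above (32-bit code, which carries 66h prefixes, is not covered), and the allowance of up to 8 bytes between instructions as well as the sample buffer are constructed for the demonstration:

```python
"""Static scanner for the INT-based SoftICE checks of Methods 01 to 07.

Added example: not code from the original text.  The byte patterns are the
16-bit real-mode encodings of the instructions quoted in each method; the
gap between instructions and the sample buffer are constructed here.
Usage on a real DOS program:  python sice_scan.py file.exe
"""
import re
import sys

# Up to 8 arbitrary bytes may sit between the instructions of a rule, so a
# sequence with a register move or some junk in between still matches.
GAP = rb".{0,8}?"

RULES = [
    ("Method 01: INT 3 BoundsChecker 'BCHK' check",
     re.compile(rb"\x66\xBD\x4B\x48\x43\x42" + GAP  # mov ebp,4243484Bh
                + rb"\xB8\x04\x00" + GAP            # mov ax,4
                + rb"\xCC", re.DOTALL)),            # int 3
    ("Method 02: INT 3 back door (SI='FG', DI='JM')",
     re.compile(rb"\xBE\x47\x46" + GAP              # mov si,4647h
                + rb"\xBF\x4D\x4A" + GAP            # mov di,4A4Dh
                + rb"\xCC", re.DOTALL)),            # int 3
    ("Method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16" + GAP              # mov ax,1684h
                + rb"\xBB\x02\x02" + GAP            # mov bx,0202h
                + rb"\xCD\x2F", re.DOTALL)),        # int 2Fh
    ("Method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16" + GAP              # mov ax,1684h
                + rb"\xBB\x5F\x7A" + GAP            # mov bx,7A5Fh
                + rb"\xCD\x2F", re.DOTALL)),        # int 2Fh
    ("Method 05: INT 41h/4Fh, magic 0F386h",
     re.compile(rb"\xB8\x4F\x00" + GAP              # mov ax,4Fh
                + rb"\xCD\x41" + GAP                # int 41h
                + rb"\x3D\x86\xF3", re.DOTALL)),    # cmp ax,0F386h
    ("Method 06: IN AL,40h then INT 41h (timer trick)",
     re.compile(rb"\xE4\x40" + GAP                  # in al,40h
                + rb"\xCD\x41", re.DOTALL)),        # int 41h
    ("Method 07: INT 68h/43h, magic 0F386h",
     re.compile(rb"\xB4\x43" + GAP                  # mov ah,43h
                + rb"\xCD\x68" + GAP                # int 68h
                + rb"\x3D\x86\xF3", re.DOTALL)),    # cmp ax,0F386h
]


def scan(data):
    """Return a sorted list of (offset, rule name) for every signature hit."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler around a Method 01 sequence and a Method 05
# sequence that has a 'mov bx,ax' between the INT 41h and the CMP.
SAMPLE = (
    b"\x90" * 5
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 7
    + b"\xB8\x4F\x00\xCD\x41\x8B\xD8\x3D\x86\xF3\x74\x05"
    + b"\xC3"
)


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    hits = scan(data)
    for off, name in hits:
        print(f"{off:08x}  {name}")
    if not hits:
        print("no INT-based SoftICE checks found")


if __name__ == "__main__":
    main(sys.argv)
```

It is only a signature scanner: a program that builds the magic values at run time (a register zeroed and then adjusted, for instance) will not match, and a hit says the sequence is present in the file, not that it is reachable.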
Method 08
=========

Not a SoftICE detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; (01h or 03h)
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (INT 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!


This trick is very efficient:
by reading the debug registers you can tell whether SoftICE is loaded
(DR7 = 0x700 if you started the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only: MOV from a debug register is privileged
and faults in ring 3). The 0x400 comes from DR7 bit 10, which is reserved
and always reads as 1; 0x700 additionally has the LE and GE bits (8 and 9)
set. The values can also be manipulated or changed (clearing BPMs, for
instance).

__________________________________________________________________________
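The two DR7 values above follow from the register's layout, and a ring 0 component that reads DR7 has to decode it to tell a loaded SoftICE from a set BPM. The following decoder is an added example, not code from the original text; the bit positions are those of the Intel SDM and the sample values are constructed, with 0xF0781 standing for the 0x700 state plus one 4-byte read/write breakpoint on DR0 and one execute breakpoint on DR3:

```python
"""Decode an x86 DR7 value the way the Method 10 check interprets it.

Added example, not code from the original text.  Bit layout from the Intel
SDM: bits 0-7 are L0,G0 .. L3,G3 (local/global enables for DR0-DR3), bit 8
is LE, bit 9 is GE, bit 10 is reserved and always reads as 1, and bits 16-31
hold an R/W and a LEN field (2 bits each) per breakpoint.  The sample
values below are constructed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> bytes covered


def decode_dr7(dr7):
    """Return a dict: LE/GE flags, reserved bit 10, and the enabled breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L(i)
        glob = (dr7 >> (2 * i + 1)) & 1       # G(i)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3    # R/W(i)
            ln = (dr7 >> (18 + 4 * i)) & 3    # LEN(i)
            bps.append({"reg": f"DR{i}", "local": bool(local),
                        "global": bool(glob), "type": RW_NAMES[rw],
                        "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "breakpoints": bps,
    }


def looks_debugged(dr7):
    """The Method 10 heuristic: anything set beyond the always-1 reserved bit."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or len(d["breakpoints"]) > 0


# Constructed values:
#   IDLE     0x400   : only the reserved bit, nothing set (no debugger)
#   LOADER   0x700   : the value the text reports after the SoftICE loader
#                      (reserved bit + LE + GE)
#   WITH_BPM 0xF0781 : 0x700 + L0 (bit 0) with R/W0=3, LEN0=3 (4-byte BPM on
#                      DR0) + G3 (bit 7) with R/W3=0, LEN3=0 (execute bp on DR3)
IDLE = 0x400
LOADER = 0x700
WITH_BPM = 0xF0781


def report(dr7):
    """Human-readable one-liner for a DR7 value."""
    d = decode_dr7(dr7)
    parts = [f"DR7={dr7:#x}", f"LE={int(d['le'])}", f"GE={int(d['ge'])}"]
    for b in d["breakpoints"]:
        scope = "global" if b["global"] else "local"
        parts.append(f"{b['reg']}:{scope} {b['type']} len={b['len']}")
    return "  ".join(parts)


if __name__ == "__main__":
    for v in (IDLE, LOADER, WITH_BPM):
        print(report(v), "-> debugger?", looks_debugged(v))
```

The same decoding is what a protection would do before clearing a BPM: it zeroes the L/G pair of the offending breakpoint and its R/W and LEN fields, which is why the warning above says not to trace with breakpoints set while this check runs.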
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. It was however first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID on Win9x, NTICE
on WinNT) with the CreateFileA API. The open only succeeds when the driver
is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word selects the VxD (002Ah = VWIN32),
 ; low word selects the service
 ; (002Ah = VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the #2 and #1 subkey strings):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


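Methods 11 and 13 (and the _lopen variant of Method 11) all depend on fixed strings in the program: the device names and the registry subkeys. Instead of the breakpoints above, a sample can be checked for them statically; a Win32 program may hold them as ANSI for the A functions or as UTF-16LE for the W functions. The following scanner is an added example, not code from the original text; the strings are the ones listed in Methods 11 and 13, and the sample image bytes are constructed:

```python
"""Find the MeltICE device names (Method 11) and the SoftICE registry paths
(Method 13) inside a Win32 image, in both the ANSI and the UTF-16LE forms a
program might embed for the A/W API variants.

Added example, not code from the original text.  The device names and
registry paths are the ones listed in the text; the sample image bytes are
constructed.  Usage on a real file:  python sice_strings.py file.exe
"""
import sys

DEVICE_NAMES = {
    r"\\.\SICE": "Win9x SoftICE VxD",
    r"\\.\SIWVID": "Win9x SoftICE video VxD",
    r"\\.\NTICE": "WinNT SoftICE driver",
}
REGISTRY_PATHS = {
    r"Software\NuMega\SoftICE": "key #2 (install directory)",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE": "key #1",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe": "key #3",
}


def encodings(s):
    """The byte forms an A-API or a W-API caller would embed for string s."""
    return (("ansi", s.encode("ascii")), ("utf16", s.encode("utf-16-le")))


def find_all(data, needle):
    """Every offset of needle in data."""
    offs, start = [], 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return offs
        offs.append(i)
        start = i + 1


def scan(data):
    """Return [(offset, encoding, kind, string, note)] sorted by offset.

    Matching is case-insensitive: Win32 device and registry names are, so a
    check may well spell them in lower case.  Lower-casing the raw bytes also
    works for UTF-16LE because each ASCII code unit is the ASCII byte
    followed by 0x00, which bytes.lower() leaves alone."""
    low = data.lower()
    hits = []
    for table, kind in ((DEVICE_NAMES, "device"), (REGISTRY_PATHS, "registry")):
        for s, note in table.items():
            for enc, raw in encodings(s):
                for off in find_all(low, raw.lower()):
                    hits.append((off, enc, kind, s, note))
    return sorted(hits)


# Constructed sample: an ANSI '\\.\SICE' as in MeltICE, a wide '\\.\NTICE'
# as a CreateFileW caller would have it, and the #2 registry path.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 9
    + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
)


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    hits = scan(data)
    for off, enc, kind, s, note in hits:
        print(f"{off:08x}  {enc:5}  {kind:8}  {s}  ({note})")
    if not hits:
        print("no SoftICE device names or registry paths found")


if __name__ == "__main__":
    main(sys.argv)
```

A device-name hit alone is not proof of a MeltICE check (the string could belong to a legitimate SoftICE front end), so confirm it with the CreateFileA or _regopenkey breakpoints above before patching anything.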
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag (ZF is set when no debugger is installed).
</PRE></TD></TR></TBODY></TABLE>