<TABLE width=500>
' A! }6 A/ E) c<TBODY>6 E4 X& {* I& c! q+ A2 j- G
<TR>
6 z3 C7 W0 a) W* r( n3 H<TD><PRE>Method 01 : [$ M7 h1 @, ~% b" w
=========
8 k; c% C0 [2 x
( l" K6 j6 o# [6 J8 j% oThis method of detection of SoftICE (as well as the following one) is: W! m( M- Z1 o* p5 E' c @5 k9 N
used by the majority of packers/encryptors found on Internet.
7 h V* x6 P: ^/ [7 @It seeks the signature of BoundsChecker in SoftICE
% V4 w. @- n; O9 T5 e( |3 U) ]) }0 p$ S4 ~" n K$ `( Q
mov ebp, 04243484Bh ; 'BCHK'0 ~# r! K5 t6 @. v
mov ax, 04h
" b7 _5 B% ~- g2 _! c8 }: | int 3
+ a0 V! s, \. ^% K- `: F2 \ cmp al,4
$ F, g' O1 r1 G; i( i9 o" R1 I u jnz SoftICE_Detected# ^% J$ @1 [' O7 N
. z1 b9 W/ d0 c2 t' k8 N
___________________________________________________________________________+ i/ @5 m# |/ ?6 b$ z; G
4 j( n+ e* r, l' X0 L7 u% O
Method 02
9 M5 b. |+ ^9 q' M' ^. F=========3 P5 s0 W# K( m
1 O% H" A2 U7 S
Still a method very much used (perhaps the most frequent one). It is used
+ |8 q: D9 G: Ito get SoftICE 'Back Door commands' which gives infos on Breakpoints,4 E6 P% l8 n2 I- ]. v4 w+ S' q, @
or execute SoftICE commands...
4 E. U' z% n$ S+ p% EIt is also used to crash SoftICE and to force it to execute any commands# K% y% `$ X7 Y
(HBOOT...) :-((
: x$ ~1 D1 h* s0 S' O1 y
- r5 _4 `% t; y% L! nHere is a quick description:
5 F( U$ c2 _0 q' \7 E-AX = 0910h (Display string in SIce windows)$ t, _6 N6 w/ |! |/ l# s+ ]$ e$ o6 b
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
' B& b$ d' `' U* L. b-AX = 0912h (Get breakpoint infos)6 B- Y3 {# B x, r7 t: h
-AX = 0913h (Set Sice breakpoints)/ l& N0 B. d8 O7 I( ]
-AX = 0914h (Remove SIce breakoints)
; P6 e* f2 \( X& K
' w0 ]$ K+ x4 S8 a! u5 ]Each time you'll meet this trick, you'll see:
" X9 v/ S. [, r# r, @9 |8 }% \-SI = 4647h: p. |2 L, u( x6 X" P
-DI = 4A4Dh/ G( s M( g3 D! x8 f7 `; l' K
Which are the 'magic values' used by SoftIce.1 ~ |0 c9 g; v; f
For more informations, see "Ralf Brown Interrupt list" chapter int 03h. m) L+ J& b% {, m$ B% z! }' _
4 |% f, \" [" X5 w J% X! x2 MHere is one example from the file "Haspinst.exe" which is the dongle HASP% z' ~- ?, z# e
Envelope utility use to protect DOS applications:
4 I2 e% F% A- C2 Q+ O- n8 N" w9 n. N0 {5 X2 ?
D) ]8 W. i6 ^5 ?/ n
4C19:0095 MOV AX,0911 ; execute command.
. h; \: @( {8 h C9 p9 j9 A8 D4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).' e$ I5 X6 Y( C$ |
4C19:009A MOV SI,4647 ; 1st magic value.
9 ?4 L& Z# o2 G4 ^ c4C19:009D MOV DI,4A4D ; 2nd magic value.
+ h% P9 \$ _. F9 u. u# g4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)5 j' x- A' V$ C: F( Q1 m( Q* X" A9 b
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
, E0 a, f9 O Y- C h9 I4C19:00A4 INC CX
9 H& k* c5 q+ J' `& G! }4 O4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
5 d1 {% d$ t, b" g4C19:00A8 JB 0095 ; 6 different commands.& q/ [2 C/ y) j* A3 v# f
4C19:00AA JMP 0002 ; Bad_Guy jmp back.) @4 C3 L, c$ L
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
2 u3 T% Z1 }! B5 b9 I0 f9 T% P& w% o# B, O8 @
The program will execute 6 different SIce commands located at ds:dx, which
/ E/ ^& u8 l! Q9 yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
, `: j( m# s: ~+ b5 s% ?. ~
+ j& T6 Z4 e* G T& O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.+ K+ p, r, p+ q; G
___________________________________________________________________________' T' Z! `: O, E# i' B
# S3 {3 n# H7 n& ]# i
( g$ U, I/ L- r- n- O/ e+ lMethod 03, |0 Y) e% u+ |- x6 z: F: |
=========
5 \$ ~% T; D$ h. {) _
) k" s" }9 j$ ~( f$ X. Q uLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h ~# {; H7 O' r6 U
(API Get entry point)- M7 h) I% E2 J" m& [
" d& I3 Y! u8 ~9 Q
' |: H4 f6 D3 q; F% X1 B7 v$ ^6 V xor di,di6 I. e9 c7 l" S0 P" Q
mov es,di; [1 Y+ X- V' `8 \
mov ax, 1684h
3 O. |) Q1 h. Y: F# I8 C. ?/ o$ R. } mov bx, 0202h ; VxD ID of winice7 r: k" {& E" F
int 2Fh
% B! S% `) r+ P- k% t/ l- q4 A mov ax, es ; ES:DI -> VxD API entry point
4 ^1 u! X: E4 I* J- t add ax, di
) v, G o T) J2 F7 _ test ax,ax8 {8 ]5 h9 |( _- t2 J+ ~
jnz SoftICE_Detected
; d& [' b8 N' l }
0 k. Y3 Z: Z. `5 u& i___________________________________________________________________________
8 Y" C. K- T1 A$ Z1 t6 O4 K
0 [+ w5 L0 u; g! RMethod 04 P4 v# N, q- n
=========
# b$ i A7 J" _, r3 Z/ t$ s& r
% A& E3 H+ d; @% L% `) V* R# WMethod identical to the preceding one except that it seeks the ID of SoftICE3 R; H# e/ ~* k) g. ]8 C
GFX VxD." l" {) o% M( H' h
9 A+ x9 p8 i* ?6 F0 s& m xor di,di, t7 A- f. [! S2 G- F0 O
mov es,di
0 g) q l. i" L8 P; h mov ax, 1684h
* p* j, W# _, C8 C' w3 w. \ mov bx, 7a5Fh ; VxD ID of SIWVID
" E' u( B( X0 a& b/ g int 2fh$ p. {1 y# c5 T* U
mov ax, es ; ES:DI -> VxD API entry point( y* M9 S0 j2 k$ E
add ax, di- M. M* N j5 u
test ax,ax
/ d1 m) R3 L9 Y6 T4 J( u" W jnz SoftICE_Detected* \. [3 n: D$ Z' }& H* t
' u8 E; \' U5 L: Z9 t) R {__________________________________________________________________________" O5 `6 ]* k) b5 P9 ~7 ^
2 _. b) M, R$ _" W* e
8 a1 x- r6 ?$ |- x! jMethod 05
1 u+ z/ c# c8 q/ D=========
' H$ ~1 P0 S& j. ^( l0 K/ Q
( U; q; I/ d% z+ E' O9 ?7 v2 _Method seeking the 'magic number' 0F386h returned (in ax) by all system
( D. O R0 d6 E# N( R8 P. cdebugger. It calls the int 41h, function 4Fh.7 C- Q% V( x! ?) R% g
There are several alternatives.
, |+ y' T+ Z) q6 h" U
# }6 C1 C, J$ c% e% J% xThe following one is the simplest:% Q8 G8 U, t8 {9 D( {9 A( ?* ^
- Y, u4 N/ q" ^( d mov ax,4fh5 u# _' @& l# v
int 41h
8 P4 e" }6 ~* i8 e# [; k& ] t cmp ax, 0F386+ c/ g" G/ l i1 B; L
jz SoftICE_detected2 F( M6 |& E* O' P. k$ D9 S
8 d1 O1 d3 B" e8 `$ E2 I4 c% w1 b0 C# x# R$ n+ }
Next method as well as the following one are 2 examples from Stone's
, t% O' ^) Y7 M- c"stn-wid.zip" (www.cracking.net):5 A" [, k& b; ], K8 F! I
" S/ P9 r4 [$ ^5 D5 O' ? mov bx, cs
5 q3 Q B1 c1 J) y1 j0 x, ` lea dx, int41handler2
2 l t5 x6 V" |4 }) i7 }" m/ | xchg dx, es:[41h*4]
' f+ z! i6 L( _, |' d7 S- A xchg bx, es:[41h*4+2]8 ]0 |0 ~. B5 c+ g
mov ax,4fh% `- M6 G; q, a' M
int 41h
2 [- x8 q' g# a* Z$ a5 j xchg dx, es:[41h*4]7 j! }% d$ S% `5 y+ a& `
xchg bx, es:[41h*4+2]
1 S( m; y, V; N" v: a cmp ax, 0f386h5 m" ?1 i1 d" f# p1 W, `
jz SoftICE_detected
6 `& k3 i; T# G1 X \* M/ x0 a9 o1 d4 `" |; Q& W4 i
int41handler2 PROC8 i4 z# p" W: T$ |
iret
1 ^" ~: x; L# D& _0 {- o: Xint41handler2 ENDP
. \- Q+ ]! s v- d
8 B i7 j$ C( J3 \
" V9 B, r/ S9 j" C_________________________________________________________________________
7 `7 C$ ?: b# l+ \7 d
8 A. \4 o7 {4 }- W- J- J# r- h* ?5 q8 G- N( [- D
Method 06+ p- d% t$ v6 s1 i4 F0 L
=========: o) A+ p/ f6 i) y6 b
) S" t6 d% G! h7 Z
6 P+ n6 w5 }* T0 ?; @% o
2nd method similar to the preceding one but more difficult to detect:1 e! E$ a9 e" f z, I0 s' \: O
1 g3 `2 n+ |$ K' f: x
) k- b( F. y4 f) v% u$ E8 Nint41handler PROC
5 D' b2 s1 ~- n8 u+ E, z } mov cl,al0 G `* k2 W4 @' C) ]/ X! `" I3 \
iret& c* E4 J' _- u4 Q
int41handler ENDP
/ Y5 u) S, ~& Z% _2 Z, e; U }! a1 a0 J
' I& B% |, H- m/ A" r
xor ax,ax; ^9 e2 a' D! {7 w4 `2 B4 u
mov es,ax. ^' O) H$ h4 }! o
mov bx, cs
& Y7 @% s3 Z& N: X( U% c lea dx, int41handler
% U7 e7 c' d7 x( I3 T xchg dx, es:[41h*4]: z2 u4 T! w+ u- V" I
xchg bx, es:[41h*4+2]; a1 t; v7 g2 }" S- @6 V" A
in al, 40h
$ L# L9 d/ @( b. ]; F xor cx,cx
4 i0 h4 [8 }9 q( x7 v$ `: w int 41h: Q2 W+ l: z- L% y1 f
xchg dx, es:[41h*4]: O6 @, b$ \3 |5 x5 ^
xchg bx, es:[41h*4+2]% t) ~; {- T0 i. G F" E9 j9 }( G2 |( m
cmp cl,al. o7 k& {& ^( V8 M- R) j
jnz SoftICE_detected
# b7 ~' u2 A+ x# q ^# c% O# D$ p; i* P& y* Q2 d% ]. |" G
_________________________________________________________________________& @. P9 s7 F, P! m# k
) K% C) m, o0 }7 V1 I
Method 07 Q% q, L7 N7 f. O/ p* {$ J5 V
=========
. T7 a' G6 r/ K! j. }% [, P0 w/ k8 N4 e- ~& a) [% Z
Method of detection of the WinICE handler in the int68h (V86)
0 f' o& v2 g, E# B! {: c7 F8 P4 m7 R; M; v c. l) V, D* ^3 O
mov ah,43h
* I. a: A9 G4 `7 D int 68h% J. [2 n0 B0 U U. C6 D& T4 ~9 s, y
cmp ax,0F386h: i+ ]2 _8 @+ p6 O: v
jz SoftICE_Detected6 }% i2 a4 V4 j$ E- {
! Y& L6 \& P" P3 m. C, ?) `5 j9 }3 P' I* l3 Q
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 ^) W# Z& k. h( O; p( w: Z
app like this:
( h u2 U- R" _% W; Z4 a0 ^* h, M. ]! y( C6 w# U! N# t% R
BPX exec_int if ax==68
/ c6 d' O- v8 ^# }, A& x8 P (function called is located at byte ptr [ebp+1Dh] and client eip is, O9 f G# N: B/ c' |
located at [ebp+48h] for 32Bit apps)+ ~) K1 a% E/ E' @3 E' j
__________________________________________________________________________6 j5 C/ N: ^& g0 k3 L: I8 E X
; ^1 \: B, J! D9 J$ L' V2 _) a2 x: k' x5 t+ f5 e e
Method 08$ M w* {9 h/ F& v* r2 }
=========9 ^7 M" W5 S2 T
' }/ V7 ~8 B# U L0 d9 M5 d
It is not a method of detection of SoftICE but a possibility to crash the
# e% o8 e! N/ o2 j6 E2 {" Ysystem by intercepting int 01h and int 03h and redirecting them to another2 E* c( b7 t# |0 f0 {6 l
routine.
; H" q; \% _* o7 _It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
+ G" _) M. C3 z% d: y- W5 \& `to the new routine to execute (hangs computer...)3 X* `8 C6 Q9 h( c' x7 U3 Z5 G
+ B! C4 G W$ z) q% {# X( ^7 B5 C! i8 W mov ah, 25h6 U- G6 S( r) m3 \+ D" ^
mov al, Int_Number (01h or 03h)8 x: D; D; a1 q; e- X; I
mov dx, offset New_Int_Routine
) p0 ] m/ Q- ^1 r1 d" H int 21h
7 |" D: B- s! p9 g* h2 I4 }! @3 ]5 Q9 q/ a! Z4 J
__________________________________________________________________________3 ]% O6 L. Y; [5 `+ o3 c4 q H3 {
$ t3 G, i3 x! J/ ~( a
Method 09* f) T2 G- W' b* g8 c
=========
2 |. ~7 t0 [. U. N9 N4 v: d) L+ O8 ?2 d/ c
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only J( R1 n M1 f2 B6 c/ Q
performed in ring0 (VxD or a ring3 app using the VxdCall).- f" ?3 e5 a1 x+ s8 y0 N' V3 z
The Get_DDB service is used to determine whether or not a VxD is installed, c; B1 {5 Z3 R8 m& V
for the specified device and returns a Device Description Block (in ecx) for& @( a) V ^' l9 b
that device if it is installed.
: k+ R* K% B: \. n4 _4 `. G
/ ~( g- b) ^: K, j- S: A mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID! c" ~0 R! t8 O% L
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
& y; M3 [- ^. @! Y' K+ i# R( T8 E- h& S VMMCall Get_DDB
% `- B; K8 F2 h3 P5 j9 c( } y- r. ?3 Q mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed J' X8 ~% j) m4 g$ P* X
& j8 |# A1 X8 mNote as well that you can easily detect this method with SoftICE:
' `8 \4 u: z6 G9 U6 H bpx Get_DDB if ax==0202 || ax==7a5fh$ _4 }2 V& {+ ]
! j: } {6 a! n9 h. S. [' L__________________________________________________________________________
9 n3 s; B; ~( b2 g8 W& i+ \3 P% j, p& Z+ M6 a" j: ~
Method 108 ]: \$ t( J2 y$ u' Y+ A
=========
5 l5 ?9 p/ e; u3 _! W& e
) `3 r0 W: b; F% W B+ _: o=>Disable or clear breakpoints before using this feature. DO NOT trace with6 c2 d: T9 d1 B$ R
SoftICE while the option is enable!!
! \- f) |6 {3 W0 Z; A: k- X
9 P# E8 X; \" H! j, s9 J5 m" uThis trick is very efficient:3 t. S F* A1 |2 ]9 c( e
by checking the Debug Registers, you can detect if SoftICE is loaded
+ c. S7 J3 B! P1 U1 U+ F0 D. f(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if1 Z5 D8 N! v1 l8 X
there are some memory breakpoints set (dr0 to dr3) simply by reading their4 R9 x( h' I4 @. N
value (in ring0 only). Values can be manipulated and or changed as well
/ t' y6 n/ g/ Q$ d. a* _# F! M9 I(clearing BPMs for instance)
Z3 I* A2 H5 U5 o- J
, T- [, c/ B! z2 Y. Z8 _. @9 }__________________________________________________________________________: @% K o1 f+ f( X) p1 Z2 @
" R& a8 T- U5 K2 v) B: `& iMethod 11
; |5 V& G# [3 f4 F' r8 O, D- g! H=========4 @& x; V6 `. X
/ r" J- a( p" Z8 `& n' ~# I1 U
This method is most known as 'MeltICE' because it has been freely distributed
# m" R+ ]; R1 O' {via www.winfiles.com. However it was first used by NuMega people to allow7 L( B6 [0 Y' S" E3 q
Symbol Loader to check if SoftICE was active or not (the code is located
7 b! d9 ^0 h7 W/ p5 _3 \inside nmtrans.dll).
, E) t$ m: a% s! S7 c/ H
2 H- T8 D7 d/ O% l( o5 V1 S8 D- OThe way it works is very simple:9 d6 m4 G0 V( }5 s$ y/ v
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
; [( Q% c s2 a- n: Q0 ?; xWinNT) with the CreateFileA API.
+ C$ g3 {7 i! d5 [9 Q- C4 _( }8 V
4 z3 S! Q# h6 }) jHere is a sample (checking for 'SICE'):! k' o8 P( U/ k' w( j% |5 l8 [
; O* F2 w9 N _6 I) D( Y
BOOL IsSoftIce95Loaded()
: ~: R2 J, O* I{* [+ x7 U3 w% K; R
HANDLE hFile; 1 d. p n4 _- n7 B4 J% k
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; I4 C: a# @$ Z# O/ w FILE_SHARE_READ | FILE_SHARE_WRITE,% |) F, h9 z; A* O1 _& n
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 V$ h/ \& p0 J7 S7 e' E# n" Y* F
if( hFile != INVALID_HANDLE_VALUE )
9 k! d' m$ |% s k; a0 { {
3 u8 K4 C3 U; Q W CloseHandle(hFile);
# N' Y2 X9 k: J3 M% k return TRUE;9 G# ~8 f* H* j( N2 r
}
- F1 {" t2 U6 x8 [& o( {3 l return FALSE;
$ h3 e5 l1 u; J}
2 F8 _# m) [. f+ C& Z" Q7 c. a; ^( N$ C# I
Although this trick calls the CreateFileA function, don't even expect to be" l! }1 x# A( `8 X: Q; _
able to intercept it by installing a IFS hook: it will not work, no way!
* Q+ R* |+ U. i# }7 i2 { VIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
?# _6 S q; Pservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)% h' E9 e4 b( u
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
) l' H9 N# o0 N [field.
6 s1 h8 U4 R8 _) }1 G( ~In fact, its purpose is not to load/unload VxDs but only to send a
6 v4 T: T( T' NW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
6 Q9 T# R! s2 W9 \5 d8 B# P4 _to the VxD Control_Dispatch proc (how the hell a shareware soft could try5 U! R2 F; W. Q+ ?% O, s3 Q
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
% O, |, D3 p' r- N. IIf the VxD is loaded, it will always clear eax and the Carry flag to allow3 a. q; a l+ O+ C: X3 Q
its handle to be opened and then, will be detected.) b5 S8 B# x; g9 [- A- Z3 n, l
You can check that simply by hooking Winice.exe control proc entry point
' F4 Q: F9 N) l. A* d/ ewhile running MeltICE.
# H+ `* |7 q/ W
! s& Y. I, V& f, X# H; c/ P
! M5 I5 s: c/ l 00401067: push 00402025 ; \\.\SICE9 u: `- x. L7 E
0040106C: call CreateFileA" S7 Y! d @# }) H+ I
00401071: cmp eax,-0014 E# p" B m6 X0 p6 V3 Y6 A# ~* g2 a
00401074: je 00401091, j0 Q; P) f& A
4 x L& D& I* _. r1 {5 C8 B# _/ ~2 b* ?0 ]. ~
There could be hundreds of BPX you could use to detect this trick.3 g0 M) |! ]/ g6 ^! w O) C
-The most classical one is:6 V2 O( s9 O, k
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||. h! J8 s% @, w8 c' {* U
*(esp->4+4)=='NTIC'' |7 M& b" O, h4 { @
4 F1 N, D: X) [+ M
-The most exotic ones (could be very slooooow :-(/ u2 ]# m3 A2 w9 Q4 C( i
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') $ L) v" o" n n0 r
;will break 3 times :-(
1 J1 U6 h0 F8 x6 R" w! N
) z' u% D% x$ q3 o) i" p B# Y-or (a bit) faster:
4 P' @+ w1 _" Q% b% e BPINT 30 if (*edi=='SICE' || *edi=='SIWV')& U" P/ k/ |% ?7 {
4 [: _8 K: H1 C( ^$ C
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 5 W @+ o' y4 Y5 ?, O' d
;will break 3 times :-(' d/ X1 e6 P% O. f
1 u2 N, o% x4 r$ e" W
-Much faster:
: U: G* R0 \+ l0 I. X" p- {. Y BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
2 y3 N7 g( N- h+ x( l4 c
" R" O6 u8 f0 I2 T J wNote also that some programs (like AZPR3.00) use de old 16-bit _lopen7 C, p5 _, r$ g, U* c9 m' ^
function to do the same job:
: N% B) i2 x& s/ l+ P8 z% [( y; u, y. D4 O
push 00 ; OF_READ* }, B/ j% b% @! W1 @+ s6 Y
mov eax,[00656634] ; '\\.\SICE',0* M" Q5 I G2 u# ]
push eax/ l0 ]) j, {( e# h
call KERNEL32!_lopen
; |8 H6 p' i' V6 x2 L inc eax3 M) A! O+ J( T% \6 B# n
jnz 00650589 ; detected
- j# L$ v9 [/ Q5 h1 u0 t' U* X push 00 ; OF_READ
1 k1 K i/ ?$ [' n8 P mov eax,[00656638] ; '\\.\SICE'
! W- k7 }. e4 c( j t. D+ M% u push eax" d& l9 q8 N0 R$ x, {& Q! M2 f8 @
call KERNEL32!_lopen
* C7 s- k4 [! _! a6 {/ l inc eax: @: A/ h" d% P) _* J8 y$ Z
jz 006505ae ; not detected6 N( B) [+ A3 M6 X; K' v7 k
5 ?( @# w: v7 m: s
5 X( k$ E. |% q/ t__________________________________________________________________________
' z0 t# J/ c9 G) S5 Q2 n, E+ a3 K
Method 128 Z4 Q* o9 B6 g( X8 `
=========
0 f: Q* x0 ]0 M- c- s* I: c
& f) k! a" J5 t3 O- j9 OThis trick is similar to int41h/4fh Debugger installation check (code 05 X# [! Q0 h% [$ N' a# k0 L+ X% T
& 06) but very limited because it's only available for Win95/98 (not NT)4 K/ {5 ?! }( ]0 h$ `9 C
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. I5 Q ^7 d6 Q. r1 n) X0 `5 o5 y8 ]% \0 H7 w; w0 ~
push 0000004fh ; function 4fh- |! t3 l! h6 g0 [0 H' {) `# ]
push 002a002ah ; high word specifies which VxD (VWIN32)
9 ^3 t% h/ f4 y ; low word specifies which service- [7 ^! m8 d1 L+ A- z1 h5 y) E. C
(VWIN32_Int41Dispatch)
% B: a b4 r/ `6 u, P( K2 [ call Kernel32!ORD_001 ; VxdCall, U2 A6 w: P3 o
cmp ax, 0f386h ; magic number returned by system debuggers
5 h+ p! [( T1 S0 h: Q+ F$ Y jz SoftICE_detected" x+ Y: k# A7 v, z
1 V# m+ U$ t* I9 nHere again, several ways to detect it:
; m y8 P; {0 S/ n( I
8 ]2 G0 A! K1 w H4 }. o BPINT 41 if ax==4f
! `$ j; a! ]9 s- x& u9 W+ y
' _( }- h# _+ B2 |3 | BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one; w9 B7 ]% v& L5 t
4 Y A" O: ~9 `- p9 ~3 S' M BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A* V4 n) `: ~9 q
; R0 L7 B1 W: j1 z* U BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!7 q/ W( O# l7 t: n% S f
. o, V% _! d7 @" y; h/ s9 o; |! x
__________________________________________________________________________
. S3 `" u7 F B9 j1 |
9 p( M* ]0 c6 l3 ]7 X8 T9 E \! lMethod 131 I% d( s6 X/ n. C" Z9 R7 Q
=========/ \, L" {5 |6 X. A3 E
* T. U2 V$ e, F. M) i* M3 G
Not a real method of detection, but a good way to know if SoftICE is2 B6 B$ {( Z7 X
installed on a computer and to locate its installation directory.) u3 E7 c4 o8 f# Y8 c/ [7 a
It is used by few softs which access the following registry keys (usually #2) :" g9 W" C1 Z1 c" m
' H- z- S$ k$ s9 l) o8 S
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 U* A Q! ]! g8 T
\Uninstall\SoftICE
6 y0 U% q" O/ n. P" C-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 H$ ?) V5 \# e; M
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ }0 G* {6 _% e7 Z" L8 c/ ^
\App Paths\Loader32.Exe
2 D8 X/ u; |" Y$ Y
: N7 G0 i2 F/ x; Z$ r+ |; B! i: G! X: ]; H. F* V
Note that some nasty apps could then erase all files from SoftICE directory
3 }6 Q: r+ e$ E(I faced that once :-(* l+ a/ o6 B% ], V
9 P, W3 U- W: V) W0 y/ T& |Useful breakpoint to detect it:2 }7 h4 p" f$ S: ^+ ~7 C0 v; d- n
; y7 W9 Y& f5 w, Q* L/ n( d- m
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'+ O W2 v M6 m$ F5 r" [: |9 ~
/ }/ n5 }3 H% Q
__________________________________________________________________________
U" U( j* i+ A# i- l
& p1 T- f& x3 ]0 Z
$ I$ J' \! R- sMethod 14 & |$ L4 M; E3 r" k
=========& l. ?) @% J4 X$ z
* _/ ~0 U i E ~; z3 Y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% t2 \' O B* H/ s$ G/ }6 K" G$ S( kis to determines whether a debugger is running on your system (ring0 only).
! H% m8 I! X- `& y" _0 g* [+ e3 Z- W0 u9 ^2 h3 \% g3 a
VMMCall Test_Debug_Installed2 M/ S% W# _1 M* ^
je not_installed1 s% J6 A* Z9 M' W
8 i0 F7 K- U: x; d6 P# w G# B
This service just checks a flag.
( v* ^6 ~3 \4 }+ r6 h @! e</PRE></TD></TR></TBODY></TABLE> |