<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the
program issues an INT 3 with the 'BCHK' signature in EBP and
function 04h in AX. If SoftICE is resident it services the INT 3
and AL comes back changed; without SoftICE the INT 3 returns with
AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the back door functions:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE expects before it honours the
INT 3 back door.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the
machine, so never single-step past 00A0 with SoftICE loaded).

* the "jmp to 00AD" is performed through an exception handler installed
by the program, which gets control when no debugger services the INT 3.
___________________________________________________________________________

Method 03
=========

A less common method. It looks for the SoftICE VxD ID through
INT 2Fh, function 1684h (Get Device API Entry Point): the call
returns the VxD's API entry point in ES:DI, or leaves ES:DI = 0:0 if
no VxD with that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers when INT 41h, function 4Fh, is called. There are
several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one swaps its own
do-nothing INT 41h handler into the interrupt vector table around the
call: the answer can then only come from something that intercepts
INT 41h before the vector table is consulted, which is what SoftICE
does, while without a debugger the IRET handler runs and AX is left
unchanged. ES must point at segment 0 (the vector table) before the
xchg instructions, as set up explicitly in Method 06.

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes es = 0
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to spot, since it
never uses function 4Fh nor compares against 0F386h. The program
installs its own INT 41h handler, which copies AL into CL; it loads AL
with a pseudo-random byte read from the timer port 40h and clears CX
before calling INT 41h. If the program's handler ran, CL equals AL
afterwards; if a debugger intercepted INT 41h instead, CL is still 0
and the mismatch reveals it. (Caveat: when the byte read from port 40h
happens to be 0, the check silently passes.)

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 078 P/ h% }, k8 N& \" k, F7 X
=========- m) V) n8 F6 S) _8 P) t' c
" B9 q0 i4 M* `; N# }# dMethod of detection of the WinICE handler in the int68h (V86)0 I: v. Z* G# S9 L% y! X! [
$ X8 X; @* h8 }* L1 U" [
mov ah,43h% q, {6 v$ P. e3 ]
int 68h% @7 {* m% u, G* Q& M% _5 P% ?
cmp ax,0F386h
+ r0 U' A0 b% g H1 F jz SoftICE_Detected, p5 q1 u5 e: S& S+ v
& e4 R; n2 K( e* a
5 B: A3 o! @; o3 A$ o
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
' w' E$ T9 F$ I" V' {# ^ app like this:
. [% v; M9 n* X+ E% g7 H
, [) g% G: ^9 l- K$ a BPX exec_int if ax==685 M3 }; W6 Y# ], b7 Z
(function called is located at byte ptr [ebp+1Dh] and client eip is
/ J) p, R5 m0 c! a' z( s located at [ebp+48h] for 32Bit apps)
7 ]0 k8 p0 f- W! M3 w__________________________________________________________________________
- e6 j8 l: l, c. V: @ B" \" T4 D, j. w) B9 Z( f
' }; c4 W0 g6 a5 h
Method 08
=========

This is not a detection of SoftICE but a way to crash the system by
intercepting INT 01h (the single-step/debug exception) and INT 03h (the
breakpoint instruction) and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector);
DS:DX points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device; it returns the Device Description
Block (in ECX) for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the soft
with the SoftICE loader, 0x400 otherwise) or whether some memory
breakpoints are set (DR0 to DR3), simply by reading their value (in
ring 0 only; a MOV from a debug register in ring 3 raises a general
protection fault). The values can be manipulated or changed as well
(clearing BPMs, for instance).
In DR7, bit 10 is reserved and always reads as 1, which is where the
0x400 comes from; 0x700 additionally has bits 8 and 9 (LE and GE, the
'exact breakpoint' enables) set. Bits 0-7 are the local/global enable
bits of DR0-DR3, and bits 16-31 hold each breakpoint's type and length.

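A decoder for the DR7 values discussed above, added here as an example; it is not code from the original page. It works on a DR7 value you have already captured (reading the register itself needs ring 0, e.g. from a VxD), decodes it according to the DR7 bit layout, and shows what the 'clearing BPMs' manipulation amounts to. The sample values 0x400, 0x700 and 0x4F0401 are constructed for the demonstration; the last one is a 4-byte read/write BPM armed in DR0 on top of the idle 0x400.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (x86 debug control register layout). */
struct dr7_view {
    int local_enable[4];   /* L0..L3 : bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3 : bits 1,3,5,7 */
    int le, ge;            /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;                /* bit 13: general detect, traps any access to DR0-DR7 */
    int rw[4];             /* R/Wn : 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];            /* LENn : 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
    int armed;             /* how many of DR0..DR3 have a local or global enable bit */
};

/* Type and length fields of breakpoint n (n = 0..3) as encoded in DR7. */
int dr7_bp_rw(uint32_t dr7, int n)  { return (dr7 >> (16 + 4 * n)) & 3; }
int dr7_bp_len(uint32_t dr7, int n) { return (dr7 >> (18 + 4 * n)) & 3; }

struct dr7_view dr7_decode(uint32_t dr7)
{
    struct dr7_view v = {0};
    for (int i = 0; i < 4; i++) {
        v.local_enable[i]  = (dr7 >> (2 * i))     & 1;
        v.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        v.rw[i]            = dr7_bp_rw(dr7, i);
        v.len[i]           = dr7_bp_len(dr7, i);
        if (v.local_enable[i] || v.global_enable[i])
            v.armed++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* The Method 10 verdict: bit 10 (0x400) is reserved and always reads as 1, so a
 * bare 0x400 is the idle state; LE/GE (0x700) or any armed DRn points at a
 * debugger. */
int dr7_suspicious(uint32_t dr7)
{
    struct dr7_view v = dr7_decode(dr7);
    return v.armed > 0 || v.le || v.ge || v.gd;
}

/* What "clearing BPMs" amounts to: drop the enable bits (0-7) and the
 * type/length fields (16-31), keep bits 8-15 as they are. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

static void dr7_print(uint32_t dr7)
{
    static const char *rw_name[]   = { "exec", "write", "io", "rw" };
    static const int   len_bytes[] = { 1, 2, 8, 4 };
    struct dr7_view v = dr7_decode(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d -> %s\n", (unsigned)dr7,
           v.le, v.ge, v.gd, v.armed, dr7_suspicious(dr7) ? "suspicious" : "clean");
    for (int i = 0; i < 4; i++)
        if (v.local_enable[i] || v.global_enable[i])
            printf("  DR%d: %s%s %s, %d byte(s)\n", i,
                   v.local_enable[i] ? "L" : "", v.global_enable[i] ? "G" : "",
                   rw_name[v.rw[i]], len_bytes[v.len[i]]);
}

int main(void)
{
    /* Sample values, constructed for this example: the two states the text
     * describes, plus one with a 4-byte read/write BPM armed in DR0. */
    dr7_print(0x00000400u);
    dr7_print(0x00000700u);
    dr7_print(0x004F0401u);
    printf("after clearing BPMs: %08x\n", (unsigned)dr7_clear_bpm(0x004F0401u));
    return 0;
}
```

Note that dr7_clear_bpm deliberately keeps LE/GE, so a 0x700 stays 0x700: removing the breakpoints does not remove the evidence that the loader set them up.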
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
to let Symbol Loader check whether SoftICE was active or not (the code
is located inside nmtrans.dll).
The way it works is very simple: it tries to open handles to the
SoftICE drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the
CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could
a shareware soft load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to
allow its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025       ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the first argument, lpFileName; the +4 skips the "\\.\"
 prefix so that the 4-byte compare lands on the device name.)

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                       ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                       ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in
"Software\NuMega\SoftICE" and 0x37 its offset in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", so the
two compares match keys #2 and #1 respectively. Key #3 is not covered.)

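Several of the checks above leave byte-level fingerprints that can be found statically in a file image: Method 01's 'BCHK' immediate, Method 02's SI/DI magic values, the INT 41h/4Fh and INT 68h/43h sequences of Methods 05 and 07, the device names of Method 11 and the registry key of Method 13. The scanner below is an added example, not code from the original page nor from any of the programs it names; the opcode bytes are the encodings of the instruction forms shown in the listings above (32-bit mov ebp,imm32; 16-bit mov reg,imm16 and int imm8), and the sample buffer with its offsets is constructed here for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One byte-level fingerprint of a check described on this page. */
struct sice_sig {
    const char *what;           /* which method the bytes belong to */
    const unsigned char *pat;   /* raw bytes to look for */
    size_t len;
};

/* Method 01: "mov ebp, 4243484Bh" ('BCHK') = BD + imm32, little-endian. */
static const unsigned char SIG_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: 16-bit "mov si, 4647h" / "mov di, 4A4Dh" ('FG' / 'JM'). */
static const unsigned char SIG_SI_FG[]  = { 0xBE, 0x47, 0x46 };
static const unsigned char SIG_DI_JM[]  = { 0xBF, 0x4D, 0x4A };
/* Method 05: "mov ax, 4Fh" followed by "int 41h" (B8 imm16, CD imm8). */
static const unsigned char SIG_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: "mov ah, 43h" followed by "int 68h". */
static const unsigned char SIG_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 11: device names handed to CreateFileA / _lopen (matched without the NUL). */
static const unsigned char SIG_SICE[]   = "\\\\.\\SICE";
static const unsigned char SIG_SIWVID[] = "\\\\.\\SIWVID";
static const unsigned char SIG_NTICE[]  = "\\\\.\\NTICE";
/* Method 13: registry key #2. */
static const unsigned char SIG_REGKEY[] = "Software\\NuMega\\SoftICE";

static const struct sice_sig SIGS[] = {
    { "01: mov ebp,'BCHK' (INT 3 BoundsChecker back door)", SIG_BCHK,   sizeof SIG_BCHK },
    { "02: mov si,4647h (INT 3 back door magic)",          SIG_SI_FG,  sizeof SIG_SI_FG },
    { "02: mov di,4A4Dh (INT 3 back door magic)",          SIG_DI_JM,  sizeof SIG_DI_JM },
    { "05: mov ax,4Fh / int 41h",                          SIG_INT41,  sizeof SIG_INT41 },
    { "07: mov ah,43h / int 68h",                          SIG_INT68,  sizeof SIG_INT68 },
    { "11: device name \\\\.\\SICE",                       SIG_SICE,   sizeof SIG_SICE - 1 },
    { "11: device name \\\\.\\SIWVID",                     SIG_SIWVID, sizeof SIG_SIWVID - 1 },
    { "11: device name \\\\.\\NTICE",                      SIG_NTICE,  sizeof SIG_NTICE - 1 },
    { "13: registry key Software\\NuMega\\SoftICE",        SIG_REGKEY, sizeof SIG_REGKEY - 1 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

struct sice_hit { const char *what; size_t offset; };

/* Scan buf[0..len) for every signature. Stores up to max hits (ordered by
 * signature, then by offset) and returns how many were stored. */
size_t sice_scan(const unsigned char *buf, size_t len, struct sice_hit *hits, size_t max)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const struct sice_sig *sg = &SIGS[s];
        if (sg->len > len) continue;
        for (size_t i = 0; i + sg->len <= len && n < max; i++) {
            if (memcmp(buf + i, sg->pat, sg->len) == 0) {
                hits[n].what = sg->what;
                hits[n].offset = i;
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample "file image": NOP filler with fingerprints planted at
 * offsets invented for this example. Returns the buffer length. */
#define SAMPLE_LEN 256
size_t build_sample(unsigned char *out)
{
    memset(out, 0x90, SAMPLE_LEN);
    memcpy(out + 0x10, SIG_BCHK,   sizeof SIG_BCHK);
    memcpy(out + 0x40, SIG_SI_FG,  sizeof SIG_SI_FG);
    memcpy(out + 0x43, SIG_DI_JM,  sizeof SIG_DI_JM);
    memcpy(out + 0x60, SIG_INT41,  sizeof SIG_INT41);
    memcpy(out + 0x80, SIG_SICE,   sizeof SIG_SICE);     /* NUL-terminated, as in .data */
    memcpy(out + 0xC0, SIG_REGKEY, sizeof SIG_REGKEY);
    return SAMPLE_LEN;
}

int main(void)
{
    unsigned char buf[SAMPLE_LEN];
    struct sice_hit hits[16];
    size_t len = build_sample(buf);
    size_t n = sice_scan(buf, len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%04zx: method %s\n", hits[i].offset, hits[i].what);
    return 0;
}
```

The SI/DI patterns also match inside 32-bit code (where the assembler prefixes them with 66h), but a hit on either one alone is weak evidence; treat the pair a few bytes apart, as in the Haspinst.exe listing, as the real indicator. Strings may of course be built at runtime or stored obfuscated, so a clean scan proves nothing.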
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with the zero flag set when no
debugger is installed, which is what the je below relies on.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>