<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh        ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h              ; VxD ID of winice
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh              ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID         ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. when the SoftICE
   VxD is loaded and answers the open request (see below). */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025            ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
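The following is an added example, not part of the original text and not
code from any of the tools it names: a small static signature scanner, in C,
for the byte patterns that the checks of Methods 01, 02, 03/04, 05, 11 and 12
compile to. It is the kind of rule a packer identifier or a triage script
applies to a file on disk to flag these anti-debugger tricks before running
anything. The instruction encodings (16-bit for the DOS sequences, 32-bit for
the BCHK and VxDCall ones) were derived here from the listings above; the
sample buffer is constructed for this example and is not from any real
binary. Wildcard bytes cover operands that vary (the 'mov ax,4' form and the
VxD ID in 'mov bx,...').

```c
#include <stdio.h>
#include <stddef.h>

/* One rule: byte pattern plus optional mask (0xFF = must match, 0x00 = wildcard; NULL = all must match). */
typedef struct {
    const char *name;
    const unsigned char *pat;
    const unsigned char *mask;
    size_t len;
} Signature;

/* Method 01 (32-bit code): mov ebp,4243484Bh ; mov ax,4 ; int 3  (wildcards cover 66 B8 04 00) */
static const unsigned char P_BCHK[]  = {0xBD,0x4B,0x48,0x43,0x42, 0,0,0,0, 0xCC};
static const unsigned char M_BCHK[]  = {0xFF,0xFF,0xFF,0xFF,0xFF, 0,0,0,0, 0xFF};
/* Method 02 (16-bit code): mov si,4647h ; mov di,4A4Dh  (backdoor magic values) */
static const unsigned char P_MAGIC[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};
/* Method 03/04 (16-bit code): mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh */
static const unsigned char P_INT2F[] = {0xB8,0x84,0x16, 0xBB,0,0, 0xCD,0x2F};
static const unsigned char M_INT2F[] = {0xFF,0xFF,0xFF, 0xFF,0,0, 0xFF,0xFF};
/* Method 05 (16-bit code): mov ax,4Fh ; int 41h */
static const unsigned char P_INT41[] = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 11: device names handed to CreateFileA / _lopen */
static const unsigned char P_SICE[]   = "\\\\.\\SICE";
static const unsigned char P_SIWVID[] = "\\\\.\\SIWVID";
static const unsigned char P_NTICE[]  = "\\\\.\\NTICE";
/* Method 12 (32-bit code): push 4Fh ; push 2A002Ah  (VWIN32_Int41Dispatch via VxDCall) */
static const unsigned char P_VXDC[]  = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};

static const Signature SIGS[] = {
    {"Method 01: 'BCHK' int 3 check",          P_BCHK,   M_BCHK,  sizeof P_BCHK},
    {"Method 02: SI=4647h/DI=4A4Dh backdoor",  P_MAGIC,  NULL,    sizeof P_MAGIC},
    {"Method 03/04: int 2Fh/1684h VxD lookup", P_INT2F,  M_INT2F, sizeof P_INT2F},
    {"Method 05: int 41h/4Fh magic check",     P_INT41,  NULL,    sizeof P_INT41},
    {"Method 11: \\\\.\\SICE device name",     P_SICE,   NULL,    sizeof P_SICE - 1},
    {"Method 11: \\\\.\\SIWVID device name",   P_SIWVID, NULL,    sizeof P_SIWVID - 1},
    {"Method 11: \\\\.\\NTICE device name",    P_NTICE,  NULL,    sizeof P_NTICE - 1},
    {"Method 12: VxDCall Int41Dispatch",       P_VXDC,   NULL,    sizeof P_VXDC},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int match_at(const unsigned char *p, const Signature *s)
{
    for (size_t i = 0; i < s->len; i++) {
        unsigned char m = s->mask ? s->mask[i] : 0xFF;
        if ((p[i] & m) != (s->pat[i] & m)) return 0;
    }
    return 1;
}

/* Scans buf[0..n). first_off[i] gets the offset of the first hit of SIGS[i], or -1. Returns rules fired. */
int scan_anti_softice(const unsigned char *buf, size_t n, long *first_off)
{
    int fired = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        first_off[s] = -1;
        for (size_t off = 0; off + SIGS[s].len <= n; off++)
            if (match_at(buf + off, &SIGS[s])) { first_off[s] = (long)off; fired++; break; }
    }
    return fired;
}

/* For a Method 03/04 hit: the VxD ID is the imm16 operand of 'mov bx,...' (bytes 4 and 5). */
unsigned vxd_id_at(const unsigned char *buf, long off)
{
    return (unsigned)buf[off + 4] | ((unsigned)buf[off + 5] << 8);
}

/* Constructed sample (not a real binary): fragments shaped like the listings above, NOP-separated. */
static const unsigned char SAMPLE[] = {
    0x90,0x90,
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10, /* Method 01 */
    0x90,0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,        /* Method 02 */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,                                /* Method 03 */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                               /* Method 05 */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                                      /* Method 12 */
    '\\','\\','.','\\','S','I','C','E',0                                      /* Method 11 */
};
#define SAMPLE_LEN (sizeof SAMPLE)

/* Helpers exposing the scan result on the sample: 6 of the 8 rules fire (no SIWVID/NTICE strings). */
int  sample_hit_count(void)          { long o[NSIGS]; return scan_anti_softice(SAMPLE, SAMPLE_LEN, o); }
long sample_first_offset(size_t sig) { long o[NSIGS]; scan_anti_softice(SAMPLE, SAMPLE_LEN, o); return sig < NSIGS ? o[sig] : -1; }

int main(void)
{
    long off[NSIGS];
    int n = scan_anti_softice(SAMPLE, SAMPLE_LEN, off);
    for (size_t i = 0; i < NSIGS; i++) {
        if (off[i] < 0) continue;
        printf("%-40s at offset %ld", SIGS[i].name, off[i]);
        if (i == 2) printf(" (VxD ID %04Xh)", vxd_id_at(SAMPLE, off[i]));
        printf("\n");
    }
    printf("%d of %u rules fired\n", n, (unsigned)NSIGS);
    return 0;
}
```

Build with any C99 compiler and run: it lists which rules fired, their
offsets, and the VxD ID recovered from the int 2Fh/1684h sequence. The device
name strings and the BCHK sequence are the strongest indicators; int 2Fh/1684h
is the generic VxD entry-point lookup that any program talking to a VxD uses,
so that rule only means something when the ID in bx is 0202h or 7A5Fh, which
is why the scanner pulls the operand out rather than hard-coding it.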

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>