<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; ES is assumed to be 0 here (see Method 06)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if SoftICE does not intercept int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
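To see why dr7 reads 0x700 under the SoftICE loader and 0x400 otherwise, and what an armed BPM looks like in the same register, here is an added example (not code from the original post; the function names are mine) that decodes dr7 according to the Intel debug-register layout. The sample values are constructed.

```python
# Decoder for the dr7 values quoted above (added example, not from the post).
# Intel layout: bits 0-7 = L0,G0 .. L3,G3 enable bits for dr0-dr3, bit 8 = LE,
# bit 9 = GE, bit 10 = reserved and always reads 1 (hence the 0x400 floor),
# bit 13 = GD, bits 16+4i / 18+4i = R/W and LEN fields of breakpoint i.
RW_TYPES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # LEN=10b means 8 bytes (64-bit mode only)

def decode_dr7(dr7: int) -> dict:
    """Return the armed hardware breakpoints (BPMs) and the global flag bits."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:                       # a BPM is armed in dr{i}
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"reg": "dr%d" % i, "scope": "global" if glob else "local",
                        "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400), "GD": bool(dr7 & 0x2000)}

def started_with_softice_loader(dr7: int) -> bool:
    """The heuristic of Method 10: LE and GE set on top of bit 10 (0x700) means
    the soft was started with the SoftICE loader; a bare 0x400 means it was not."""
    return (dr7 & 0x700) == 0x700

# Constructed sample values: the two quoted in the text, plus a dr7 with a
# 4-byte write BPM armed in dr0 (L0=1, R/W0=01b, LEN0=11b) on top of 0x400.
SAMPLES = {"softice_loader": 0x700, "plain": 0x400,
           "bpm_dr0": 0x400 | 0x1 | 0x10000 | 0xC0000}

if __name__ == "__main__":
    for name, val in SAMPLES.items():
        print("%-14s dr7=%#07x loader=%s %s"
              % (name, val, started_with_softice_loader(val), decode_dr7(val)))
```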
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver answers to \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver is loaded: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

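The breakpoints given under each method catch these tricks at run time; a static pass over a packed file catches them before it is ever run. As an added example (not code from the original post; the function and table names are mine), here is a small triage scanner that looks for the byte encodings of the constants quoted in Methods 01 to 05, 11, 12 and 13 and reports which trick each hit belongs to. It assumes 16-bit encodings for the DOS tricks and uses a constructed sample blob.

```python
r"""Triage scanner for the SoftICE-detection tricks listed in this post (added
example, not code from the original post).  It searches a raw code/data blob for
the byte encodings of the constants the text gives: the 'BCHK' magic (Method 01),
the 4647h/4A4Dh backdoor magics (02), the 0202h/7A5Fh VxD IDs (03/04), the
int 41h/4Fh and VxDCall 002A002Ah checks (05/12), the \\.\SICE device names (11)
and the SoftICE registry keys (13).  16-bit encodings are assumed for the DOS
tricks; a 66h operand-size prefix is tolerated where 32-bit code would add one."""
import re

INT3_BACKDOOR = {0x0910: "display string", 0x0911: "execute command",
                 0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                 0x0914: "remove breakpoint"}

# (method, description, regex over raw bytes).  ".{0,n}?" tolerates a few
# unrelated instructions between the constant loads and the interrupt.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",   # mov ebp,4243484Bh ; mov ax,4 ; int 3
     rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\x66?\xb8\x04\x00.{0,8}?\xcc"),
    ("02", "int 3 backdoor, SI=4647h DI=4A4Dh",   # [mov ax,09xxh] ; mov si ; mov di ; int 3
     rb"(?:\xb8(?P<fn>[\x10-\x14])\x09.{0,12}?)?\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,12}?\xcc"),
    ("03/04", "int 2Fh/1684h VxD entry point",    # mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
     rb"\xb8\x84\x16.{0,8}?\xbb(?P<vxd>\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    ("05", "int 41h/4Fh magic 0F386h",            # mov ax,4Fh ; int 41h ; cmp ax,0F386h
     rb"\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x3d\x86\xf3"),
    ("12", "VxDCall VWIN32_Int41Dispatch 4Fh",    # push 4Fh ; push 002A002Ah
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("11", "SoftICE device name (MeltICE style)",
     rb"\\\\\.\\(?P<dev>SICE|SIWVID|NTICE)"),
    ("13", "SoftICE registry key",
     rb"(?i)Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]

def scan(blob: bytes) -> list:
    """Return sorted (offset, method, description, detail) tuples for every hit."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in re.finditer(pat, blob, re.S):
            g, detail = m.groupdict(), ""
            if g.get("fn") is not None:             # which backdoor function is requested
                fn = 0x0900 | g["fn"][0]
                detail = "AX=%04Xh (%s)" % (fn, INT3_BACKDOOR[fn])
            elif g.get("vxd") is not None:          # which VxD ID is looked up
                vid = int.from_bytes(g["vxd"], "little")
                detail = "VxD ID %04Xh (%s)" % (vid, "SICE" if vid == 0x0202 else "SIWVID")
            elif g.get("dev") is not None:
                detail = g["dev"].decode()
            hits.append((m.start(), method, desc, detail))
    return sorted(hits)

# Constructed sample blob (not taken from any real binary): the Haspinst-style
# Method 02 sequence, a Method 01 check, a Method 03 check and a device name.
SAMPLE = bytes.fromhex(
    "b81109" "8b17" "be4746" "bf4d4a" "cc"   # mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    "90" "66bd4b484342" "b80400" "cc"        # nop ; mov ebp,'BCHK' ; mov ax,4 ; int 3
    "b88416" "bb0202" "cd2f"                 # mov ax,1684h ; mov bx,0202h ; int 2Fh
) + b"\\\\.\\SICE\x00"
if __name__ == "__main__":
    for off, method, desc, detail in scan(SAMPLE):
        print("%04X  Method %-5s %-40s %s" % (off, method, desc, detail))
```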
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>