<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4            ; SoftICE's BoundsChecker interface changes al
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point (0:0 if not present)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must be 0 here: es:[41h*4] is the int 41h vector
    xchg bx, es:[41h*4+2]   ; install our handler, old vector saved in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC           ; our own int 41h handler: just copies al into cl
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, old vector saved in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = an arbitrary value (PIT counter)
    xor cx,cx
    int 41h                 ; reaches our handler only if no debugger services int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al: our handler never ran, a debugger took the call
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
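As an added illustration of what this trick reads (example code written for this page, not part of the original text), here is a small C decoder of the DR7 layout. It takes the two values the text quotes (0x700 for a SoftICE-loader start, 0x400 otherwise) plus a constructed dr0..dr3 set and reports which hardware breakpoints are armed, with what access type and length. It decodes constant values offline; it does not read the real registers, which, as the text says, is possible only from ring0.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0..7    L0 G0 L1 G1 L2 G2 L3 G3   enable bits for dr0..dr3
 *   bit  8 / 9   LE / GE                    exact breakpoint match (legacy)
 *   bit  10      reserved, always reads as 1
 *   bit  13      GD                         #DB on any access to a debug register
 *   bits 16+4n   R/Wn (2 bits),  bits 18+4n LENn (2 bits),  n = 0..3
 */
#define DR7_LE (1u << 8)
#define DR7_GE (1u << 9)
#define DR7_GD (1u << 13)

typedef struct {
    int      enabled;  /* Ln or Gn set: the slot is armed */
    int      global;   /* Gn set: armed across task switches */
    unsigned rw;       /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;      /* watched length in bytes */
    uint32_t address;  /* dr0..dr3 value, 0 when the caller passes NULL */
} bp_slot;

typedef struct {
    bp_slot slot[4];
    int armed;           /* number of enabled slots */
    int exact_local;     /* LE */
    int exact_global;    /* GE */
    int general_detect;  /* GD */
} dr7_decode;

static unsigned len_bytes(unsigned code)
{
    /* LEN encoding: 00 = 1, 01 = 2, 11 = 4, 10 = 8 (8 only valid in 64-bit mode) */
    switch (code) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

/* Decode a DR7 value; addr may be NULL when only the control bits matter. */
dr7_decode decode_dr7(uint32_t dr7, const uint32_t *addr)
{
    dr7_decode d = {0};
    for (int i = 0; i < 4; i++) {
        bp_slot *s = &d.slot[i];
        int local  = (dr7 >> (2 * i)) & 1;
        s->global  = (dr7 >> (2 * i + 1)) & 1;
        s->enabled = local || s->global;
        s->rw      = (dr7 >> (16 + 4 * i)) & 3;
        s->len     = len_bytes((dr7 >> (18 + 4 * i)) & 3);
        s->address = addr ? addr[i] : 0;
        d.armed   += s->enabled;
    }
    d.exact_local    = (dr7 & DR7_LE) != 0;
    d.exact_global   = (dr7 & DR7_GE) != 0;
    d.general_detect = (dr7 & DR7_GD) != 0;
    return d;
}

/* Accessors so callers need not poke at the struct. */
int      dr7_armed_count(uint32_t dr7)        { dr7_decode d = decode_dr7(dr7, NULL); return d.armed; }
unsigned dr7_slot_len(uint32_t dr7, int i)    { dr7_decode d = decode_dr7(dr7, NULL); return d.slot[i].len; }
unsigned dr7_slot_rw(uint32_t dr7, int i)     { dr7_decode d = decode_dr7(dr7, NULL); return d.slot[i].rw; }
int      dr7_exact_match(uint32_t dr7)        { dr7_decode d = decode_dr7(dr7, NULL); return d.exact_local && d.exact_global; }

static void describe(const char *label, uint32_t dr7, const uint32_t *addr)
{
    static const char *rw_name[] = { "execute", "write", "I/O", "read/write" };
    dr7_decode d = decode_dr7(dr7, addr);
    printf("%s: dr7=0x%08x  LE=%d GE=%d GD=%d  armed=%d\n", label, dr7,
           d.exact_local, d.exact_global, d.general_detect, d.armed);
    for (int i = 0; i < 4; i++)
        if (d.slot[i].enabled)
            printf("  dr%d: %s bp at 0x%08x, len %u (%s)\n", i,
                   d.slot[i].global ? "global" : "local",
                   d.slot[i].address, d.slot[i].len, rw_name[d.slot[i].rw]);
}

int main(void)
{
    uint32_t none[4]    = { 0, 0, 0, 0 };
    /* Constructed: one local 4-byte read/write watchpoint in slot 0 (L0, R/W0=11, LEN0=11). */
    uint32_t one_bpm[4] = { 0x00401000u, 0, 0, 0 };
    describe("SoftICE loader (value from the text)", 0x700, none);
    describe("plain load (value from the text)",     0x400, none);
    describe("one BPM (constructed)",                0x000F0401u, one_bpm);
    return 0;
}
```

0x700 decodes to LE and GE set with no slot armed, which is the trace the loader leaves behind; 0x400 is the reserved bit alone, i.e. an untouched DR7. The constructed 0x000F0401 is what a single 4-byte read/write BPM in slot 0 looks like, which is the other thing the text says the trick looks for.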
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
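The instruction sequences quoted in methods 01, 02, 05 and 12, and the device names of method 11, are fixed byte sequences, so an analyst can triage a binary for them before running it under the debugger. The following C scanner is an added example written for this page (not code from the original text, from MeltICE or from any other tool it names): it encodes those instructions and strings as byte patterns and reports where they occur in a buffer. The sample buffer is constructed here and is not taken from any real program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One static signature: the byte encoding of an instruction sequence or a
 * device-name string that a given method leaves in the binary. */
typedef struct {
    const char    *method;
    const uint8_t *bytes;
    size_t         len;
} signature;

/* x86 encodings used below: mov ebp,imm32 = BD imm; mov si,imm16 = BE imm;
 * mov di,imm16 = BF imm; mov ax,imm16 = B8 imm; int n = CD n;
 * push imm8 = 6A imm; push imm32 = 68 imm. Immediates are little-endian. */
static const uint8_t sig_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t sig_si[]      = { 0xBE, 0x47, 0x46 };                         /* mov si,4647h             */
static const uint8_t sig_di[]      = { 0xBF, 0x4D, 0x4A };                         /* mov di,4A4Dh             */
static const uint8_t sig_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh / int 41h     */
static const uint8_t sig_vxdcall[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh / push 2A002Ah  */

#define BYTE_SIG(name, arr) { name, arr, sizeof(arr) }
#define STR_SIG(name, s)    { name, (const uint8_t *)(s), sizeof(s) - 1 }

static const signature sigs[] = {
    BYTE_SIG("01 BoundsChecker 'BCHK' signature",   sig_bchk),
    BYTE_SIG("02 back door magic value in SI",      sig_si),
    BYTE_SIG("02 back door magic value in DI",      sig_di),
    BYTE_SIG("05 int 41h function 4Fh",             sig_int41),
    BYTE_SIG("12 VxDCall VWIN32_Int41Dispatch 4Fh", sig_vxdcall),
    STR_SIG ("11 device name \\\\.\\SICE",          "\\\\.\\SICE"),
    STR_SIG ("11 device name \\\\.\\SIWVID",        "\\\\.\\SIWVID"),
    STR_SIG ("11 device name \\\\.\\NTICE",         "\\\\.\\NTICE"),
};

typedef struct { const char *method; size_t offset; } hit;

/* Scan buf for every signature. Returns the total number of matches;
 * at most max_hits of them are written to out. */
int scan_buffer(const uint8_t *buf, size_t n, hit *out, int max_hits)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
            const signature *sg = &sigs[s];
            if (sg->len <= n - i && memcmp(buf + i, sg->bytes, sg->len) == 0) {
                if (count < max_hits) { out[count].method = sg->method; out[count].offset = i; }
                count++;
            }
        }
    }
    return count;
}

/* Constructed sample (not from any real program): a prologue, the method 01
 * check, the method 12 VxDCall arguments and a method 11 device name. */
static const uint8_t sample[] = {
    0x55, 0x8B, 0xEC,                                 /* push ebp / mov ebp,esp             */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                     /* mov ebp,4243484Bh      (offset 3)  */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,         /* mov ax,4 / int 3 / cmp al,4        */
    0x90, 0x90,                                       /* nop / nop                          */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,         /* push 4Fh / push 2A002Ah (offset 17) */
    0xC3,                                             /* ret                                */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,  /* "\\.\SICE"             (offset 25) */
};

enum { MAX_HITS = 16 };
static hit sample_hits[MAX_HITS];
static int sample_total = -1;

static void scan_sample_once(void)
{
    if (sample_total < 0)
        sample_total = scan_buffer(sample, sizeof sample, sample_hits, MAX_HITS);
}

int         sample_hit_count(void)   { scan_sample_once(); return sample_total < MAX_HITS ? sample_total : MAX_HITS; }
size_t      sample_hit_offset(int i) { scan_sample_once(); return sample_hits[i].offset; }
const char *sample_hit_method(int i) { scan_sample_once(); return sample_hits[i].method; }

int main(void)
{
    int n = sample_hit_count();
    for (int i = 0; i < n; i++)
        printf("offset %3zu: method %s\n", sample_hit_offset(i), sample_hit_method(i));
    return 0;
}
```

The patterns deliberately omit the 66h operand-size prefix, so both the 16-bit DOS encodings (methods 02 and 05) and their 32-bit counterparts match. On real input expect some false positives on the three-byte patterns; confirm each hit in a disassembler before drawing conclusions.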

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>