<TABLE width=500>$ I5 b6 j" y9 J7 l1 o3 s
<TBODY>" y1 Z9 q) ?0 [4 s3 \
<TR>
0 L3 B1 u- O, f) P' c+ w# \<TD><PRE>Method 01 . }) `$ b* U; R, z& T& V
=========7 @6 S6 t0 F ~) G+ K2 T
$ m7 K; z. w: X0 x; ]: xThis method of detection of SoftICE (as well as the following one) is
7 W7 Y9 h0 s0 o5 v& xused by the majority of packers/encryptors found on Internet.
* j4 [' D& t5 z9 r' {) L/ _2 y; W* rIt seeks the signature of BoundsChecker in SoftICE
" C! G0 W$ W7 z" l
% L* e2 r1 \# U- F$ D mov ebp, 04243484Bh ; 'BCHK'9 ~* Y, Q6 i- G2 p' a6 ^
mov ax, 04h" \( @& Y8 e$ P" A$ [) s0 P8 Z
int 3 / y( A' ^! d# l3 y) |$ H# c
cmp al,47 C7 p7 c$ ^. ^
jnz SoftICE_Detected5 e7 w4 y& F9 {9 C% {$ O0 f
, C8 N! G9 T/ D+ w___________________________________________________________________________- c. Z r2 r" F0 L7 Z" Y& P
; c1 f2 W. O0 t, k4 j
Method 02
- M Y2 G& J! }0 H: d' T- L=========
* f b b1 k' W0 s S' v
, ~3 |/ a% ?( G% UStill a method very much used (perhaps the most frequent one). It is used4 S: b1 T% F6 Q& ?; y; r$ `
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ _! o4 X1 `" ]+ n4 O6 z. h) vor execute SoftICE commands...5 v, ]7 E# j/ B- l& `- e! `3 D
It is also used to crash SoftICE and to force it to execute any commands4 ?! i/ i: r0 N& |
(HBOOT...) :-((
: ?' I3 d9 R0 y& l7 X4 v' D, n/ u' b4 ~& {
Here is a quick description:
0 J8 }8 T# |0 _# P' ]-AX = 0910h (Display string in SIce windows)
7 Z& e% Y1 I9 A5 X-AX = 0911h (Execute SIce commands -command is displayed is ds:dx); P# i4 @, \3 ?
-AX = 0912h (Get breakpoint infos), e% o6 }* e0 x* K6 b# ]. E3 y
-AX = 0913h (Set Sice breakpoints)
$ W& Z9 q" p, o# x5 `8 k9 F-AX = 0914h (Remove SIce breakoints)4 p; D- j; P3 e! p
6 Y F z6 _ D% Y8 u
Each time you'll meet this trick, you'll see:
7 e4 J8 r; n5 m3 N-SI = 4647h Q( }8 q' R% p9 z( G
-DI = 4A4Dh
. A- Z2 ]9 Y: |# J+ i1 b7 NWhich are the 'magic values' used by SoftIce. j4 i1 Q) }* `) Z) w
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- L3 z+ e4 Z# x7 q {" W8 m4 M' W
* S6 \* _5 B1 {0 H& q: LHere is one example from the file "Haspinst.exe" which is the dongle HASP
. S$ D" q. `9 R: PEnvelope utility use to protect DOS applications:& Q# s2 I& z8 T0 K
+ y |6 a) C- Y0 N
1 u! f- o) s* s4C19:0095 MOV AX,0911 ; execute command.# \2 j2 ^% H# m& b& ^
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).' n4 d/ @5 l5 w c' A+ f
4C19:009A MOV SI,4647 ; 1st magic value.0 e& Y6 I+ s5 j- C/ M- l
4C19:009D MOV DI,4A4D ; 2nd magic value.+ g6 ^" T% D' s, ?
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
# c; v* | k. r+ f; E5 w4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
& R8 j( g" l1 U; {4C19:00A4 INC CX
+ p% R& F/ @7 L5 k, G4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
% k2 r s9 X2 J8 J% O4C19:00A8 JB 0095 ; 6 different commands.6 [, X5 v; B, Q& R$ ]
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
6 D( _5 r' j/ D4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
7 p6 K% o" r) l& h# X* c# X4 p
: {! f f$ d. ^0 w) V, nThe program will execute 6 different SIce commands located at ds:dx, which
$ G. H; i* w' Rare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.& J- h/ B( n/ r h0 M
1 B' B, M5 w9 D x# C( `* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. g' _2 F L4 W8 m6 v- ^! Y
___________________________________________________________________________4 ~& t5 i" H- v/ a
" @* \, I0 K: u9 n$ U5 [% t3 Y5 P% N- @# b' I X
Method 03( N) T; K ~$ m6 ? k: r
=========8 W& j" ^2 d+ q6 P0 U
8 Z4 M# h6 |* v" R3 [7 T. J7 K
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 l* p+ x ~# G: W( ~/ p+ i5 @(API Get entry point)
$ C# U6 ?5 t0 B& n; i5 C3 s% [
/ E* ~, D+ K U# E/ {) t# c+ C6 D+ w: K" ?" p6 d8 o6 A8 c
xor di,di
' k2 k+ S/ d1 N3 t9 U( y mov es,di
4 V; G* g0 [( T mov ax, 1684h
1 s' T2 q5 w$ o mov bx, 0202h ; VxD ID of winice
# q7 C4 G2 U# D3 p- {, M, X int 2Fh
4 d: B, i+ `, _3 | mov ax, es ; ES:DI -> VxD API entry point+ W/ C# r$ W7 @1 s, R8 H5 T
add ax, di
) @+ J& y1 \9 v/ L8 v$ u( W; Z* @ test ax,ax7 a' \* z6 ~* o0 @+ M/ C
jnz SoftICE_Detected
' L3 F" ~/ t. n! B7 Q1 G$ c
! G6 ~. n7 n0 \/ k; Q___________________________________________________________________________; q; w" s: Q |$ ^
, p0 @8 l+ s' b; x# N# `- I, mMethod 04
& M; ]% I7 i5 D: G7 o=========
# ]/ f- J+ u: V" G' c, V1 S8 U6 X' s% K6 ~: q3 ~! w* V2 B
Method identical to the preceding one except that it seeks the ID of SoftICE. o) e1 i3 b! W+ K
GFX VxD.1 J/ o1 E: I( r: U
( b- ~6 R) h5 D) m# q# s xor di,di
9 }- r. a; H" _% I5 I mov es,di, C$ [9 f% i7 g8 Z" L2 [* H
mov ax, 1684h
6 e V9 D& P$ T, k6 E mov bx, 7a5Fh ; VxD ID of SIWVID/ X, C0 v- h6 y. W; w- f4 ~* D
int 2fh" p4 y! O$ n% U4 c$ G
mov ax, es ; ES:DI -> VxD API entry point
8 f8 D5 _9 i8 b4 { add ax, di' L! E' A$ X2 g. W1 h+ v
test ax,ax: a. R% k" D" k. d/ f1 ^5 O7 m
jnz SoftICE_Detected0 n' X% R F% A. H; D/ }6 B
2 N" k h6 u0 e$ W0 p__________________________________________________________________________
. w8 }# ^' C3 j* p5 y# x8 R
; B% X! l" }- L% W6 o; \2 S* d) q" p/ J
Method 05
8 i# v* ~5 h {' d J/ N=========
& \6 I2 P- v7 c2 ]2 j. p l) L$ \
Method seeking the 'magic number' 0F386h returned (in ax) by all system4 s% C& e. H4 ~! d; s; g+ e
debugger. It calls the int 41h, function 4Fh.: m+ c0 X1 M" D
There are several alternatives.
6 ~) D( R% `) a) L0 K) x2 L2 c5 Y3 @" A/ J2 J3 Y* j/ ]9 r
The following one is the simplest:
) s6 o# M8 b0 z- r- r K' [/ e( @( I) |3 D
mov ax,4fh
' S6 T7 p+ T" X/ f9 Z- ~0 K int 41h, |# B% j9 Y2 o7 e7 p( }
cmp ax, 0F386
3 B0 m9 K& c% z3 I& H3 O jz SoftICE_detected- m) O1 _4 Z$ V) `3 p
9 d4 I8 B* x4 g
- J4 Q6 ]/ E% O9 sNext method as well as the following one are 2 examples from Stone's
) q( i# A4 f9 |4 p+ t"stn-wid.zip" (www.cracking.net):
, D8 D+ z& n1 l! Z9 \2 O* _/ I+ c2 K$ L! j$ ?- ^( g
mov bx, cs9 Z& W% W+ i6 E" F+ b/ v0 o
lea dx, int41handler2
" j0 R+ r& C8 } _' K xchg dx, es:[41h*4]" s5 n' C% o7 L) P( m- _0 i
xchg bx, es:[41h*4+2]
. |7 \) A9 [& y* F0 Z! W mov ax,4fh; x+ O6 o% n" H+ i' B
int 41h% F3 D8 e% @, ^, N; m; c
xchg dx, es:[41h*4]
/ m" s% i' q& g5 h* H6 W7 J xchg bx, es:[41h*4+2]% O5 P X9 c4 Y" [8 O0 J
cmp ax, 0f386h' V( k7 K* R: C h
jz SoftICE_detected
k7 G, [ a: ]6 q P2 u4 C7 X5 y! o
int41handler2 PROC
0 o) j" C: r4 | W) {# S iret
1 f* ?5 w( ]" H* j/ L4 I3 h1 Cint41handler2 ENDP) ^7 @, M0 s5 X, z. g0 |
( n6 g% l. d) f7 u5 j
! T6 [0 a" q1 R$ H& f7 E
_________________________________________________________________________
0 W( A8 [1 a6 ~8 Y1 W( n
" y1 ~2 e$ {# O3 u/ M2 K4 m+ `6 f
& H! t! S: ~5 o% q; JMethod 06+ g* X3 f7 c8 H8 {1 g
=========
2 r! f4 R7 L0 X$ s/ O. h3 v0 {
+ ]. ~4 c% _5 m! L
' F' t6 Q% J) w3 v2 Z. o. X3 _0 G2nd method similar to the preceding one but more difficult to detect:
; [1 I) H; w; [" l
8 Y* f* p. r% w2 N6 |0 L- s) d+ Q, Y; |+ b; Q# d8 f
int41handler PROC- g3 L" _/ t3 N0 Q) ?: h7 ^
mov cl,al6 c9 d, {3 X; t! g' ~: P# A
iret
- ?3 t/ P. X' a/ Xint41handler ENDP* q/ {# g" j4 k9 ~' x1 }& K- T
& y/ z& g) s I& a, l; D7 T( ^& l& B: q( x1 `# J8 `5 P5 x5 ~# W
xor ax,ax
* g$ n/ [+ k8 V# g3 j: s3 v mov es,ax0 I5 |, q2 @' `( T
mov bx, cs2 i4 w; @" f' N% H( D/ a! g @
lea dx, int41handler' R6 Q7 q" l6 L) E% n2 Y) {
xchg dx, es:[41h*4]
( |2 H# E+ B$ C) Y! F xchg bx, es:[41h*4+2] h. V8 F' [, L# ^) j0 \
in al, 40h
1 k7 A9 A. q1 W xor cx,cx3 K0 q% ^, V! q/ L1 g
int 41h
2 z7 C+ i! _3 ]* H% j, g( W) Q# P xchg dx, es:[41h*4] v! W6 l9 f+ L
xchg bx, es:[41h*4+2]
) _* [/ [% q, k' v, ` cmp cl,al
. A( f. u+ Q4 M jnz SoftICE_detected
0 {( M$ R# ^6 u9 l
; D2 p% { d* s) q$ t$ E. I_________________________________________________________________________9 R" w8 Q2 j0 n$ h% {- e; m
% v9 ?' s$ E0 P: JMethod 07
! e, n, k: p* {=========
V. ]. I$ D+ H; @2 ~" X7 U9 S% [3 Q% n& w1 I) O6 l2 }! w+ l% a4 o( L
Method of detection of the WinICE handler in the int68h (V86)
% g9 ~' R8 D( \) n) F
? c; [; @" |- k6 J* h/ K: g mov ah,43h2 w* I1 x* c% i' }8 o, C
int 68h
$ S! q9 T# l6 l cmp ax,0F386h- S, `! h) Q, W1 ~$ s1 |- R
jz SoftICE_Detected: K9 d2 S2 O) M
7 _* d# a& F x# B5 u- U' @5 r5 z, b; _
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: _6 M) n! v4 F7 _ app like this:
6 L0 `" m- d+ k7 U
, }" i" G5 H0 f BPX exec_int if ax==68
& E. ]0 @/ L0 h, h (function called is located at byte ptr [ebp+1Dh] and client eip is
: p8 Z% ~% s! [8 N' L located at [ebp+48h] for 32Bit apps)
" H# }* c3 M3 D: O B5 g__________________________________________________________________________5 z( _9 J3 O+ P i* W3 E8 f% F
/ Q& N5 x4 A3 L
0 k4 J7 M a9 }: _5 Q/ D) RMethod 08
- T9 C# W, \5 b$ L2 J0 x=========' b8 y- @/ d3 ^7 n$ \# ]
1 p! F4 S$ a) \$ I' K2 t6 UIt is not a method of detection of SoftICE but a possibility to crash the9 i( h4 T; O' D( N! ?# H) {8 u$ T
system by intercepting int 01h and int 03h and redirecting them to another
) {. ^- k/ n6 x+ vroutine.
, q3 C1 Q& G) \2 h( PIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# z1 Z/ I! H7 x7 }2 ]& s
to the new routine to execute (hangs computer...)
0 j, Q9 E, l6 D4 K' a# M' w8 ]9 X+ p- t2 r, H6 h, C Z
mov ah, 25h9 G+ ?3 Q, q# p8 I8 R7 S$ i
mov al, Int_Number (01h or 03h)% D( h) P5 L* U% Y k
mov dx, offset New_Int_Routine
( G/ Z- G7 \ v" y1 r/ p$ M$ Q' v int 21h
2 W% o4 B5 X" r8 ?8 N6 S6 q
% S$ K. U% A) B( t! S% _4 Q__________________________________________________________________________" y. g% I, l3 J
' _% O, W" ]: X. H/ Z
Method 09* x3 @3 A8 v! G" {- s: b: W p
=========
0 O- n1 D( Z, W. {+ h2 @+ M0 k
8 y. _) \" P+ |3 U9 H) zThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) o2 N3 P5 l4 h1 z2 {+ p, D
performed in ring0 (VxD or a ring3 app using the VxdCall).
! _9 @% U: Q4 wThe Get_DDB service is used to determine whether or not a VxD is installed
1 _- u% F6 l7 Q# qfor the specified device and returns a Device Description Block (in ecx) for5 N, X. x+ C. n6 ?# @) K- O
that device if it is installed.
+ j3 n+ V6 f6 Q$ z6 z
7 e) E# w6 |& Z1 V) F( v1 i mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 W" _5 z4 Q7 s- g# K+ ~" ? mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-), X n1 m2 F9 m& L) U
VMMCall Get_DDB
8 j' G) X7 G$ H8 O# N9 j mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed. L: L2 q- ]# k' S8 y. \
- E) E5 m& @, _) l& h0 {Note as well that you can easily detect this method with SoftICE:: x) E5 K! c( G$ h& t8 [
bpx Get_DDB if ax==0202 || ax==7a5fh Q. g8 J" ~- P/ x
6 `/ ?* P/ {- u6 ~ X6 ~
__________________________________________________________________________6 N! h8 \& q& c
: ^, B+ Z: F) D2 b8 e# t
Method 10
& E) K1 S; D# J {2 ?=========
4 R6 e7 C4 I+ d6 u! R
9 y% m5 E: U" \' f" G8 X=>Disable or clear breakpoints before using this feature. DO NOT trace with
" q% W/ @' q( C Q5 g2 g) O; k Q SoftICE while the option is enable!!
" W4 \4 w8 V: {% T, j' C% d& R2 i6 N3 \3 k d( o
This trick is very efficient:
) _ N" S- m5 Q" ?4 | Bby checking the Debug Registers, you can detect if SoftICE is loaded3 L# n' q' Q! F* R0 }
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 I+ Q' W7 f) H1 D1 c1 z
there are some memory breakpoints set (dr0 to dr3) simply by reading their5 O0 v" R/ L" b4 u8 U: g4 m1 c7 y* Y
value (in ring0 only). Values can be manipulated and or changed as well9 I2 @" ~' ^& P1 h' S
(clearing BPMs for instance)) A( K- G/ o/ |/ J8 _2 V
y, _8 b" R# W& w__________________________________________________________________________" \+ h. }* B- c" b- ?# n# _, S
; i# l$ G. ]- q7 L9 D0 L* q& K( B0 O
Method 11
0 A, I/ C U/ j! { e=========- G! J! v( F) A: z
5 B0 X% t& I, x4 G% b) R" Q1 vThis method is most known as 'MeltICE' because it has been freely distributed2 ^/ W/ F6 r. e
via www.winfiles.com. However it was first used by NuMega people to allow2 V3 C- d/ X9 C# f" h' [
Symbol Loader to check if SoftICE was active or not (the code is located& d; @3 N! V: G) V( _) L
inside nmtrans.dll).2 z8 a9 F2 T8 J1 G( s
6 s% K( ^' w+ x
The way it works is very simple:0 Y" i* p# I( Y* `/ o
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 s t+ G- O& p' W3 k
WinNT) with the CreateFileA API.
& m) @2 {7 d: U( G
5 r2 O4 [" z! z6 b/ sHere is a sample (checking for 'SICE'):
4 a, t' c9 D5 R
1 B3 L% X2 A8 OBOOL IsSoftIce95Loaded()
( I, O# Z) Z" Z1 U8 J4 s% l% r{
0 a! T7 x& I# Q. M$ a1 v W/ A! O HANDLE hFile; 0 D6 R! L0 r" \* [, g4 |
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 Q6 w7 l' \) C$ g
FILE_SHARE_READ | FILE_SHARE_WRITE,7 E% n, i1 K! s) O, l U
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ j- V% c: r0 k* v3 \. i& k9 r. N if( hFile != INVALID_HANDLE_VALUE )
, e7 f6 b1 v; b {3 Y; b" T) P, A0 {! L. V- W' b
CloseHandle(hFile);
6 h, @$ F6 G" ~$ i return TRUE;
7 `4 x& v# h# W+ q }3 @% H0 X. d& F1 v0 R, V8 l
return FALSE;
! F# M `3 Y! S6 u% S}
! Z& k9 d* T* Y0 ^0 k3 p# L: v- r5 W
Although this trick calls the CreateFileA function, don't even expect to be3 [, o, r' Y, S
able to intercept it by installing a IFS hook: it will not work, no way!
1 Z3 `" v( L; D' [+ F, ~& fIn fact, after the call to CreateFileA it will get through VWIN32 0x001F2 K% ?8 i, j4 { j1 A
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' S; s$ p, Y: ~ s& O: |' h3 v
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
! Y, a3 o# @4 }" n5 {, Ofield.
8 {$ B: A. C: `0 rIn fact, its purpose is not to load/unload VxDs but only to send a
) E+ t5 Y% m" dW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 q& s3 r% U& |" s6 q; O0 X
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 U4 f: F6 `7 {3 Wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
( O9 c& @! i7 k5 j) m1 LIf the VxD is loaded, it will always clear eax and the Carry flag to allow7 Z1 \2 a S$ z' ~* d4 v% e& R
its handle to be opened and then, will be detected.7 _; |: G R4 A
You can check that simply by hooking Winice.exe control proc entry point
* `2 s7 }6 R; R9 ?while running MeltICE.
& c" R' ]6 i0 H; v+ Y! c4 i, m* d7 i# f! ]4 B7 {
! X8 z3 _- r* \2 |7 ]6 B, {
00401067: push 00402025 ; \\.\SICE
l5 ?$ i4 W7 _2 A/ b 0040106C: call CreateFileA
# {9 N7 B- E3 A 00401071: cmp eax,-001
& R3 X( C/ y5 F4 p+ k1 d& X 00401074: je 00401091- M' j' B* g- V% c* G
, G8 a& r& y# B
, m2 |/ ]& H) c* @* [8 ~There could be hundreds of BPX you could use to detect this trick.
6 g2 ^4 \7 K* s. B* m& B& _8 ?, n-The most classical one is:$ p; y* K' d9 ], a1 C3 w
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||2 G+ L8 J4 }3 s8 m
*(esp->4+4)=='NTIC'/ d, D+ L7 q; ^! h% a) z
4 o$ E5 s) L) g# [5 y3 `1 A0 A
-The most exotic ones (could be very slooooow :-(
5 T, Y5 H# B1 ?# H BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
f; G7 g1 Z) C! x B4 v+ w: n4 i! \ ;will break 3 times :-(
* z- X- F$ B1 B/ m* c! u8 `0 Z2 }( S4 g7 r: k+ A0 y
-or (a bit) faster:
+ @! l, N& s E' Q6 o$ N BPINT 30 if (*edi=='SICE' || *edi=='SIWV'). o( C5 I* }4 [
2 ^5 G( f$ S; b& n) u& M; K BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
" ?$ Z0 A4 L+ K! S% L# T9 G2 ?* c9 y" G ;will break 3 times :-(
; `1 ^1 ~) k3 v* Z
% g8 @" j; R6 N9 |* f-Much faster:( b( s, j( M ~" z# {% a' a
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'/ q8 V0 d4 G( B/ R. d0 B" J$ {
* x3 ~& b, F. s" _2 s- MNote also that some programs (like AZPR3.00) use de old 16-bit _lopen5 t6 i7 \4 A% N* V; B
function to do the same job:
6 ]; Y( J- c; ] h: G2 s; Y& c. f
+ S/ U) |4 I( D* M3 [; q: J push 00 ; OF_READ
9 E0 e) ?- g. F2 }8 |* l$ _ mov eax,[00656634] ; '\\.\SICE',0
T/ ]; n* T7 K; s2 J, H push eax- H$ G! _7 w( k
call KERNEL32!_lopen
5 C1 \& s6 b h" N' }! n inc eax
1 k. S5 i- n9 s$ R7 K2 | jnz 00650589 ; detected
5 Q( U% u! q6 k# D. V( S3 \ push 00 ; OF_READ" E% v& a- X9 p, E# s
mov eax,[00656638] ; '\\.\SICE'! X9 {( U! F3 j
push eax) V6 g# }. s4 `5 O3 B: |
call KERNEL32!_lopen
' i; Z8 t) u2 G/ |- N inc eax0 m* X' t+ i' n; t5 G
jz 006505ae ; not detected2 z3 Q5 c* J/ k5 ]# O- I2 y8 z
! \# o, g4 ]( G' c: J! f: P$ O& S9 `2 D. ^& T; [
__________________________________________________________________________
6 o! i7 y$ S3 Y- g7 q4 q4 B! ]1 O: A M& t& m9 F/ Q
Method 12* n3 _; B# A6 c1 N
=========! b2 W. J- p" D9 m, V! [
$ [3 J/ I1 v% E a2 V5 e A5 y
This trick is similar to int41h/4fh Debugger installation check (code 05
% R% z. ]" Q( e9 c" V4 ?& 06) but very limited because it's only available for Win95/98 (not NT)- b8 a: U% C$ B! u" q/ Z9 E1 Y
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.: c0 a/ T" G. u7 i
$ C) J8 ]6 Q2 M5 g5 f( C push 0000004fh ; function 4fh
+ Y9 Y2 e9 T/ h' a1 i! y push 002a002ah ; high word specifies which VxD (VWIN32); A9 e* H! T M# n, p5 E) E. j/ o
; low word specifies which service8 G9 \) K/ {8 n8 g) r, E; u
(VWIN32_Int41Dispatch)* H+ u1 `3 f5 v- ^+ Z1 ?( Y
call Kernel32!ORD_001 ; VxdCall1 L% a: r3 H/ s2 T) E
cmp ax, 0f386h ; magic number returned by system debuggers
4 e( f# ?. M$ m, j' K* O/ M4 S jz SoftICE_detected
$ g- F) _% g7 [6 R8 V* P. M& F" n, d& D0 e* Z. n
Here again, several ways to detect it:
1 `. e+ r$ w5 `& W; |2 t' e% ?/ M9 m
BPINT 41 if ax==4f
1 \* B: P' K$ x; v
3 g9 u: a3 F1 Z& J1 w BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one5 C$ d \4 `% p, c( \3 u% Q, h
, k1 S! E, y5 K0 ]$ C, ^9 ^0 o7 B0 d7 e
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A" [0 _, r: O* d# j* ?$ Y6 i) e
+ B) w ?6 I8 b+ f/ W& z8 U
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!: y" s2 f: W% g$ y/ ~" W
, I. _, x7 R# y/ o
__________________________________________________________________________6 M w- M7 R! G) J2 o
" N- `% z. i2 @2 P7 N8 R8 O0 \5 ~/ EMethod 139 x8 f. b( `/ Y$ A9 F+ |
=========% t: L0 l+ J- P: x8 j
: G1 t+ {. g" I" k
Not a real method of detection, but a good way to know if SoftICE is
- j5 E O2 E0 }- G% w0 L5 q) a+ cinstalled on a computer and to locate its installation directory.
. I3 [+ }8 T! b7 u$ j& K- n& @. sIt is used by few softs which access the following registry keys (usually #2) :
: x: x: E: w& e/ s7 X: T' ~
' S L) K5 ~0 E6 m& z4 S4 `-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 M' |* R3 M6 H8 w Q
\Uninstall\SoftICE. b- W: Y5 L+ [# k
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE5 x! N4 o8 G7 {$ ?' [# [
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion* u ?% r& P6 a7 Q' _* Q* V
\App Paths\Loader32.Exe! V b: {6 K2 K0 t7 l* H$ H
) H$ X4 E/ V. o: j; d: g! v% O4 G' R N# J; t
Note that some nasty apps could then erase all files from SoftICE directory
q4 G7 I; Z) ?! T5 ?6 l2 X(I faced that once :-(- Y! f F5 i5 ^- Q* r
/ |& I2 [* T4 q+ i, X
Useful breakpoint to detect it:
' p$ K; g) Y7 v' G) A+ e3 b$ Z5 y
, R, h- Q M5 L$ \ BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'2 z1 @1 {, |' o
/ {/ M) R, b# i/ o/ t$ r
__________________________________________________________________________
, `3 Y1 T% e' S' ?) r; ~' X3 @8 _
( ]4 k; ^4 A0 F
: H+ d+ p/ B1 Z# yMethod 14
4 b4 \* K4 f. D. R6 J- j9 X$ Y! W=========8 ?+ @* D. N, c% n1 g0 ]1 A
! A- p2 Y `+ H( ~* |2 J, L* AA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose) e6 M) [7 _8 h' S
is to determines whether a debugger is running on your system (ring0 only).
9 \9 {/ k6 \. U) s% b3 R2 x
) ` G8 n+ y* t" e3 |; F# ]% _3 r; X VMMCall Test_Debug_Installed6 y3 W1 {* r) v: b4 |; X& U
je not_installed
# t. ~7 M" @0 ?# c5 W& j! y! J+ C' K* q* S6 z( r3 U
This service just checks a flag.
) [/ q3 S2 ?: h* n' o! p</PRE></TD></TR></TBODY></TABLE> |