<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:
    BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only when SoftICE is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
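As an analyst's aid, and not part of the original text, the following added Python script scans a raw binary for the byte patterns of the checks described in Methods 01, 02, 03/04, 05, 07, 11 and 12, so a sample using these tricks can be flagged before it is run. The encodings are my own assembly of the instructions listed above (16-bit and 32-bit forms where they differ only by the 0x66 prefix), and the sample blob is constructed, not taken from any real file.

```python
import re

# Byte-level signatures for the SoftICE checks on this page (assumed encodings,
# hand-assembled from the listed instructions). Matched with re.S so that '.'
# also spans 0x0A bytes.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01": re.compile(rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC", re.S),
    # Method 02: mov si,4647h and mov di,4A4Dh magic values (either order)
    "M02": re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04": re.compile(rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "M05": re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h / int 68h
    "M07": re.compile(rb"\xB4\x43\xCD\x68", re.S),
    # Method 11 (MeltICE / _lopen variant): NUL-terminated driver device names
    "M11": re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00", re.S),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "M12": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.S),
}


def scan(blob: bytes) -> dict:
    """Return {method: [offsets]} for every signature found in blob."""
    hits = {}
    for name, pat in SIGNATURES.items():
        offsets = [m.start() for m in pat.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample standing in for a packer stub: hand-assembled Methods 01,
# 02 (HASP style), 03 and 11, separated by NOP padding. Not from any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # M01, 16-bit
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # M02
    + b"\x90" * 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # M03
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # M11 strings
)

if __name__ == "__main__":
    for method, offsets in scan(SAMPLE).items():
        print(method, ["0x%X" % o for o in offsets])
```

The scanner only recognises the literal encodings shown on this page; a variant that uses other registers or builds the values at run time will not match, so treat a clean result as "nothing obvious", not as absence of anti-debugging code.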
</PRE></TD></TR></TBODY></TABLE>