<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
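The listings of Methods 01 to 07 share a property a defender can use statically: each is a short, fixed instruction sequence with at most one varying immediate. The following Python scanner is an added example, not code from the original text; it encodes those sequences as byte signatures with wildcards and reports where they occur in a code blob, including which VxD id an int 2Fh/1684h probe asks for. The signatures assume 16-bit code for the DOS-era listings (a 32-bit variant of the 'BCHK' check is added as well, which the page does not show); the sample bytes are hand-assembled from the page's listings, not taken from any real file.

```python
"""Static scanner for the int 3 / int 41h / int 2Fh / int 68h SoftICE checks
of Methods 01-07.  Added example, not code from the original text: each
listing becomes an x86 byte signature (?? = any one byte) so an analyst can
flag a packer's anti-debug stub without running it."""
import re

# 16-bit encodings of the instruction sequences quoted on the page.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    # 66 BD = operand-size prefix + mov ebp,imm32 inside a 16-bit segment
    "01 'BCHK' int 3 (16-bit code)": "66 BD 4B 48 43 42 B8 04 00 CC 3C 04",
    # Same check in a 32-bit segment (assumption: the prefix moves to mov ax)
    "01 'BCHK' int 3 (32-bit code)": "BD 4B 48 43 42 66 B8 04 00 CC 3C 04",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (ax varies per command,
    # so only the two magic values and the int 3 are matched)
    "02 SoftICE back door int 3":    "BE 47 46 BF 4D 4A CC",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "03/04 int 2Fh/1684h Get API entry point": "B8 84 16 BB ?? ?? CD 2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h":   "B8 4F 00 CD 41 3D 86 F3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":   "B4 43 CD 68 3D 86 F3",
}

# VxD ids quoted on the page for the int 2Fh check (Methods 03 and 04).
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def signature_to_regex(sig: str) -> re.Pattern:
    """Turn 'B8 84 16 BB ?? ?? CD 2F' into a bytes regex.  Every fixed byte
    goes through re.escape so values such as 0x2A ('*') or 0x3F ('?') cannot
    be misread as regex operators; ?? becomes '.' (any byte under DOTALL)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(blob: bytes) -> list:
    """Return sorted (offset, method-name, detail) tuples for every match.
    For the int 2Fh signature the wildcarded bx immediate is decoded and
    looked up in VXD_IDS so the report names the driver being probed."""
    hits = []
    for name, sig in SIGNATURES.items():
        for m in signature_to_regex(sig).finditer(blob):
            detail = ""
            if name.startswith("03/04"):
                # 'BB lo hi': the 16-bit immediate sits at offsets 4..5
                vxd = int.from_bytes(m.group(0)[4:6], "little")
                detail = VXD_IDS.get(vxd, "unknown VxD id 0x%04X" % vxd)
            hits.append((m.start(), name, detail))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Only the method names, in file order."""
    return [name for _, name, _ in scan(blob)]


# Constructed input: the page's listings assembled by hand, NOP padded.
# Not a real sample.
SAMPLE = bytes.fromhex(
    "90 90"
    "66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"        # Method 01
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC 83 C3 02"     # Method 02 (Haspinst)
    "31 FF 8E C7 B8 84 16 BB 02 02 CD 2F"              # Method 03 (SICE)
    "31 FF 8E C7 B8 84 16 BB 5F 7A CD 2F"              # Method 04 (SIWVID)
    "B8 4F 00 CD 41 3D 86 F3 74 00"                    # Method 05
    "B4 43 CD 68 3D 86 F3 74 00"                       # Method 07
    "90 90"
)


if __name__ == "__main__":
    for off, name, detail in scan(SAMPLE):
        print("0x%04X  Method %s  %s" % (off, name, detail))
```

The wildcard is deliberately narrow: the int 2Fh check is the only one whose immediate legitimately varies, and decoding it afterwards tells the analyst which driver the sample was looking for instead of merely that it looked.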
___________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a handle to the SoftICE (Win9x) driver can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
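Methods 11 and 13 both leave their indicators in the binary's data rather than in its code: the \\.\SICE-style device names and the registry paths. The following Python scan is an added example, not code from the original text or from MeltICE; it looks for those strings in the ANSI form the page shows and also in the UTF-16LE form the W variants of the same APIs would take (an extension beyond what the page discusses), and it matches registry paths case-insensitively. The sample data section is constructed for the example.

```python
"""Static indicator scan for the 'MeltICE'-style driver-handle probes of
Method 11 and the registry lookups of Method 13.  Added example, not code
from the original text or from MeltICE.  It only reads bytes: a sample that
carries these strings deserves a closer look at its CreateFile/_lopen and
RegOpenKey call sites, which is exactly where the page's breakpoints sit."""
import re

# Driver names opened as \\.\<name> (Method 11).  The page's BPX condition
# compares the four bytes after the '\\.\' prefix, which is why it tests for
# 'SIWV' and 'NTIC'; the full names are used here.
DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]

# Registry paths from Method 13.  The HKEY_LOCAL_MACHINE hive is omitted
# because RegOpenKey receives it as a handle, not as part of the string.
REGISTRY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def encodings(text: str) -> dict:
    """ANSI form (CreateFileA, _lopen, RegOpenKeyA) and UTF-16LE form (the W
    variants, which the page does not show) of one indicator string."""
    return {"ansi": text.encode("ascii"), "utf16": text.encode("utf-16-le")}


def build_patterns() -> list:
    """(label, encoding, compiled regex) for every indicator and encoding.
    Registry paths are matched case-insensitively because the registry is;
    device names are matched as written, as the page's breakpoints do.
    re.escape keeps the backslashes and dots literal; IGNORECASE on a bytes
    pattern folds ASCII letters, which also covers the UTF-16LE form."""
    pats = []
    for name in DEVICE_NAMES:
        for enc, raw in encodings("\\\\.\\" + name).items():
            pats.append(("Method 11 device " + name, enc,
                         re.compile(re.escape(raw))))
    for path in REGISTRY_PATHS:
        for enc, raw in encodings(path).items():
            pats.append(("Method 13 key " + path, enc,
                         re.compile(re.escape(raw), re.IGNORECASE)))
    return pats


def scan_strings(blob: bytes) -> list:
    """Return sorted (offset, label, encoding) tuples for every hit."""
    hits = []
    for label, enc, pat in build_patterns():
        for m in pat.finditer(blob):
            hits.append((m.start(), label, enc))
    return sorted(hits)


# Constructed stand-in for a sample's data section: two driver names in the
# two encodings, one registry path in a different letter case, and an
# unrelated device name that must not be reported.  Not a real binary.
SAMPLE_DATA = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                 # ANSI, as in the _lopen listing
    + b"kernel32.dll\x00"
    + "\\\\.\\SIWVID".encode("utf-16-le") + b"\x00\x00"  # what CreateFileW would take
    + b"SOFTWARE\\NuMega\\SoftICE\x00"                    # key #2, upper-case hive path
    + b"\\\\.\\PhysicalDrive0\x00"                        # legitimate device, no hit
)


if __name__ == "__main__":
    for off, label, enc in scan_strings(SAMPLE_DATA):
        print("0x%04X  %-6s %s" % (off, enc, label))
```

A hit here is an indicator, not a verdict: a debugger's own tooling legitimately carries these names, so the offset is the starting point for looking at which API consumes the string.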
% D* ?7 ]) c; H% S2 V: N__________________________________________________________________________
7 W b. N- A5 L& N. q. @ P% B. ~* u3 C$ x. U8 w' `
3 r6 J2 G2 b3 V2 N8 V4 R
Method 14
# Y! Z5 G' h% d0 J! ~3 @=========
' G; S5 {. E" D- X6 B' d$ e# y4 y @" p# ~
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose" |( ?% X' O8 d( x7 F
is to determines whether a debugger is running on your system (ring0 only).& t( h6 b; p5 K4 ]7 }
3 f9 p0 Q5 E# T9 }. ] VMMCall Test_Debug_Installed
4 y, W( Z7 l; { je not_installed
2 J/ p% i; g2 {- V/ v. |
3 j \2 {' Y3 ^: l/ b' F! CThis service just checks a flag.
) h0 D% ^4 }- G+ {! V. j6 Z/ C! i</PRE></TD></TR></TBODY></TABLE> |