<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE: EBP is loaded
with the bytes 42h 43h 48h 4Bh ('BCHK') and AX with 4, then an int 3 is
issued. Without SoftICE the int 3 returns with AL untouched (still 4);
when SoftICE answers the BoundsChecker query, AL comes back changed.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give infos on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands (BX walks a table of
near pointers to the command strings, each one loaded into DX), which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler (SEH) set up by
the program, taken when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI comes back
unchanged (0:0).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

Note that the ADD wraps at 16 bits, so ES+DI can be zero even when the entry
point is not 0:0; 'or ax,di' would be the exact test for a non-null ES:DI.

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
plain IRET, so nothing in the real-mode vector chain can answer the call:
if AX still comes back as 0F386h, the interrupt was handled below the IVT,
by a ring-0 debugger. ES must address segment 0 (the IVT) for the xchg, as
Method 06 does explicitly:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in the dummy handler, keep the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
4Fh goes through int 41h. A pseudo-random byte is read from the timer
(port 40h) into AL and CX is cleared; the temporary handler copies AL to
CL. If the int 41h reached the handler, CL == AL afterwards; if SoftICE
handled the interrupt itself instead of passing it on, CL is still 0 and
the program knows. (If the timer byte happens to be 0 the check gives a
false negative, which the trick accepts.)


int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86). Function 43h
returns the same 0F386h magic number as int 41h/4Fh:

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.
 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
Bit 10 of DR7 is reserved and always reads as 1, which is why an idle DR7
reads 0x400; the 0x700 value adds the LE and GE bits (8 and 9). A BPM shows
up as one of the L0-L3/G0-G3 enable bits in the low byte of DR7, with its
type (RW) and length (LEN) fields in the high word.

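As an added example (not from the original text, nor SoftICE's own code),
here is a small C program that decodes a DR7 value into the per-slot fields a
ring-0 check would look at, flags a "touched" DR7 the way the 0x700/0x400
comparison does, and shows what clearing BPMs means at the bit level. The
DR7 sample values are constructed for the demo and the names dr7_decode,
dr7_touched, dr7_arm and dr7_disarm are this example's own.

```c
/* Added example, not part of the original text: decode an x86 DR7 value the
 * way a ring-0 check like Method 10 would have to, and show what "clearing
 * BPMs" means at the bit level. Sample DR7 values are constructed here; the
 * field layout is the architectural one (Intel SDM vol. 3, Debug Registers). */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE          (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE          (1u << 9)   /* global exact breakpoint enable */
#define DR7_RESERVED1   (1u << 10)  /* reserved, always reads as 1    */
#define DR7_ENABLE_MASK 0xFFu       /* L0,G0 ... L3,G3                */

struct hwbp {
    int local;   /* L<n>: armed for the current task */
    int global;  /* G<n>: armed for every task       */
    int rw;      /* 0 exec, 1 write, 2 I/O (CR4.DE), 3 read/write */
    int len;     /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 bytes (64-bit) */
};

/* Split dr7 into the four breakpoint slots; returns how many are armed. */
int dr7_decode(uint32_t dr7, struct hwbp bp[4])
{
    int armed = 0;
    for (int n = 0; n < 4; n++) {
        bp[n].local  = (dr7 >> (2 * n))      & 1;
        bp[n].global = (dr7 >> (2 * n + 1))  & 1;
        bp[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        bp[n].len    = (dr7 >> (18 + 4 * n)) & 3;
        if (bp[n].local || bp[n].global)
            armed++;
    }
    return armed;
}

/* Method 10's heuristic: any bit other than the always-set reserved one
 * means a debugger has been at the register (0x700 vs an idle 0x400). */
int dr7_touched(uint32_t dr7)
{
    return (dr7 & ~DR7_RESERVED1) != 0;
}

/* "Clearing BPMs": drop every L/G enable bit; LE/GE and the RW/LEN fields
 * are left alone, so the debugger's own settings still decode. */
uint32_t dr7_disarm(uint32_t dr7)
{
    return dr7 & ~DR7_ENABLE_MASK;
}

/* Arm slot n with the given enable scope, type and length (inverse of decode). */
uint32_t dr7_arm(uint32_t dr7, int n, int global, int rw, int len)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (uint32_t)(rw & 3) << (16 + 4 * n);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * n);
    return dr7;
}

static void dr7_print(const char *label, uint32_t dr7)
{
    static const char *const rw_name[]  = { "exec", "write", "io", "read/write" };
    static const char *const len_name[] = { "1", "2", "8", "4" };
    struct hwbp bp[4];
    int armed = dr7_decode(dr7, bp);
    printf("%-9s DR7=%08x touched=%d LE=%d GE=%d armed=%d\n", label,
           (unsigned)dr7, dr7_touched(dr7), !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), armed);
    for (int n = 0; n < 4; n++)
        if (bp[n].local || bp[n].global)
            printf("  DR%d: %s %s-byte %s\n", n, bp[n].global ? "global" : "local",
                   len_name[bp[n].len], rw_name[bp[n].rw]);
}

int main(void)
{
    /* constructed samples: the two values quoted in the text, then the same
     * register with a 4-byte read/write BPM armed on DR0 */
    uint32_t idle   = 0x400;
    uint32_t loader = 0x700;
    uint32_t bpm    = dr7_arm(loader, 0, 0, 3, 3);
    dr7_print("idle", idle);
    dr7_print("loader", loader);
    dr7_print("bpm", bpm);
    dr7_print("disarmed", dr7_disarm(bpm));
    return 0;
}
```

Reading DR7 on a modern OS from user mode faults, exactly as the text says
(ring0 only); the decoder is meant for values obtained from a driver, a crash
dump or a hypervisor, and the same bit layout applies to a BPM set by any
hardware-breakpoint debugger, not just SoftICE.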
__________________________________________________________________________
" B, [% a* m3 j( E* c
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. SoftICE/95 is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName, +4 skips the "\\.\"
 device prefix):
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 is the offset of
'tICE' in "Software\NuMega\SoftICE" and 0x37 its offset in the Uninstall
key path, so this catches #1 and #2 but not #3):
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________. ]. Q; t I% |& v6 S

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>