<TABLE width=500>0 C( p D9 H; s4 t) K* M
<TBODY>
$ U0 t, z( k( b: ~7 h/ Z3 c0 D<TR>5 y: ]; J5 B& w8 C; V: |
<TD><PRE>Method 01
6 t7 o; d5 J0 D- C4 F=========
. o# s* T9 M- h! d
: v$ @! J V0 b, X; kThis method of detection of SoftICE (as well as the following one) is
2 M7 U8 f9 F0 J5 ^9 [; mused by the majority of packers/encryptors found on Internet./ S' r8 C+ v' I$ X
It seeks the signature of BoundsChecker in SoftICE
" A0 b" |+ N- [
7 ?( ~# t% I+ G f mov ebp, 04243484Bh ; 'BCHK'
' U- S/ @8 N. w: I. v7 ^ mov ax, 04h; k; x5 x8 a1 i# w& O4 A
int 3 4 b# u! {8 ~& c* k, J
cmp al,4
' }* |5 z; c D0 B5 L9 s$ l jnz SoftICE_Detected
. _, l) z: M7 V" Y* N; S# V. z. S% m2 `1 o" z1 S" @- G
___________________________________________________________________________
3 k9 j2 h& h. g- c' W0 u: _' G. w. ~2 K. W% N, E
Method 02$ d" x$ p4 Q* D
=========5 P" w a- w. r2 Z7 s9 L8 t8 H# S: g
- g2 F* D) V7 s x, D! M4 y4 kStill a method very much used (perhaps the most frequent one). It is used* R# K! k% S: p9 z' V( _; P2 @
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; N+ O/ a1 D- w1 s" Y1 Y5 c" k
or execute SoftICE commands...
Y: e$ F/ Z! S& a* W8 w, xIt is also used to crash SoftICE and to force it to execute any commands: F: C$ }, E! R4 R
(HBOOT...) :-(( & {. G( i+ I' o2 b% z% O
% p7 U3 I: @) Q7 ]Here is a quick description:
. F! p+ ^; f0 _( h6 A% L-AX = 0910h (Display string in SIce windows)
2 K3 E+ w, x* P" U$ v-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
2 T, `2 h! A8 Y" [$ G1 I-AX = 0912h (Get breakpoint infos)0 y5 f3 B j" R: j
-AX = 0913h (Set Sice breakpoints)
! K; L& Y+ [9 } y/ M6 g( o-AX = 0914h (Remove SIce breakoints)! z+ G n! W- h. ~! S
8 d. B$ N+ l7 J
Each time you'll meet this trick, you'll see:2 Z0 O! A% U2 J. z/ \; @& v
-SI = 4647h
% ^, ~+ f w% D& U! d9 `" s7 s5 O# E-DI = 4A4Dh: G6 P" O# O$ B" a6 g2 f! G' [7 I
Which are the 'magic values' used by SoftIce.- F5 D& Q' N9 b' p9 k. u
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.$ ^6 {5 t3 e9 Q9 K
; F- A7 D# u; U+ R3 X/ O/ {
Here is one example from the file "Haspinst.exe" which is the dongle HASP- s+ k: a- ?, O5 E+ L9 ?& S
Envelope utility use to protect DOS applications:
, h! c' R- L- L; c, T( L7 U8 F$ S \/ @% `
4 W( O) a+ @6 u4C19:0095 MOV AX,0911 ; execute command.2 x# ^6 Q. g9 X$ I% Z# T7 n! N
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
6 T0 G1 a: o( ^) i& V1 T4C19:009A MOV SI,4647 ; 1st magic value.1 Y) U' I# o3 D; @0 O2 ~. n/ H
4C19:009D MOV DI,4A4D ; 2nd magic value.
+ d. @$ A. }8 [! I; N4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) L& k3 o( |, q( d, s- q
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute9 c& C- X6 L5 E' Q* ~& q# ?, e
4C19:00A4 INC CX
- S7 M. _5 B' J) Q4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
7 ]4 b7 Z0 r1 J _; f1 Z4C19:00A8 JB 0095 ; 6 different commands.
, P k2 b. u* W! a d# J, S# \4C19:00AA JMP 0002 ; Bad_Guy jmp back.
9 H4 l f5 O" l3 D. e: B5 G/ {4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
7 G2 G6 O7 u; ~4 Q9 @) z' { d) T! s
The program will execute 6 different SIce commands located at ds:dx, which
& t# c0 \2 ]- Q* g$ ]" hare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) ^$ z: L X* H' g! s( K' Q/ ~ r" F1 A* C2 N* O5 u7 T
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.4 ?8 `- B I8 K* n7 f7 ~: j9 v
___________________________________________________________________________
9 _1 G7 W) T! e% i$ q9 ^# t; U2 }( `1 ]6 L
. x) L! m# B! {5 z) r8 |# d
Method 03
/ g- H# `; _7 X3 F8 |=========
9 a/ N8 o9 s9 a3 X
6 Q5 q" f C0 @, LLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h2 l" p4 G4 [' H: g- [, k4 H4 n* o
(API Get entry point)
- z! [+ f2 D' B2 a. b* g, _ ( ^' _8 s6 L9 f l3 T: Y! b6 Q
) P2 n+ t% Q; f& O xor di,di
1 r2 ]' g4 Q4 S8 [' r# @ mov es,di
' |( [* ^/ u6 V) j& y$ I mov ax, 1684h
6 Q4 z$ g+ v" \6 f1 k9 b- O mov bx, 0202h ; VxD ID of winice
) @' ?2 o2 y* q$ ]1 B3 O int 2Fh
% O H9 }& m4 K mov ax, es ; ES:DI -> VxD API entry point
& O/ s5 H# ]: y- }2 z/ s add ax, di
# h, u% f9 f2 X( f test ax,ax# u8 N N& a; l
jnz SoftICE_Detected
9 a4 `9 M7 P* x* U& B) c6 g' [4 B0 `( h, M& V
___________________________________________________________________________
! {! \5 D5 {! b9 u0 e. U0 X; C m' o6 t, V- C; c
Method 045 ~% k8 R6 R. h# c, U% k
=========
5 B' [3 I4 k, _& r! [0 C( d, D# s$ z
Method identical to the preceding one except that it seeks the ID of SoftICE
3 \9 S. Q' K) g/ g9 J9 _GFX VxD.
! a4 f1 t% S. v
7 u/ f% ?. ]6 Q, f( i% C" o xor di,di# }3 x. K# e5 }, p& e$ N
mov es,di; C0 E8 {5 n, [$ ?7 l
mov ax, 1684h
1 b" P' T. d& G mov bx, 7a5Fh ; VxD ID of SIWVID; p) j( |: G" j# q, S1 P2 q
int 2fh$ {9 R |9 X# i
mov ax, es ; ES:DI -> VxD API entry point. M e3 W. Q: t; f6 d4 }3 j& `
add ax, di4 j6 R4 p) L; W# X% J! b( {) {
test ax,ax
1 c* e7 j7 v+ `5 A3 r9 w O( X# z jnz SoftICE_Detected
" d7 D) u$ K4 h! m# C6 i! G# G0 B0 D3 w; H
__________________________________________________________________________ V6 k* @7 m* s9 C- W+ J. r( Z2 Q
- ^$ |! p% D3 }( r: _( n
( @2 Q( s. Z1 ^' L# o3 D
Method 056 y3 q* D' T! x; ^& i; e1 g. U
=========4 \. H4 L! }; f9 o/ t
7 z$ K9 v5 D% f Z4 P: d8 IMethod seeking the 'magic number' 0F386h returned (in ax) by all system
7 @1 N5 `& H, l4 D# Kdebugger. It calls the int 41h, function 4Fh.
1 W3 ]" G2 k6 g oThere are several alternatives.
0 Z% X( u' E- ]5 I- @
' Q. r r; C% QThe following one is the simplest:& H! k" c2 k' {
0 U- |7 n5 V# V6 d; x8 ? mov ax,4fh" b1 l! b1 q4 b# u, e
int 41h9 Q! x' |" j- H; K, w
cmp ax, 0F386$ V3 i& c# K6 i8 Y+ N0 _4 y" c
jz SoftICE_detected
4 ^# f$ l. M1 g/ I- p1 T0 \! Z4 b- \
( ~/ @0 }6 y$ r. q; b$ ?* XNext method as well as the following one are 2 examples from Stone's
1 O; F+ y R `9 u* S/ L& Y"stn-wid.zip" (www.cracking.net):
& t8 \: ?* v2 G* a& Q$ ~3 u! l% w" s- w7 k6 P
mov bx, cs
* |% v$ p8 [' f2 N& f lea dx, int41handler2$ V- X7 E5 h& o' u- w1 R6 ]1 I
xchg dx, es:[41h*4]$ d0 j9 T: c7 S2 p, F7 w4 S+ k2 e
xchg bx, es:[41h*4+2]6 u( x8 t9 {7 g8 ^/ h8 S
mov ax,4fh8 ]* \2 @0 w7 Y1 a8 L
int 41h" c* |3 D% @1 r$ z5 z, N; k q/ N
xchg dx, es:[41h*4]
: ~' M4 e0 {9 l; x4 y* J xchg bx, es:[41h*4+2]
! W+ h( O. Z& Y( @: ]: a8 U cmp ax, 0f386h
4 o* s3 a; I$ Q jz SoftICE_detected
7 Z7 Z; R: t4 Z2 j; K& W
6 e% M* c4 Y0 m; Zint41handler2 PROC5 M1 J, {# O0 C; T& X8 ]( l* `6 r
iret6 [2 V) v/ \3 N$ @8 S
int41handler2 ENDP9 I |/ |+ A0 t' m ?
2 g$ m; H2 M! v1 c% C
. e9 V7 ^- m' i6 Y1 b& B7 h
_________________________________________________________________________
, i" [; H6 o; t7 m' M: U
) I7 r G+ d- i/ _5 p0 T" K
B, ?$ g9 s2 X. N j$ ^Method 06
" y1 i3 M$ V2 f' K: B=========
5 b3 a) a7 I( ~; D3 K _5 I: c" e) g. f9 ~3 _/ i) j! U
9 ?8 D. r" x" A8 s/ b( {( k0 x
2nd method similar to the preceding one but more difficult to detect:
. m$ ^6 x8 Z! z" \, x6 e+ ]* x% I B6 V0 W Q( I; P' h+ F& F
7 ~; b' r+ R; j3 j/ G% ^) Tint41handler PROC
: \5 P z2 V4 E: @& ~- W mov cl,al
8 k2 z6 g% b& ?7 u B0 \ iret
; Y5 I4 l9 G7 [- z" M. Y# Nint41handler ENDP
9 v+ O: E8 j! C1 e$ p$ ^
3 r2 J, V$ c& ~) X) v6 L5 A5 \6 c: [" W M4 {
xor ax,ax
: C. [: i! I Y+ h& o1 Q mov es,ax" `6 G; T0 I- M9 O7 c8 L+ L! M1 @
mov bx, cs
/ p' q: q" W# e& k) c4 Y- o lea dx, int41handler, m: D+ P' H% [/ t7 j" t
xchg dx, es:[41h*4]
) v, e9 o p/ I7 n# L& e+ V- V3 s xchg bx, es:[41h*4+2]0 a3 ^+ [- ~: Y$ O+ y; n5 ^
in al, 40h7 \, B" O4 K' F" M7 i, G ?+ ?
xor cx,cx
* L5 X8 I: n: `- [$ M2 h' c int 41h9 F; ^0 s" v+ D- `
xchg dx, es:[41h*4]. R( ?1 R3 ^: a2 @
xchg bx, es:[41h*4+2]1 f1 O+ U, I3 H+ L& p2 c
cmp cl,al& L6 A) k) N1 U1 }( q% o
jnz SoftICE_detected
9 C2 r# K" G6 ]0 h! `
9 e. A: r# n' Y |" }_________________________________________________________________________
: u( R# K) l; L. S
! U W+ G& @) X! f* q6 v5 b- FMethod 07
3 q+ f+ D. }2 z=========
' a/ d! F' t& q1 s0 a1 b/ Z) a
* r6 g: N0 o* D# mMethod of detection of the WinICE handler in the int68h (V86)
; H. U. C; N# Z r0 r7 [9 }$ _' [" M2 |* L
mov ah,43h
4 r1 F5 l% ^' k+ v K int 68h- Z# M7 Z, \& J
cmp ax,0F386h% `/ h; u# q. r1 H
jz SoftICE_Detected
: k# z; T$ R Q1 |% H7 g: ^1 t' m5 F0 T& X
. N+ Z5 I) Y! [& C5 F: T=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
& [5 `' c+ H, C8 l% C, e app like this:* J$ U$ `) Q1 e7 J/ v" U. S
/ y) F$ y& T [
BPX exec_int if ax==68
" a2 p! Z! R# E2 m. u (function called is located at byte ptr [ebp+1Dh] and client eip is1 g7 N v' k9 y+ U7 g" C4 s# _
located at [ebp+48h] for 32Bit apps)
) E! v9 o! U2 ^( G, M$ {2 A__________________________________________________________________________3 u: s+ i {( s
+ _, m0 f8 `, ?/ v
2 N3 r" h# @- H! x5 L% A# W& R U
Method 08
4 v1 i% D# C: I" t0 ^=========
* I m6 c% {% L3 d' G
# i" G- L+ i' ^2 B; ~1 bIt is not a method of detection of SoftICE but a possibility to crash the' `2 p l4 @7 b X) @$ ~, y3 L8 Z
system by intercepting int 01h and int 03h and redirecting them to another( Y. W! |+ G& `
routine.$ D% ?1 R2 {0 L6 @# t6 [& V: K$ _
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) t1 }4 H J; T2 o' U% P6 F
to the new routine to execute (hangs computer...); _8 R+ W5 s8 z$ e
! G6 _9 U8 Z( W
mov ah, 25h( _& _2 W9 }# V, x# W
mov al, Int_Number (01h or 03h)
% \$ D8 g8 E2 @. k1 }& o8 m4 ]( K mov dx, offset New_Int_Routine% G" A( i) f' Y
int 21h( s0 G& g0 M, b% c1 n
( L1 e0 J7 i; O% B) z! U2 ^
__________________________________________________________________________+ `& N5 \% M. `- ~
# N% @+ \0 V P$ ~# t* S& VMethod 09
3 e& U7 Y+ d0 l=========) O, Y2 {" q% {7 Z. g* K
% X; Z- i/ V, P% w2 T& N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
/ M' t# I. S, Dperformed in ring0 (VxD or a ring3 app using the VxdCall).
' m& R2 z/ Z) q! Z: aThe Get_DDB service is used to determine whether or not a VxD is installed: q* c5 n9 w+ T4 W
for the specified device and returns a Device Description Block (in ecx) for. R) y3 Q4 P+ j2 u
that device if it is installed.& i2 r, |8 [' S& {( P
- P6 W- u6 ^) ~9 b+ ?' M* B mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 G% [# U0 ?0 v8 ~: ?# } mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)0 A2 e6 B+ }+ T& i( | i4 B! g1 G
VMMCall Get_DDB+ F+ f# _9 ~" ?2 u+ f
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed5 V4 R, }7 h+ g) x
) |' a3 h5 X, Q' ^
Note as well that you can easily detect this method with SoftICE:
! C; z/ l/ X+ ~" C! ` bpx Get_DDB if ax==0202 || ax==7a5fh" J ~/ A/ f% x# }5 z
. k/ @& P5 _9 X8 c0 j__________________________________________________________________________2 v; ^1 E% c) O/ A3 d
& M. {# _0 T/ h- c( U7 hMethod 104 X$ b( R5 E3 S; w
=========
6 B& ^; [. }9 V: x) r J. G+ W( k3 R2 G* r" {3 x' S! a( w. J. M# k- n- [! T
=>Disable or clear breakpoints before using this feature. DO NOT trace with1 f, a, S8 \5 p0 I$ c1 g
SoftICE while the option is enable!!4 s) y- g' J3 j
* L* T4 v6 _, a0 w/ v# V
This trick is very efficient:
& T8 n6 q6 E0 E$ @/ u6 {by checking the Debug Registers, you can detect if SoftICE is loaded
0 X! y( X# m" S; [% r(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% o3 O7 r( O1 S8 i$ U0 x
there are some memory breakpoints set (dr0 to dr3) simply by reading their0 d1 r, R {: a/ b
value (in ring0 only). Values can be manipulated and or changed as well
e" b1 A- m3 I6 {* P- f(clearing BPMs for instance) f* S2 T9 j4 }) L( g2 t
3 [3 Z. t3 l8 l__________________________________________________________________________. u1 z! _' ]2 S0 ]! J; q
4 d2 p) \! `; W3 y- ]4 ^
Method 110 _, S: ^6 @3 m: \8 N
=========" D* n+ I0 [& B& [5 t# y( e
6 W0 D2 _8 P( W DThis method is most known as 'MeltICE' because it has been freely distributed
& A; S) ?2 s% a# dvia www.winfiles.com. However it was first used by NuMega people to allow
5 d: X( B$ T1 Z, eSymbol Loader to check if SoftICE was active or not (the code is located! m/ t) U1 h- @( | l4 g
inside nmtrans.dll)." C |( ^2 J+ y3 q# m4 A
1 D5 p. Y6 }5 @* l, tThe way it works is very simple:
6 J% e1 r8 q6 n4 T7 Y. L aIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# V1 v" l6 C' N# D. rWinNT) with the CreateFileA API.
2 j; Y/ { L3 N$ ^" E# h6 j S/ I3 k' j
Here is a sample (checking for 'SICE'):
k1 q5 I: r( X5 `/ R
- x' K: f8 O% L- ?( eBOOL IsSoftIce95Loaded()9 ] E# S5 `- V0 Q& z* A) y8 h2 D
{
( L) d4 R& a4 P! l) o# ]7 y& x HANDLE hFile;
9 l! |& K9 X8 ]) W hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& D/ y" O8 k8 `' v/ c0 W6 {
FILE_SHARE_READ | FILE_SHARE_WRITE,7 n! u( t# M1 [5 l2 R9 s% g
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);- V, d; R' f: l9 E( J- u+ ^) j' [% }
if( hFile != INVALID_HANDLE_VALUE )) V, K( G8 R9 o
{0 j+ M" [ \+ g, N' Q9 C. z, l6 }
CloseHandle(hFile);
) L2 n5 \9 ]: g. A7 f. a return TRUE;) c. Z8 [# \. c& L, X
}3 ~4 }+ V0 x( \: x: C' N% t" m
return FALSE;. U* H! T: g1 I; ?2 z: e
}
7 s1 D$ x w# V% a! t+ Y' k' H
4 w a0 R* Y9 m" m1 [Although this trick calls the CreateFileA function, don't even expect to be8 X. K. e# a' {6 \2 {
able to intercept it by installing a IFS hook: it will not work, no way!
% x, Q; \- T( H* q* a( q+ ]0 YIn fact, after the call to CreateFileA it will get through VWIN32 0x001F4 l5 w# I& g) x; N$ H. f: \
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' P8 H9 c- x' @+ P
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
/ ^% i6 X, n3 Z; a5 q/ vfield.3 w3 x( }$ ?+ k) l+ c
In fact, its purpose is not to load/unload VxDs but only to send a
* Q2 t9 F9 I, T. c6 e: IW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
( e4 U- X3 k# j. \ [4 lto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 S3 y$ k# j3 m! w; S6 @( |to load/unload a non-dynamically loadable driver such as SoftICE ;-).; e/ s: q9 M, ], ^ T) Y* ~
If the VxD is loaded, it will always clear eax and the Carry flag to allow% H6 q) I" ^; H
its handle to be opened and then, will be detected.% A* ?; L" X& Q) W5 X$ \$ L
You can check that simply by hooking Winice.exe control proc entry point1 l" z# V7 Y& u, T
while running MeltICE.
# e- R- C T+ P$ W' b+ |
0 A8 e" T0 o* S# R$ M" t! Y7 f+ U7 U& O7 r6 G
00401067: push 00402025 ; \\.\SICE
" d/ Q6 L6 @" Z9 B1 A 0040106C: call CreateFileA
! X* g$ o; w" |& `# K5 D 00401071: cmp eax,-001
7 v: W& t2 P2 x 00401074: je 00401091
! S; k& ?- A+ R8 g9 \* ?/ d) Z' o$ Q; @; Z2 R8 G* [
1 l* l- c+ z# e) h3 q' \
There could be hundreds of BPX you could use to detect this trick.( k, T) V2 W& f
-The most classical one is:
; u6 T* W. a' c; s BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
7 m0 s- }9 e3 f *(esp->4+4)=='NTIC'
+ R9 C0 p) F* C- k" K- E, V0 u4 R0 n! a" E( ^. y3 Z
-The most exotic ones (could be very slooooow :-(7 ~: E1 b' W! W7 v$ U$ y- m' ^* S
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
$ h6 R0 J- q* C" N7 Q1 u ;will break 3 times :-( _9 c( m& q, \& P( }
/ i2 [( ^: h4 k* b) F- c7 z-or (a bit) faster: & C! L+ ]. X2 [9 e' ?* {* o
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
8 S2 h5 _% p* V* x5 e: d8 l5 e% ^7 v
! h& e4 g9 C$ i8 M. P BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
7 v2 b3 u2 M5 h, h* _# {/ z ;will break 3 times :-(' Y) X4 W: ~8 v( |7 m
7 k t! A, x; \+ x# r- B: A-Much faster:1 M8 b$ S/ x. k* Q" f
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'+ d& P4 D9 ~1 N) x
8 A4 m" \4 k) ~0 y( z& |
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen" H4 i7 |% P. O R
function to do the same job:6 ~; t2 |0 p2 Z" B" M. ]- @! \- h
, s/ E& g" {4 h5 G; y h
push 00 ; OF_READ9 ^/ C) E' ~8 D3 C2 l
mov eax,[00656634] ; '\\.\SICE',04 {9 R8 r! P* w
push eax
/ x6 |' m7 `" r- A' Z! j! S4 D call KERNEL32!_lopen
* k! S5 y5 V* H) U0 I/ m+ o2 f/ [ inc eax
$ q q [+ M( n6 v6 \ jnz 00650589 ; detected- `; w" v) C4 V0 H( [1 Y
push 00 ; OF_READ
2 K" F( s- i# R0 ~* A! b1 P mov eax,[00656638] ; '\\.\SICE'
8 ~* ^( S7 j& Q z. C: f8 z push eax1 N, N5 T- y% |6 h% ]
call KERNEL32!_lopen
7 y5 q. T/ z, X0 w( b( ] inc eax9 p1 [% Y5 u2 S5 P
jz 006505ae ; not detected
" M. i+ Z3 Y6 t# C; `* b, O% @. q9 ]
& w- ]9 p+ T5 ~, d1 {
__________________________________________________________________________1 D0 ^7 P6 x6 L2 ]! v4 O
]2 d# N7 f5 w. z3 J- w/ H
Method 12
e5 m+ c' Q5 [9 |3 A3 q=========
$ g# h- B- C, ?6 l! g3 ^4 a5 n
( X% T- n; r0 p: f( q7 BThis trick is similar to int41h/4fh Debugger installation check (code 05
6 p$ }0 F8 F3 I- [) y1 l$ D& 06) but very limited because it's only available for Win95/98 (not NT)8 e# G/ l- r9 M6 Q
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ j9 h- K$ V1 T/ ~3 u, O- m# l! |1 f
/ c/ H- [9 e( \
push 0000004fh ; function 4fh
5 s4 B. L% E5 r push 002a002ah ; high word specifies which VxD (VWIN32)
* B: H) t) q7 [- U/ S+ t ; low word specifies which service% h2 A: A* C* u8 c ^
(VWIN32_Int41Dispatch)2 i6 h) j8 k' J3 L \! r
call Kernel32!ORD_001 ; VxdCall
7 i2 `( I1 J% u cmp ax, 0f386h ; magic number returned by system debuggers5 ?7 I! ]1 r. {# ~. `8 M m9 d
jz SoftICE_detected8 G1 `! ^/ W/ n% W, _
0 V$ U; b$ }6 ^' n/ B% t% V W7 kHere again, several ways to detect it:
- g; |% R" {* z4 s2 Y/ p {3 R2 P
BPINT 41 if ax==4f
! Q- H/ |* Y5 l4 E' ]: i, { ?* g+ l) \* U
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
8 H! D; X4 e- U5 |1 C, @7 K* i( {, c S% y
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A1 m: z. I0 A, ^
7 Z* \, f6 B( g- y
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
" ~; r- Z$ _" I2 V1 `7 `+ c9 L5 p) j0 k6 Y6 x q% y. u/ e' F
__________________________________________________________________________
$ w: [9 `8 O0 Q+ @/ i6 }; p( Q( e+ \# Y2 R
Method 13
) o2 v5 y6 A2 p/ P( Y=========, X6 M1 g) V* w: D* L
" W t* Q; V1 _0 l# \Not a real method of detection, but a good way to know if SoftICE is
0 a0 V; d8 c9 Finstalled on a computer and to locate its installation directory.
4 B+ ^( Y( v, R [% `! YIt is used by few softs which access the following registry keys (usually #2) :
9 r! K9 `; A; o6 v7 x! _! y: s( o
5 T: C8 S6 ]' X( k D-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: I# K0 Z) k+ i+ ? U5 X# i/ X2 z$ d\Uninstall\SoftICE. `" I5 w N( }8 C1 q" S6 p
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
5 k' R+ s& J& v-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion4 w* n2 `- `$ ?6 ?( ?: b
\App Paths\Loader32.Exe
# n8 I% R4 R3 T
" J: R6 f1 j: H! K
2 `$ q8 M s5 U V( M" w; T9 ?- |Note that some nasty apps could then erase all files from SoftICE directory& ?/ M/ V$ e, N3 `8 @$ w2 L
(I faced that once :-(5 t5 i# M @) @8 l* S9 y
7 o) m$ }9 Q+ g
Useful breakpoint to detect it:# [3 `) j6 ?0 D( [/ w' D" _
' v" s# T1 }/ X3 m7 z BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'3 k: E0 o |5 ~) Z$ Z
8 |' Z. Q8 T/ D% y# i' t$ x! C2 v4 Y
__________________________________________________________________________
- D* Q: o$ P6 P m
0 d: N/ d9 D; ?8 j; s2 q
0 |3 B3 I \1 ?3 [/ i; xMethod 14 & _+ q' b7 I" y8 T# Z5 |
=========7 }$ [* Z: i/ b3 [; R* |( M
3 V, p5 {9 C5 B: y' z* L, c* SA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
& q: \2 M0 f* F7 U/ G3 n% eis to determines whether a debugger is running on your system (ring0 only).
/ p4 w) d5 z* e% ]4 U6 Z5 A$ \' d
VMMCall Test_Debug_Installed5 N) J" s2 v& V" J+ N% X
je not_installed; ^/ ~. q9 G" o. I3 Q' [
4 K; J: g4 u' A5 E0 T4 k; FThis service just checks a flag.
* c' U. Z0 Y4 w) C, \7 Q. \5 K</PRE></TD></TR></TBODY></TABLE> |