<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; SoftICE changes al when it answers the BCHK call
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to issue SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES must be 0 (IVT segment); set here as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; the dummy handler leaves ax untouched, so only a
                            ; resident debugger can return 0F386h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al               ; our handler just echoes al into cl
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; a value that cannot be predicted (timer port)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl == al only if our handler really ran
    jnz SoftICE_detected    ; otherwise the debugger swallowed the interrupt
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
& P% { |9 z. G" X9 ?4 z9 y) O- G! R* F; [+ g* m
Method 08! u* d( D" w% |
=========6 l5 O. ~2 n" s; V o( m/ X0 u
9 w8 ^6 a3 ` C2 d _5 h. H0 F
It is not a method of detection of SoftICE but a possibility to crash the
8 Z/ i a2 k6 k% |% Esystem by intercepting int 01h and int 03h and redirecting them to another" J8 M1 @+ n. B9 [& ?) r
routine., V. Q: O+ d7 n* r) W
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 B! G6 Z1 H7 S( U
to the new routine to execute (hangs computer...)
1 E( j' l% p# h- t0 S2 X8 c) @4 B \. f) |% T
mov ah, 25h* k) M4 [* l% X( M1 ^
mov al, Int_Number (01h or 03h)9 q j) P& B! I
mov dx, offset New_Int_Routine
( E; o/ L# r% z1 F# @5 h; i; S3 I int 21h
# \/ P! D; ^& Y2 C+ W) S/ O% e
8 k% `5 s( [% y( n. l__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
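As an added example (not part of the original text), here is how the debug-register read described in Method 10 decodes: the DR7 bit layout follows the Intel manual, and the 0x700 / 0x400 values quoted for the SoftICE loader differ only in the LE and GE bits. The register values fed in are constructed.

```python
# Added example, not from the original text: decode DR7/DR0-DR3 the way a
# ring0 check in Method 10 reads them. Layout (Intel SDM, Debug Control
# Register): bits 0-7 are L0/G0 .. L3/G3 (local/global enable per slot),
# bit 8 LE, bit 9 GE, bit 10 reserved and always read as 1, bit 13 GD,
# bits 16+4n/17+4n R/Wn, bits 18+4n/19+4n LENn. DR0-DR3 hold the addresses.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) exists only in long mode

def decode_dr7(dr7):
    """Split a DR7 value into its named fields."""
    slots = []
    for n in range(4):
        slots.append({
            "local":  bool((dr7 >> (2 * n)) & 1),
            "global": bool((dr7 >> (2 * n + 1)) & 1),
            "rw":     RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
            "len":    LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "slots": slots}

def armed_breakpoints(dr0_3, dr7):
    """List (slot, address, type, length) for every enabled hardware
    breakpoint, i.e. what the page calls 'memory breakpoints set (dr0 to dr3)'."""
    f = decode_dr7(dr7)
    return [(n, dr0_3[n], s["rw"], s["len"])
            for n, s in enumerate(f["slots"]) if s["local"] or s["global"]]

def loader_flags_set(dr7):
    """The page gives dr7 == 0x700 under the SoftICE loader and 0x400 otherwise.
    The difference is exactly LE and GE (bits 8 and 9); bit 10 is always 1."""
    f = decode_dr7(dr7)
    return f["LE"] and f["GE"]

if __name__ == "__main__":
    # constructed values: loader-style DR7, then one 4-byte read/write BPM in slot 0
    print(loader_flags_set(0x700), loader_flags_set(0x400))
    print(armed_breakpoints([0x401000, 0, 0, 0], 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)))
```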

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the device name can only be opened if the SICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
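As an added example that is not part of the original text: a static scanner that looks for the byte encodings of the instruction sequences quoted in Methods 01 to 05 and 12, and the device names of Method 11, so an analyst can flag a DOS/Win9x binary carrying these checks without running it. The patterns assume 16-bit code for Methods 02 to 05 and 32-bit code for Methods 01 and 12; the sample blob is constructed.

```python
import re

# Added example, not from the original text. Signatures derived from the
# instruction sequences quoted on this page (assumed encodings: 16-bit code
# for Methods 02-05, 32-bit for 01 and 12). ".{0,n}" tolerates a few
# unrelated bytes between the key instructions.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42.{0,6}\xCC"),                 # mov ebp,4243484Bh .. int 3
    ("02", "int 3 back door, SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,6}\xBF\x4D\x4A.{0,6}\xCC"),       # mov si; mov di .. int 3
    ("03", "int 2Fh/1684h for VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,6}\xBB\x02\x02.{0,6}\xCD\x2F"),   # mov ax,1684h; mov bx; int 2Fh
    ("04", "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,6}\xBB\x5F\x7A.{0,6}\xCD\x2F"),
    ("05", "int 41h/4Fh, magic value 0F386h",
     rb"\xB8\x4F\x00.{0,12}\xCD\x41.{0,12}\x3D\x86\xF3"), # mov ax,4Fh; int 41h; cmp ax
    ("11", "MeltICE device name",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),                # "\\.\SICE" etc., NUL-terminated
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F.{0,4}\x68\x2A\x00\x2A\x00"),             # push 4Fh; push 002A002Ah
]

def scan(blob):
    """Return [(method, description, offset), ...] sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in re.finditer(pat, blob, re.DOTALL):
            hits.append((method, desc, m.start()))
    return sorted(hits, key=lambda h: h[2])

def scan_file(path):
    """Scan a file on disk with the same signatures."""
    with open(path, "rb") as f:
        return scan(f.read())

# Constructed sample: the page's sequences glued together with filler bytes.
SAMPLE = (b"\x90\x90"                               # nop filler
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"         # Method 02 (offset 2)
          + b"\x33\xC0"                              # xor ax,ax filler
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"     # Method 05 (offset 11)
          + b"\\\\.\\SICE\x00"                       # Method 11 (offset 19)
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00")         # Method 12 (offset 28)

if __name__ == "__main__":
    for method, desc, off in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method} - {desc}")
```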

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed    ; ZF is set when no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>