<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the interface SoftICE exposes to BoundsChecker: an INT 3
issued with EBP = 'BCHK' and AX = 4 is serviced by SoftICE, which
modifies AL before returning. Without SoftICE the INT 3 is only a
breakpoint exception that the program's own handler must absorb, and
AL still holds 4 afterwards.

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4                ; AL unchanged: no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' commands through INT 3, which return information
on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires in SI and DI before it
honours the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler when no debugger services the interrupt. SoftICE absorbs the
  INT 3 and returns to 00A1, so the loop runs through all six commands
  up to HBOOT.

___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD with that ID is loaded, ES:DI
receives its API entry point; otherwise ES:DI keeps the zero the caller
set up.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax              ; still 0: VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh            ; VxD ID of SIWVID
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls int 41h, function 4Fh (the Windows "debugger
installation check").
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector in the IVT at a plain IRET (ES must be 0, as set up explicitly
in Method 06), so that only a debugger intercepting the interrupt before
it reaches the IVT, as SoftICE does, can still turn AX into 0F386h.
The vector is restored afterwards:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]          ; swap in our handler (ES = 0)
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]          ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to spot, since
neither 4Fh nor 0F386h appears in the code. The handler copies AL into
CL; AL is loaded with a value read from port 40h (the timer) and CX is
cleared before the call. If the program's own handler ran, CL equals AL
afterwards; if SoftICE handled the int 41h itself and did not pass it
on, CL is still 0.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                   ; pseudo-random value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

(A read of 0 from port 40h makes CL and AL equal either way, so the
check can miss about once in 256 runs.)

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
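Methods 01 to 07 all leave a recognisable instruction sequence in the executable: a constant loaded into a register, followed closely by the trapping interrupt. The scanner below is an added example, not code from this page or from any packer it cites. It matches those sequences on raw bytes with a look-back window before the INT and a look-ahead after it; the opcode encodings are the standard 16-bit ones (32-bit for the EBP load of Method 01), the window sizes are assumptions, and the sample buffer is constructed from the Haspinst.exe fragment of Method 02 plus a Method 03 and a Method 05 probe. It does not disassemble, so a constant that is computed instead of loaded with a MOV is missed.

```python
from typing import List, Tuple

# Raw x86 encodings of the instructions quoted in Methods 01-07 (16-bit code unless
# noted): mov r16, imm16 = B8+r iw; mov ebp, imm32 (32-bit code) = BD id;
# mov ah, imm8 = B4 ib; int 3 = CC; int imm8 = CD ib; cmp ax, imm16 = 3D iw.
# The two-byte "CD 03" form of int 3 is deliberately not matched here.
MOV_EBP_BCHK  = b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh  ('BCHK')
MOV_SI_FG     = b"\xBE\x47\x46"           # mov si, 4647h       ('FG')
MOV_DI_JM     = b"\xBF\x4D\x4A"           # mov di, 4A4Dh       ('JM')
MOV_AX_1684   = b"\xB8\x84\x16"           # mov ax, 1684h       (get VxD entry point)
MOV_BX_SICE   = b"\xBB\x02\x02"           # mov bx, 0202h       (SICE VxD ID)
MOV_BX_SIWVID = b"\xBB\x5F\x7A"           # mov bx, 7A5Fh       (SIWVID VxD ID)
MOV_AX_4F     = b"\xB8\x4F\x00"           # mov ax, 4Fh
MOV_AH_43     = b"\xB4\x43"               # mov ah, 43h
CMP_AX_F386   = b"\x3D\x86\xF3"           # cmp ax, 0F386h
INT3, INT2F, INT41, INT68 = b"\xCC", b"\xCD\x2F", b"\xCD\x41", b"\xCD\x68"

LOOKBACK = 24    # bytes inspected before the trapping instruction (assumption)
LOOKAHEAD = 16   # bytes inspected after it (assumption)

# (label, trapping instruction, must all precede it, must all follow it)
RULES = [
    ("M01 BoundsChecker 'BCHK' int 3",        INT3,  [MOV_EBP_BCHK],               []),
    ("M02 back door ('FG'/'JM') int 3",       INT3,  [MOV_SI_FG, MOV_DI_JM],       []),
    ("M03 int 2Fh/1684h, VxD ID 0202h",       INT2F, [MOV_AX_1684, MOV_BX_SICE],   []),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh",       INT2F, [MOV_AX_1684, MOV_BX_SIWVID], []),
    ("M05 int 41h/4Fh with 0F386h compare",   INT41, [MOV_AX_4F],                  [CMP_AX_F386]),
    ("M07 int 68h/43h with 0F386h compare",   INT68, [MOV_AH_43],                  [CMP_AX_F386]),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset of the trapping instruction, rule label) for every match."""
    hits = []
    for label, trap, before, after in RULES:
        pos = buf.find(trap)
        while pos >= 0:
            pre = buf[max(0, pos - LOOKBACK):pos]
            post = buf[pos + len(trap):pos + len(trap) + LOOKAHEAD]
            if all(b in pre for b in before) and all(a in post for a in after):
                hits.append((pos, label))
            pos = buf.find(trap, pos + 1)
    return sorted(hits)


# Constructed sample: the Haspinst.exe fragment from Method 02, a Method 03 probe
# and a Method 05 probe, separated by NOP sleds, followed by INT 3 padding that
# must not trigger anything.
NOPS = b"\x90" * 4
HASPINST = (b"\xB8\x11\x09"   # mov ax, 0911h
            b"\x8B\x17"       # mov dx, [bx]
            + MOV_SI_FG + MOV_DI_JM + INT3)
PROBE_2F = (b"\x33\xFF"       # xor di, di
            b"\x8E\xC7"       # mov es, di
            + MOV_AX_1684 + MOV_BX_SICE + INT2F)
PROBE_41 = MOV_AX_4F + INT41 + CMP_AX_F386 + b"\x74\x10"   # jz SoftICE_detected
SAMPLE = NOPS + HASPINST + NOPS + PROBE_2F + NOPS + PROBE_41 + INT3 * 4

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:06X}  {label}")
```

Run it as a script to list the hits, or call scan() on the bytes of a file. Method 06 is deliberately absent from the rule table: it carries no constant to key on, which is exactly why the text calls it harder to detect.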
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h (set interrupt vector) and 35h (get interrupt
vector); ds:dx points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only;
a MOV from DRx in ring 3 raises a general protection fault) you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3). The values can be manipulated or changed as well (clearing
BPMs, for instance).
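Decoding the DR7 value that the Method 10 check reads, as an added example (not code from the page): the bit layout is the IA-32 one, with the local/global enable bits for DR0 to DR3 in bits 0 to 7, LE and GE in bits 8 and 9 (the 0x300 that separates the 0x700 and 0x400 values above), GD in bit 13 and the R/W and LEN fields in bits 16 to 31. Reading DR7 itself needs ring 0 and is left out; the functions take the raw value. The clear_breakpoints helper is one way to do the "clearing BPMs" manipulation mentioned above and is an assumption, not the page's method.

```python
from typing import Dict, List

RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes, 64-bit mode only


def decode_dr7(dr7: int) -> Dict:
    """Split DR7 into the per-breakpoint fields and the global control bits."""
    slots: List[Dict] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)          # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)       # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11           # R/Wn: what kind of access traps
        ln = (dr7 >> (18 + 4 * i)) & 0b11           # LENn: width of the watched range
        slots.append({"dr": i, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"slots": slots,
            "le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1),
            "any_breakpoint": any(s["enabled"] for s in slots)}


def debugger_indicators(dr7: int) -> List[str]:
    """What the Method 10 check can conclude from DR7 alone."""
    d = decode_dr7(dr7)
    out = []
    armed = [f"DR{s['dr']} ({s['kind']}, {s['length']} byte)"
             for s in d["slots"] if s["enabled"]]
    if armed:
        out.append("hardware breakpoint armed: " + ", ".join(armed))
    if d["le"] or d["ge"]:
        out.append("LE/GE set (the 0x300 that separates 0x700 from 0x400)")
    if d["gd"]:
        out.append("GD set: the next MOV to/from a debug register traps to the debugger")
    return out


def clear_breakpoints(dr7: int) -> int:
    """'Clearing BPMs': drop every enable bit and every R/W-LEN field, keep bits 8-15."""
    return (dr7 & ~(0xFF | 0xFFFF0000)) & 0xFFFFFFFF


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0701):
        print(f"DR7={value:#010x}: {debugger_indicators(value) or ['nothing armed']}")
```

The 0x000D0701 sample is DR0 armed as a 4-byte write watchpoint, which is what a BPM on a dword looks like; clear_breakpoints turns it back into the 0x700 the loader leaves behind.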
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD on Win9x */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;      /* the open succeeded: the driver is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-((
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but is very limited because it is only available on Win95/98 (not
NT), as it uses the VxDCall back door. This detection was found in the Bleem
demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; offset 0x13 is where 'tICE' sits in
"Software\NuMega\SoftICE", 0x37 where it sits in the Uninstall path.)

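Methods 11, 12 and 13 leave literal artefacts in the image rather than a trapping instruction: the device names passed to CreateFileA or _lopen, the registry paths, and the two PUSHes in front of the VxDCall. The scanner below is an added example, not the page's code, and finds them in a raw image. The UTF-16 copies of the names and the imm8 form of the first PUSH are assumptions the text does not discuss, and the sample image is constructed.

```python
from typing import List, Tuple

# Device names opened by the MeltICE check (Method 11; CreateFileA and the _lopen
# variant use the same 8-bit strings) and the registry paths of Method 13.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE",
                 b"CurrentVersion\\Uninstall\\SoftICE",
                 b"App Paths\\Loader32.Exe"]
# Call site of the Method 12 VxDCall: push 4Fh ; push 002A002Ah. The first form is
# the imm32 push quoted in the text, the second the shorter imm8 encoding (assumed).
VXDCALL_INT41 = [b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
                 b"\x6A\x4F\x68\x2A\x00\x2A\x00"]


def _find_all(hay: bytes, needle: bytes) -> List[int]:
    out, pos = [], hay.find(needle)
    while pos >= 0:
        out.append(pos)
        pos = hay.find(needle, pos + 1)
    return out


def scan_artefacts(buf: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method label, artefact) for every string or call-site match."""
    hits = []
    lowered = buf.lower()   # strings: case-insensitive, as Win32 paths and key names are
    for label, names in (("M11 device name", DEVICE_NAMES),
                         ("M13 registry key", REGISTRY_KEYS)):
        for name in names:
            text = name.decode("ascii")
            forms = (("ansi", name.lower()),
                     ("utf16", text.lower().encode("utf-16-le")))   # Unicode builds: assumed
            for enc_label, needle in forms:
                for off in _find_all(lowered, needle):
                    hits.append((off, label, text + " [" + enc_label + "]"))
    for seq in VXDCALL_INT41:   # opcodes: matched on the raw bytes, never lowercased
        for off in _find_all(buf, seq):
            hits.append((off, "M12 VxDCall VWIN32_Int41Dispatch(4Fh)", seq.hex(" ")))
    return sorted(hits)


# Constructed image fragment: an MZ stub, the string table of a MeltICE-style checker
# (one name stored as UTF-16), an upper-cased registry path and the Method 12 call site.
SAMPLE = (b"MZ" + b"\x00" * 14
          + b"\\\\.\\SICE\x00" + b"\\\\.\\SIWVID\x00"
          + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
          + b"SOFTWARE\\NuMega\\SoftICE\x00"
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh ; push 002A002Ah
          + b"\xFF\x15\x00\x20\x40\x00")          # call dword ptr [00402000h] (VxDCall)

if __name__ == "__main__":
    for off, label, what in scan_artefacts(SAMPLE):
        print(f"{off:06X}  {label:<40} {what}")
```

The opcode sequence is matched on the untouched bytes on purpose: lower-casing the buffer would turn the 4Fh ('O') of the first PUSH into 6Fh and hide the call site.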
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed            ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>