<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP set to
the 'BCHK' signature and AX=4, SoftICE answers the int 3 and changes AL;
if AL is still 4 afterwards, no SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK' signature
        mov ax, 04h
        int 3                   ; answered by SoftICE if it is loaded
        cmp al, 4               ; AL unchanged => no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands reachable through int 3, which return
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE. If SoftICE is not loaded,
nothing answers the int 3 and the program has to handle it itself (see
the note below the listing).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911   ; execute command.
4C19:0098 MOV  DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647   ; 1st magic value.
4C19:009D MOV  DI,4A4D   ; 2nd magic value.
4C19:00A0 INT  3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06     ; repeat 6 times to execute
4C19:00A8 JB   0095      ; 6 different commands.
4C19:00AA JMP  0002      ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point,
        add ax, di              ; still 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax,4fh              ; function 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic value returned by a system debugger
        jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily installs
its own int 41h handler (a plain IRET) in the real-mode vector table, so
the call is harmless when no debugger is present, and restores the old
vector afterwards (ES must be 0 here, as set up in Method 06; the two
lines that zero it are added for completeness):

        xor ax,ax
        mov es,ax               ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]   ; (segment); DX:BX now hold the old vector
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd variant, similar to the preceding one but harder to detect: it uses
neither function 4Fh nor the 0F386h comparison. The program installs its
own int 41h handler, which copies AL into CL, then raises int 41h with a
random AL read from the timer port. If its handler ran, CL equals AL
afterwards; if a system debugger swallowed the interrupt, CL is still 0
and SoftICE is detected. (The check misses when the random AL happens to
be 0.)

int41handler PROC
        mov cl,al               ; prove that our handler was reached
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random byte from the timer (port 40h)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 debugger interface).

        mov ah,43h              ; function 43h: debugger installation check
        int 68h
        cmp ax,0F386h           ; same magic number as int 41h/4Fh
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h (single step) or 03h (breakpoint)
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only) you can tell whether SoftICE
is loaded (DR7 = 0x700 if the program was started with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3 hold
their addresses, DR7 their enable and type bits). The values can be
manipulated and changed as well (clearing BPMs, for instance).
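To make the two DR7 values quoted above concrete, here is an added example (not code from the original text) that decodes DR7 the way a ring0 check would after reading it: 0x400 is only the reserved bit 10, which always reads as 1, while 0x700 additionally has the LE and GE "exact breakpoint" bits set; a BPM shows up as one of the L0..L3 bits together with its RW/LEN fields. The field layout follows the Intel SDM; the sample breakpoint values are constructed. Reading the registers themselves needs ring0 and is not shown.

```python
"""Decode the x86 debug registers that a ring0 Method 10 check reads.

Added example, not from the original text. Field layout per the Intel SDM
vol. 3 ("Debug Registers"); the sample values below are constructed.
"""
from typing import Dict, List, Tuple

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) is only defined in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its enable bits and the four RW/LEN field pairs."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 3          # RWn: bits 16-17, 20-21, 24-25, 28-29
        ln = (dr7 >> (18 + 4 * i)) & 3          # LENn: bits 18-19, 22-23, 26-27, 30-31
        slots.append({
            "local": bool((dr7 >> (2 * i)) & 1),       # Ln: bits 0, 2, 4, 6
            "global": bool((dr7 >> (2 * i + 1)) & 1),  # Gn: bits 1, 3, 5, 7
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "GD": bool((dr7 >> 13) & 1),              # general detect: trap on MOV to/from DRx
    }


def active_breakpoints(dr7: int, dr0_3: Tuple[int, int, int, int]) -> List[Tuple[int, int, str, int]]:
    """(slot, linear address, kind, length) for every enabled DR0..DR3 (the BPMs)."""
    out = []
    for i, slot in enumerate(decode_dr7(dr7)["slots"]):
        if slot["local"] or slot["global"]:
            out.append((i, dr0_3[i], slot["kind"], slot["length"]))
    return out


def started_from_softice_loader(dr7: int) -> bool:
    """Text above: DR7 is 0x700 when the target was started with the SoftICE
    loader (LE and GE set on top of reserved bit 10), 0x400 otherwise."""
    d = decode_dr7(dr7)
    return bool(d["LE"] and d["GE"])


# Constructed sample: one BPM, write access, 4 bytes at 0x00401000, local enable.
SAMPLE_DR7 = 0x400 | 0x1 | 0x10000 | 0xC0000   # bit 10 | L0 | RW0=write | LEN0=4 bytes
SAMPLE_DRX = (0x00401000, 0, 0, 0)

if __name__ == "__main__":
    for v in (0x400, 0x700, SAMPLE_DR7):
        d = decode_dr7(v)
        print(hex(v), "LE/GE:", d["LE"], d["GE"], "BPMs:", active_breakpoints(v, SAMPLE_DRX))
```

The same decoder tells you what a protection sees when it clears BPMs: zeroing the L/G bits in DR7 is enough to disable the breakpoint even if DR0..DR3 still hold the addresses, which is why the warning above says to clear breakpoints before running such a target.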
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; if the open succeeds, the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name succeeds only if the SICE VxD answers. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax,-1            ; INVALID_HANDLE_VALUE ?
        00401074: je 00401091           ; not detected

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This check was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
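The instruction sequences and strings used by Methods 01 to 07, 11, 12 and 13 have fixed byte encodings, so a target can be searched for them statically before you step into the check under SoftICE. The scanner below is an added example written for this page, not code from the original text or from any of the programs quoted above; the blob it scans by default is constructed inline from those encodings, and the short match windows between the immediate and the int instruction are a choice of mine, so treat every hit as a candidate to confirm in a disassembler.

```python
"""Static scanner for the anti-SoftICE checks catalogued above.

Added example (not from the original text). Each signature is the byte
encoding of the instruction sequence or string a method uses. The 16-bit
encodings (mov si/di/bx/ax,imm16; int NN) appear unchanged in 32-bit code
behind a 66h operand-size prefix, so substring matching covers both.
"""
import re
import sys
from typing import List, Tuple

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,8}?\xCC", re.DOTALL)),
    # Method 03: mov bx,0202h (SICE VxD ID) ... int 2Fh
    ("03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,12}?\xCD\x2F", re.DOTALL)),
    # Method 04: mov bx,7A5Fh (SIWVID VxD ID) ... int 2Fh
    ("04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,12}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h
    ("05 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Method 06: in al,40h ... int 41h (Stone's variant without function 4Fh)
    ("06 int 41h with timer byte (in al,40h)",
     re.compile(rb"\xE4\x40.{0,6}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11: driver names passed to CreateFileA / _lopen
    ("11 MeltICE driver name",
     re.compile(re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 2A002Ah before VxDCall (VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key
    ("13 registry key NuMega\\SoftICE",
     re.compile(rb"NuMega\\SoftICE")),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str]]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real program): the encodings of several of the
# checks above separated by NOPs, mixing 16- and 32-bit forms as real
# targets do.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01 (32-bit)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (HASP style, 16-bit)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                   # Method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # Method 12
    + b"\x90" * 4
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, name in results:
        print(f"{off:08x}  Method {name}")
```

Run it with a file name to scan a real target, or without arguments to scan the constructed sample. Three-byte immediates such as mov bx,0202h are short, which is why each signature is tied to the int instruction that follows it; packed or encrypted code (the very packers Method 01 mentions) will only show these bytes after unpacking.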

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only).

        VMMCall Test_Debug_Installed    ; ZF set if no debugger is installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>