<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; es must point to segment 0 (the IVT),
    xchg bx, es:[41h*4+2]       ; as set up explicitly in method 06
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable byte from PIT channel 0
    xor cx,cx
    int 41h                     ; our handler copies al into cl...
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; ...unless a debugger answered instead
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ;   (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f      ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
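As an added example (not part of the original text), here is a small Python scanner an analyst can run over a binary to flag the byte patterns that methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 above leave behind (the BCHK constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the 0F386h compare, the \\.\SICE device names, the VWIN32_Int41Dispatch VxDCall and the NuMega registry key). It assumes the standard x86 instruction encodings listed in the comments; the sample blob is hand-constructed, not taken from any real program.

```python
import re
from typing import List, Tuple

# Bytes regexes over the raw x86 encodings / literal strings the tricks
# above leave in a binary. Assumed encodings (16-bit code, or 32-bit code
# with an optional 66h operand-size prefix when a 16-bit register is used):
#   mov ebp,imm32 = BD id   mov si,imm16 = BE iw   mov di,imm16 = BF iw
#   mov ax,imm16  = B8 iw   mov bx,imm16 = BB iw   cmp ax,imm16 = 3D iw
#   int 2Fh = CD 2F   int 41h = CD 41   int 68h = CD 68   push imm8 = 6A ib
SIGNATURES: List[Tuple[str, bytes]] = [
    ("01 BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02 back door magic values (mov si,4647h ... mov di,4A4Dh)",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("03/04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05/06 int 41h followed by cmp ax,0F386h",
     rb"\xCD\x41.{0,16}?\x66?\x3D\x86\xF3"),
    ("07 int 68h followed by cmp ax,0F386h",
     rb"\xCD\x68.{0,16}?\x66?\x3D\x86\xF3"),
    ("11 MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, trick) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits)


# Constructed sample: hand-assembled fragments of methods 01, 02, 03, 05, 11
# and 12 separated by NOPs; it is not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"           # 01, 32-bit code
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 02, Haspinst-style
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # 03, 16-bit code
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # 05, 16-bit code
    + b"\x00\\\\.\\SICE\x00"                                 # 11, device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                        # 12, push 4Fh/2A002Ah
)

if __name__ == "__main__":
    for offset, trick in scan(SAMPLE):
        print(f"{offset:#06x}  method {trick}")
```

The patterns are deliberately narrow (constant plus the following instruction), so a hit is worth confirming in a disassembler rather than treated as proof on its own.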
</PRE></TD></TR></TBODY></TABLE>