<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP set to 'BCHK'
and AX=4, SoftICE services the INT 3 itself and changes AL on return, so
AL != 4 means SoftICE is loaded.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; serviced by SoftICE's BoundsChecker interface
    cmp al, 4               ; AL unchanged -> SoftICE not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below)
    4C19:009A MOV SI,4647      ; 1st magic value
    4C19:009D MOV DI,4A4D      ; 2nd magic value
    4C19:00A0 INT 3            ; int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands
    4C19:00AA JMP 0002         ; Bad_Guy: jump back
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD by ID via int 2Fh/1684h
(Get Device API Entry Point); a non-zero ES:DI means the VxD is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; still 0:0 -> no such VxD
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own INT 41h vector (ES must be 0)
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our stub never sets this, so 0F386h means a debugger answered
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value read from the timer port
    xor cx, cx
    int 41h                 ; our handler copies AL into CL...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless something else handled the INT 41h
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE driver answers an open request, i.e. when
   SoftICE for Win9x is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
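All of the breakpoints above need SoftICE loaded and the sample running. As
an added example (not part of the original post, and not code from any packer
or from NuMega), here is a static scanner that looks for the byte-level traces
Methods 01 to 13 leave in a binary: the 'BCHK' and 0F386h magic numbers, the
SI/DI backdoor values before an INT 3, the SoftICE VxD IDs passed to int 2Fh,
the int 41h/4Fh and VxDCall sequences, debug-register reads, and the device
names and registry keys from Methods 11 and 13. It assumes standard x86
encodings for the instructions shown on this page, treats every hit as a
heuristic to confirm in a disassembler, and uses a constructed sample blob
(hand-assembled from the listings above) rather than any real file.

```python
"""Static scanner for the SoftICE-detection idioms described above (added example)."""
import re
import struct


def _dev(name: bytes) -> bytes:
    # "\\.\NAME" device path exactly as it is passed to CreateFileA / _lopen
    return b"\\\\.\\" + name


# (method number(s) in the text, description, compiled bytes regex)
# Instruction encodings assumed: BD imm32 = mov ebp; BE/BF imm16 = mov si/di;
# BB imm16 = mov bx; B8 imm16 = mov ax; CD xx = int; 3D imm16 = cmp ax;
# 0F 21 /r = mov r32, DRn; an optional 66h prefix covers 16-bit ops in 32-bit code.
SIGNATURES = [
    ("01", "mov ebp, 4243484Bh ('BCHK' BoundsChecker magic)",
     re.compile(rb"\xbd" + re.escape(struct.pack("<I", 0x4243484B)))),
    ("02", "INT 3 backdoor: mov si,4647h / mov di,4A4Dh then INT 3",
     re.compile(rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a.{0,8}?(?:\xcc|\xcd\x03)", re.DOTALL)),
    ("03/04", "int 2Fh with SICE (0202h) or SIWVID (7A5Fh) VxD ID in BX",
     re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,16}?\xcd\x2f", re.DOTALL)),
    ("05/06", "int 41h called with AX=4Fh (debugger installation check)",
     re.compile(rb"\xb8\x4f\x00.{0,32}?\xcd\x41", re.DOTALL)),
    ("05/06/12", "cmp ax, 0F386h (system-debugger magic number)",
     re.compile(rb"\x66?\x3d\x86\xf3")),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler probe)",
     re.compile(rb"\xb4\x43\xcd\x68")),
    ("08", "int 21h/25h re-vectoring INT 01h or INT 03h",
     re.compile(rb"(?:\xb4\x25\xb0[\x01\x03]|\xb8[\x01\x03]\x25).{0,16}?\xcd\x21", re.DOTALL)),
    ("10", "read of a debug register (mov r32, DRn), ring0 code",
     re.compile(rb"\x0f\x21[\xc0-\xff]")),
    ("11", "SoftICE device name passed to CreateFileA/_lopen",
     re.compile(b"|".join(re.escape(_dev(n)) for n in (b"SICE", b"SIWVID", b"NTICE")))),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("13", "SoftICE registry key string",
     re.compile(b"|".join(re.escape(k) for k in (
         b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe")),
         re.IGNORECASE)),
]


def scan(blob: bytes):
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Sorted list of the method numbers whose traces occur in the blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: fragments hand-assembled from the listings above, joined with NOPs.
SAMPLE = b"".join([
    b"\x90\x90",
    b"\xbd\x4b\x48\x43\x42" b"\x66\xb8\x04\x00" b"\xcc",   # 01: mov ebp,'BCHK'; mov ax,4; int 3
    b"\x90",
    b"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03",                   # 02: mov si,4647h; mov di,4A4Dh; int 3
    b"\x90",
    b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f",    # 03: xor di,di; mov es,di; mov ax,1684h; mov bx,0202h; int 2Fh
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",                   # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    b"\x6a\x4f\x68\x2a\x00\x2a\x00",                       # 12: push 4Fh; push 2A002Ah
    _dev(b"SICE") + b"\x00",                               # 11: "\\.\SICE"
    b"Software\\NuMega\\SoftICE\x00",                      # 13: registry key #2
    b"\x90\x90",
])

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<9} {desc}")
```

Run it over a section dump or an unpacked image rather than a packed file on
disk: most of these sequences only appear once the packer's stub has
decrypted its code, so on a packed sample you will usually see only the
string-based hits (Methods 11 and 13), if any.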

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed    ; ZF set -> no debugger installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>