<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer to get an unpredictable value in AL
    xor cx, cx
    int 41h                 ; our handler copies AL into CL if it runs
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if SoftICE ate the interrupt, CL was not updated
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name; succeeds only if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
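The constants the methods above rely on (the 'BCHK' and 0F386h magic numbers, the SI/DI
backdoor values, the VxD IDs, the \\.\SICE device names, the registry keys) are also what
an analyst can grep a binary for before running it. The following scanner is an added
example, not part of this text and not code from any program it names: it looks for the
standard x86 encodings of the instruction sequences shown in Methods 01, 02, 03/04, 05,
07 and 12 (an optional 0x66 operand-size prefix covers 32-bit code) and for the ANSI
device-name and registry-key strings of Methods 11 and 13. Signature names, the offset
windows between instructions and the sample buffer are constructed here.

```python
import re
import sys

# Each entry: (signature name, compiled bytes regex). Byte encodings are the
# standard x86 ones: B8 = mov ax/eax,imm; BB/BE/BF = mov bx/si/di,imm16;
# BD = mov ebp,imm32; B4 = mov ah,imm8; CC = int 3; CD = int imm8;
# 3D = cmp ax/eax,imm; 68/6A = push imm32/imm8. The optional \x66 is the
# operand-size prefix used when 16-bit operands appear in 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    ("method01_bchk_int3",
     re.compile(rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC")),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (backdoor magic values)
    ("method02_backdoor_magic",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A\xCC")),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)
    ("method03_int2f_sice",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F")),
    # Method 04: same with bx = 7A5Fh (SIWVID VxD ID)
    ("method04_int2f_siwvid",
     re.compile(rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h within 16 bytes
    # (the window allows the vector save/restore of Stone's variant)
    ("method05_int41_4f",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41.{0,16}?(?:\x66)?\x3D\x86\xF3",
                re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("method07_int68", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE as an ANSI string
    ("method11_meltice_device",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("method12_vxdcall_int41",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: the three registry keys listed above
    ("method13_registry",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|"
                rb"App Paths\\Loader32\.Exe", re.IGNORECASE)),
]


def scan(data: bytes):
    """Return a sorted list of (offset, signature name) for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk (PE, MZ, raw code dump) and return its hits."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not a real binary): NOP padding around the
# encoded sequences of Method 01 (32-bit form), Method 05 (16-bit form) and
# the Method 11 device name, plus a harmless string that must not match.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # offset 8
    + b"\x00" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # offset 26
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                           # offset 40
    + b"Just a normal string\x00"
)


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, name in hits:
        print(f"{offset:08x}  {name}")
```

Run it with a file path to triage that file, or with no arguments to scan the
constructed sample, which reports hits at offsets 8, 26 and 40. Packed samples
need to be unpacked (or dumped from memory) first, since the signatures only
match plaintext code and strings.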
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>