<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE recognizes in its
int 3 handler: with EBP='BCHK' and AX=4, a loaded SoftICE returns with
AL no longer equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point): a non-zero ES:DI
means the VxD is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h                 ; SoftICE intercepts the call even though the vector was replaced
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; without a debugger, AX is left unchanged
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies the function number into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random function number read from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our handler was the one that ran
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
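The DR7 values quoted above (0x700 with the SoftICE loader, 0x400 otherwise)
decoded into their fields, as an added example that is not part of the
original text. The bit layout is the documented one for the x86 debug control
register; the 0xD0401 sample value (a 4-byte write breakpoint armed in DR0,
the kind a BPM sets) is constructed for the demonstration.

```python
# Added example, not from the original text: decode an x86 DR7 value into
# its fields so that the numbers quoted above (0x700 / 0x400) become readable.
# Bit layout of the debug control register:
#   bits 0-7   L0,G0 .. L3,G3   local/global enable of DR0..DR3
#   bit 8 LE, bit 9 GE          local/global exact breakpoint match
#   bit 10                      reserved, always reads as 1 (hence 0x400)
#   bit 13 GD                   general detect (trap on any DRx access)
#   bits 16-31                  R/W and LEN pairs, 4 bits per slot

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}   # 2 -> 8 bytes exists only in 64-bit mode

FLAG_LE, FLAG_GE, FLAG_RESERVED10, FLAG_GD = 0x100, 0x200, 0x400, 0x2000


def decode_dr7(dr7):
    """Return the global flags and the per-slot settings of a DR7 value."""
    slots = []
    for i in range(4):
        local_enable = (dr7 >> (2 * i)) & 1
        global_enable = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        length = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "enabled": bool(local_enable or global_enable),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[length],
        })
    return {
        "LE": bool(dr7 & FLAG_LE),
        "GE": bool(dr7 & FLAG_GE),
        "reserved_bit10": bool(dr7 & FLAG_RESERVED10),
        "GD": bool(dr7 & FLAG_GD),
        "slots": slots,
    }


def armed_breakpoints(dr7):
    """Slot numbers of the hardware breakpoints currently enabled (DR0..DR3)."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe_dr7(dr7):
    """One-line summary, e.g. for an analyst dumping DR7 from ring0."""
    d = decode_dr7(dr7)
    flags = [name for name in ("LE", "GE", "GD") if d[name]]
    armed = ["DR%d(%s,%d)" % (s["slot"], s["type"], s["length"])
             for s in d["slots"] if s["enabled"]]
    return "DR7=0x%X flags=%s armed=%s" % (
        dr7, ",".join(flags) or "none", ",".join(armed) or "none")


if __name__ == "__main__":
    # 0x700 and 0x400 are the values quoted in the text; 0xD0401 is a
    # constructed value: DR0 enabled (L0) as a 4-byte write breakpoint.
    for value in (0x700, 0x400, 0xD0401):
        print(describe_dr7(value))
```

Read this way, the difference between 0x700 and 0x400 is only the LE and GE
bits (8 and 9); bit 10 is the always-set reserved bit, and none of DR0..DR3
is armed in either value, which is why a BPM shows up separately in the
low byte and the R/W-LEN nibbles.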

Method 11
=========
This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the VxD answers the open of its device name only if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
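A static-analysis counterpart to the breakpoint one-liners given for the
methods above (01 to 07, 11, 12 and 13), as an added example that is not part
of the original text: a scanner that flags the byte patterns of those checks
in a file image, the way a triage script or a YARA-style rule set would. The
instruction encodings were derived by hand from the listings (16-bit
encodings assumed for the DOS int 2Fh/41h/68h tricks, 32-bit for the 'BCHK'
one), the short wildcard gaps and signature names are this example's own
choices, and the sample buffer is constructed, not taken from any real file.

```python
import re

# Added example, not code from the original text: flag the byte patterns of
# the SoftICE checks described above. Encodings derived from the listings;
# .{0,n}? gaps tolerate a few bytes between the instructions of one check.


def _sig(name, pattern, flags=0):
    return (name, re.compile(pattern, re.DOTALL | flags))


SIGNATURES = [
    _sig("M01 mov ebp,'BCHK'",           rb"\xBD\x4B\x48\x43\x42"),
    _sig("M02 SI=4647h/DI=4A4Dh magic",  rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A"),
    _sig("M03 int 2Fh/1684h SICE",       rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F"),
    _sig("M04 int 2Fh/1684h SIWVID",     rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F"),
    _sig("M05 int 41h/4Fh",              rb"\xB8\x4F\x00.{0,4}?\xCD\x41"),
    _sig("M05 cmp ax,0F386h",            rb"\x3D\x86\xF3"),
    _sig("M07 int 68h/43h",              rb"\xB4\x43.{0,4}?\xCD\x68"),
    _sig("M12 push 2A002Ah (VxDCall)",   rb"\x68\x2A\x00\x2A\x00"),
    _sig("M11 device name",              rb"\\\\\.\\(SICE|SIWVID|NTICE)", re.IGNORECASE),
    _sig("M13 registry key",
         rb"(Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
         re.IGNORECASE),
]


def scan(data):
    """Return sorted (offset, signature name) pairs found in data."""
    hits = []
    for name, regex in SIGNATURES:
        for m in regex.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """Set of method tags (M01, M02, ...) whose signature appears in data."""
    return {name.split()[0] for _, name in scan(data)}


# Constructed sample image: 2 NOPs between each planted check.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # M01: mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x90\x90"
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"   # M02: magic SI/DI, mov ax,0911h, int 3
    + b"\x90\x90"
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # M03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90\x90"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # M05: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90\x90"
    + b"\xB4\x43\xCD\x68"                           # M07: mov ah,43h / int 68h
    + b"\x90\x90"
    + b"\x68\x2A\x00\x2A\x00"                       # M12: push 2A002Ah
    + b"\x90\x90"
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # M11: device names
    + b"Software\\NuMega\\SoftICE\x00"              # M13: registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("0x%04X  %s" % (offset, name))
```

Byte signatures are a triage aid, not proof: a packer that builds the magic
values at run time, or splits them across instructions, slips past these
patterns, which is exactly why the text pairs each method with a run-time
breakpoint as well.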


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>