<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: SoftICE answers
the BoundsChecker int 3 interface (ebp='BCHK', ax=4) and changes al, so
if al is still 4 after the int 3, no SoftICE is loaded. In a Win32
program the int 3 raises a breakpoint exception when nobody handles it,
so this sequence is always wrapped in an exception handler.

        mov ebp, 04243484Bh ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call SoftICE's 'back door' commands, which return information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' expected by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler installed by
  the program if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD through
int 2Fh/1684h (Get Device API Entry Point), which only works from DOS or
16-bit code (a Win32 process cannot issue int 2Fh directly). A VxD that
is not loaded returns ES:DI = 0000:0000, so any non-zero ES:DI means the
SoftICE VxD (device ID 0202h) is present.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h       ; VxD ID of winice
        int 2Fh
        mov ax, es          ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of
the SoftICE video VxD (SIWVID, device ID 7A5Fh).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh       ; VxD ID of SIWVID
        int 2fh
        mov ax, es          ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any
system debugger that implements the int 41h debugger interface. It calls
int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). Before the call, the int 41h entry in the interrupt
vector table is swapped with a dummy handler (a plain iret): without a
debugger that vector normally points at the fixed-disk parameter table,
which is data rather than code, so calling it blindly would crash.
SoftICE intercepts int 41h itself rather than through the vector, so ax
still comes back as 0F386h when it is loaded, while the dummy handler
leaves ax=4Fh otherwise. es must address segment 0 (the IVT), which is
set here exactly as in Method 06:

        xor ax,ax
        mov es,ax                ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; swap in our dummy handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second variant, similar to the preceding one but harder to spot because
neither the constant 4Fh nor 0F386h appears. The dummy int 41h handler
copies al into cl; the check relies on SoftICE intercepting int 41h
itself, so that the handler in the IVT never runs, cl stays 0 and the
final compare fails. (al is a byte read from the timer port 40h, so it
is non-zero most of the time; if it happens to be 0 the check misses.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h               ; 'random' byte from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function AH=43h
is the debugger installation check of that interface; it returns
ax=0F386h when a debugger is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

Not a detection method, but a way to crash the system: the program
intercepts int 01h and int 03h (the interrupts a debugger relies on for
single-step and breakpoints) and redirects them to a routine of its own.
It calls int 21h functions 25h (set interrupt vector) and 35h (get
interrupt vector); ds:dx points to the new routine to execute, and the
result usually hangs the computer...

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed from ring 0 (a VxD, or a ring 3 app using the VxDCall
backdoor). The VMM Get_DDB service tells whether a VxD is installed for
the given device ID and returns its Device Description Block (in ecx) if
it is.

        mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-))
        VMMCall Get_DDB
        mov [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0
only) you can detect whether SoftICE is loaded (dr7=0x700 if you loaded
the program with SoftICE's loader, 0x400 otherwise: bit 10 of dr7 always
reads as 1, and the loader additionally sets the LE/GE bits 8 and 9) and
whether hardware memory breakpoints are set (dr0 to dr3 hold the BPM
addresses). The values can be manipulated or changed as well (clearing
BPMs, for instance), which is why tracing through this code with SoftICE
is dangerous.

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE', the name of a small tool freely
distributed via www.winfiles.com. However it was first used by NuMega
itself, to let Symbol Loader check whether SoftICE was active (the code
is located inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. A driver that is not loaded cannot be opened, so getting a valid
handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA the request goes through the
VWIN32 0x001F service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001
VxDCall function) and then browses the DDB list until it finds the VxD
and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE?
00401074: je 00401091         ; not loaded

There could be hundreds of BPX you could use to catch this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 "\\.\" prefix, so the compare lands on the driver name itself):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( )
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jz test):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

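The same check extended to the three driver names listed above, as an added example that is not the original page's code nor MeltICE's own: on Windows it opens each device with CreateFileA exactly as the sample does, and the `device_opener` callback, the `softice_probe` function and the two constructed fake openers are this example's own names, added so the probe logic can be compiled and run off Windows.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names opened by the MeltICE-style check (from the text above). */
static const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE",    /* SoftICE for Win9x            */
    "\\\\.\\SIWVID",  /* SoftICE video driver (Win9x) */
    "\\\\.\\NTICE",   /* SoftICE for Windows NT       */
};
#define N_DEVICES (sizeof SOFTICE_DEVICES / sizeof SOFTICE_DEVICES[0])

/* Assumed interface of this example: returns 1 if `path` could be opened. */
typedef int (*device_opener)(const char *path);

#ifdef _WIN32
/* Real opener: the same CreateFileA call as the original sample, with the
 * handle closed again so the driver is left as we found it. */
static int open_with_createfile(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Try every driver name in turn. Returns the index of the first device
 * that opened (which tells you which SoftICE flavour answered), or -1. */
int softice_probe(device_opener opener)
{
    size_t i;
    for (i = 0; i < N_DEVICES; i++)
        if (opener(SOFTICE_DEVICES[i]))
            return (int)i;
    return -1;
}

/* Constructed opener standing in for a Win9x box running SoftICE:
 * only \\.\SICE answers. */
static int fake_opener_win9x(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0;
}

/* Constructed opener standing in for a clean machine: nothing answers. */
static int fake_opener_clean(const char *path)
{
    (void)path;
    return 0;
}

int softice_probe_demo_win9x(void) { return softice_probe(fake_opener_win9x); }
int softice_probe_demo_clean(void) { return softice_probe(fake_opener_clean); }

int main(void)
{
#ifdef _WIN32
    int hit = softice_probe(open_with_createfile);  /* real check */
#else
    int hit = softice_probe_demo_win9x();           /* offline demo */
#endif
    if (hit < 0)
        printf("SoftICE not detected\n");
    else
        printf("SoftICE detected via %s\n", SOFTICE_DEVICES[hit]);
    return 0;
}
```

Because the probe is nothing but a CreateFileA against a device name, what actually reaches the driver is the DIOC_OPEN / DIOC_CLOSEHANDLE pair described above, which is exactly what the BPX and BPINT conditions listed above catch.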
& J' k- T! L8 _) y0 J__________________________________________________________________________
1 V0 H. O# g, b7 O8 h3 q6 s
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available under
Win95/98 (not NT), as it uses the VxDCall backdoor exported as
Kernel32!ORD_0001. This detection was found in the Bleem demo.

        push 0000004fh         ; function 4fh
        push 002a002ah         ; high word specifies which VxD (002Ah = VWIN32)
                               ; low word specifies which service
                               ; (002Ah = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001 ; VxDCall
        cmp ax, 0f386h         ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which look up the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; "tICE"
sits at offset 0x13 of the subkey string of #2 and at offset 0x37 of #1,
so key #3, which does not contain "SoftICE", is not covered):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
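A tiny model of how SoftICE evaluates the two conditional breakpoints above (the CreateFileA one from Method 11 and the _regopenkey one here), as an added example that is not part of the original text: memory is a constructed 4 KiB image with hand-built call frames, `deref32` stands for SoftICE's `->` operator (the dword at [addr]) and `eq4` for `*(addr)=='ABCD'` (the four bytes at addr compared in memory order); the function and helper names, the stack addresses and the return-address values are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE 4096
static uint8_t mem[MEM_SIZE];   /* constructed memory image, not a real process */

/* SoftICE `->` operator: little-endian dword at [addr]; 0 if outside the image. */
static uint32_t deref32(uint32_t addr)
{
    if (addr + 4 > MEM_SIZE) return 0;
    return (uint32_t)mem[addr] | (uint32_t)mem[addr + 1] << 8 |
           (uint32_t)mem[addr + 2] << 16 | (uint32_t)mem[addr + 3] << 24;
}

/* SoftICE `*(addr)=='ABCD'`: the four bytes at addr equal the literal. */
static int eq4(uint32_t addr, const char *lit)
{
    if (addr + 4 > MEM_SIZE) return 0;
    return memcmp(mem + addr, lit, 4) == 0;
}

/* Image builders: place a string / a dword (stack slot or pointer). */
static uint32_t put_str(uint32_t addr, const char *s)
{
    strcpy((char *)mem + addr, s);
    return addr;
}
static void put32(uint32_t addr, uint32_t v)
{
    mem[addr]     = (uint8_t)v;         mem[addr + 1] = (uint8_t)(v >> 8);
    mem[addr + 2] = (uint8_t)(v >> 16); mem[addr + 3] = (uint8_t)(v >> 24);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC' */
int bpx_createfile_cond(uint32_t esp)
{
    uint32_t name = deref32(esp + 4) + 4;   /* lpFileName, past the "\\.\" prefix */
    return eq4(name, "SICE") || eq4(name, "SIWV") || eq4(name, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' */
int bpx_regopenkey_cond(uint32_t esp)
{
    uint32_t subkey = deref32(esp + 8);     /* lpSubKey, the 2nd argument */
    return eq4(subkey + 0x13, "tICE") || eq4(subkey + 0x37, "tICE");
}

/* CreateFileA frame at the breakpoint: [esp]=return address, [esp+4]=lpFileName. */
int check_createfile(const char *device)
{
    const uint32_t esp = 0x100, str = 0x800;
    memset(mem, 0, sizeof mem);
    put32(esp, 0x00401071);                 /* constructed return address */
    put32(esp + 4, put_str(str, device));
    return bpx_createfile_cond(esp);
}

/* RegOpenKey frame at the breakpoint: [esp+4]=hKey, [esp+8]=lpSubKey. */
int check_regopenkey(const char *subkey)
{
    const uint32_t esp = 0x100, str = 0x800;
    memset(mem, 0, sizeof mem);
    put32(esp, 0x00401000);                 /* constructed return address */
    put32(esp + 4, 0x80000002);             /* HKEY_LOCAL_MACHINE */
    put32(esp + 8, put_str(str, subkey));
    return bpx_regopenkey_cond(esp);
}

int main(void)
{
    printf("CreateFileA \\\\.\\NTICE -> %d\n", check_createfile("\\\\.\\NTICE"));
    printf("CreateFileA \\\\.\\COM1  -> %d\n", check_createfile("\\\\.\\COM1"));
    printf("RegOpenKey key #2 -> %d\n",
           check_regopenkey("Software\\NuMega\\SoftICE"));
    printf("RegOpenKey key #3 -> %d\n",
           check_regopenkey("Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"));
    return 0;
}
```

The fixed offsets are what makes the _regopenkey condition cheap and what makes it fragile: it fires for keys #1 and #2 only because "SoftICE" happens to start at 0x34 and 0x10 in those subkey strings, and a program that opens key #3, or #2 with a different spelling of the path, walks straight past it.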

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a system debugger is running (ring 0
only); the result comes back in the zero flag.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>