<TABLE width=500>6 t3 E0 s) n/ C) t; w+ b
<TBODY>6 \, Z2 e4 x9 d2 m. D
<TR>* `' r3 c2 l+ e" P0 x
<TD><PRE>Method 01
# O! {3 r, G% K5 i, q( U, }=========
* l, e4 `: @& @; ~$ v# T
* y. ]' w( @) @This method of detection of SoftICE (as well as the following one) is! z5 }% G% X0 o
used by the majority of packers/encryptors found on Internet.' m3 x- d+ U2 j6 _
It seeks the signature of BoundsChecker in SoftICE
) r, D/ p" Q% l- C# ~
# w) k, Z! B3 N5 M4 M mov ebp, 04243484Bh ; 'BCHK'4 \: A9 P) w5 j
mov ax, 04h& W+ Q" ^9 b. q. y0 v1 P
int 3 3 m: Z4 `) h6 p& `8 F, G# Z* h
cmp al,4; b# m1 ~* g3 M+ q. Q0 S, }: a
jnz SoftICE_Detected
& |; d+ G: r1 G7 r- Y* d+ r5 U5 z
2 h9 N1 {6 u+ a( u! j/ \$ N% I% E6 [0 Y___________________________________________________________________________# k4 q& q9 N5 y) Z
3 T: O7 K% q; c `) W4 [4 pMethod 02
' T# `; B% @" q- h2 z, V1 f=========
) o% n/ ]0 w5 ?0 O! n2 b A2 U/ ?& G1 a6 j! [
Still a method very much used (perhaps the most frequent one). It is used5 b& J) L; H, G! ]4 |
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% P3 ~8 H# `9 c1 L, J7 wor execute SoftICE commands...
. A6 s2 Y& w! d& jIt is also used to crash SoftICE and to force it to execute any commands0 u+ w& t$ s& J
(HBOOT...) :-((
# f) `5 h* B9 ]9 ^; k
2 [* u" d. U. Z5 i z# b) n) [Here is a quick description:. ]9 s! G/ u9 R9 R( ]( U0 t. H
-AX = 0910h (Display string in SIce windows)# ~5 C# z8 E4 [$ l
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
4 h' e0 q U) s6 v& g-AX = 0912h (Get breakpoint infos)/ s4 w: S; w- U& E0 ~) t$ T2 O
-AX = 0913h (Set Sice breakpoints)/ S+ M, P& D+ B! Q+ s( Z
-AX = 0914h (Remove SIce breakoints)$ q% }0 j( g1 x3 M! D* C
& Y3 F& q$ d2 Z" y5 Z; DEach time you'll meet this trick, you'll see:, q" ?/ @% r' j$ A) f8 k. h5 Q
-SI = 4647h+ ~2 z& h [9 r* j- \( U
-DI = 4A4Dh6 J2 u( U- o# Y3 x, L8 U3 ^7 I4 W4 M" D
Which are the 'magic values' used by SoftIce." `3 f0 s" _. X$ P/ J/ b
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 Z9 X6 S) ~% p. w
: R2 U% y3 i. b; o& v
Here is one example from the file "Haspinst.exe" which is the dongle HASP
+ g K: b* n/ d* l/ l3 WEnvelope utility use to protect DOS applications:6 d) f: X! C. s
4 y1 J. ]# a. _- H! M% |
8 A3 [- T+ M1 x6 k6 J
4C19:0095 MOV AX,0911 ; execute command.
# J# k L( b9 O1 n4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
% E1 ?: y, `4 l5 H* n4C19:009A MOV SI,4647 ; 1st magic value.
. N0 q9 A; {: z# J: P3 k" Q4C19:009D MOV DI,4A4D ; 2nd magic value.
" X- O+ j0 {: w0 i5 H# B! _7 q4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
, S/ L; ~& t3 @9 Q4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
: q7 k* D/ t8 F4 r/ v4C19:00A4 INC CX/ ]# M; }: S5 u/ n
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute6 R5 f" `- w" l: L% H) o
4C19:00A8 JB 0095 ; 6 different commands.
& S, @8 i4 ~# g7 e+ V O& w$ I4C19:00AA JMP 0002 ; Bad_Guy jmp back.
6 ~2 H9 P7 ~4 F( A# \/ y& [& \4C19:00AD MOV BX,SP ; Good_Guy go ahead :)* V. C: z6 t6 ^3 v- G
& a% S% x+ V: h
The program will execute 6 different SIce commands located at ds:dx, which* V8 g* ~5 D! h0 R9 I
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.8 \. g5 p$ o+ G" `" |
. N5 ?( y! m2 p$ T0 ~$ S5 O! l
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 E/ k4 I" G- d4 K3 r___________________________________________________________________________
8 _0 c0 u. ^5 R
* D! i/ q6 L: o5 O
* T, T. G2 o$ ?3 Y' t {1 NMethod 03
' E: n. l2 n- J- \* T/ K=========
! @8 K) l; W* a$ n$ @
$ y7 R% h& S- A+ F$ V4 aLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( s$ y( w( r4 S5 k: n- v9 \(API Get entry point)$ \1 x8 ?# H7 m g x: ~! r
% x( `2 N* m$ z& p4 Q' ]- c( X- F$ a
6 ?; k& ?6 h! N xor di,di, D5 Q( z* k8 Z
mov es,di
' V/ z8 U( e. p# A, d4 ~( p mov ax, 1684h ) M- T: r$ i" }
mov bx, 0202h ; VxD ID of winice
# K& G6 z! I( k4 W! c9 S! ~ int 2Fh; e$ T* G; ]" p8 A
mov ax, es ; ES:DI -> VxD API entry point6 M+ n% J) c6 z# s
add ax, di
F9 M+ I* s% U9 K4 h test ax,ax
# ~ G4 e2 Q$ e5 e# c jnz SoftICE_Detected7 {/ x6 t3 P+ W2 i8 v* \' Q
: Q$ l' v9 c: B9 I___________________________________________________________________________6 E" `' y( y6 _+ W9 \! R2 W* p
4 G9 C/ B5 S9 I
Method 04
" k8 c8 j! d& I! m8 _1 m- ]=========
( e$ Y& w& D& f4 B( h/ Q4 f
9 ]( \9 ~7 e! g: [4 UMethod identical to the preceding one except that it seeks the ID of SoftICE" l+ q- ^. {2 e) {. d
GFX VxD.2 G6 z" w Z; C3 n
4 C E8 X7 E5 I4 ]% v
xor di,di
1 z4 R7 K- F1 f0 H* z mov es,di
0 \) Z2 l2 E3 `( P9 q mov ax, 1684h
, w$ Q% A& o E+ S! E! V5 z mov bx, 7a5Fh ; VxD ID of SIWVID5 u/ e- ^. o3 g {7 R3 w: T! j
int 2fh
7 p& |! j+ _& r' E; U7 z& Z mov ax, es ; ES:DI -> VxD API entry point
; s1 P: t0 W! ~4 h, V6 ^: K( m add ax, di0 z. f) }0 u$ |/ s3 y
test ax,ax+ |, x5 z3 }3 V/ @5 j4 x
jnz SoftICE_Detected
( b; m" d: I7 _. E' H1 K& `
# q- C2 M$ s- O: T8 p( k) g5 T- O. O__________________________________________________________________________5 s6 X, d" ]1 t- R/ @
W; Y$ U y+ Q4 e; s j
7 I; j$ x3 K' m4 u, r5 \Method 05; I2 W, G0 i1 i9 v8 b: G5 s; _
=========
/ v0 p/ v; D1 k% _$ y7 k: @5 B, D1 G$ i
1 B! U2 V$ A% L1 ~; @. oMethod seeking the 'magic number' 0F386h returned (in ax) by all system
% Q, u- Q# J& |! Udebugger. It calls the int 41h, function 4Fh.) h \; A, X6 Q- [
There are several alternatives. " g$ W5 C D2 K4 W {. T; g
9 I1 u7 C. F6 P* t4 c3 rThe following one is the simplest:* |; _. o& v2 g6 V$ A
1 l% W, k6 v1 E$ t' [ mov ax,4fh
; Z: j, [# H7 U int 41h
& x3 m; n: Y; I6 U, x7 G cmp ax, 0F3868 v8 f: H8 A/ J h
jz SoftICE_detected
$ X' O5 n0 K/ l) Z% ~8 H. j6 H' F, z' J7 @
! I& g) F, p5 A
Next method as well as the following one are 2 examples from Stone's : C; G# R8 n1 Q
"stn-wid.zip" (www.cracking.net):
! A6 [3 N, e; g4 T6 g6 m. `2 p: `* K! W
mov bx, cs7 I) \ K9 d9 B/ |) Q0 M
lea dx, int41handler29 p5 F: R( H- m$ F: X6 f! p7 V
xchg dx, es:[41h*4]
h$ S5 M4 x8 {0 Z* a" P5 T' L# m2 Y xchg bx, es:[41h*4+2]$ a _. j* K O7 Q
mov ax,4fh/ g2 ]8 a S# ^
int 41h
& }$ i3 K8 b% N' E( e h xchg dx, es:[41h*4]
# v" c" d- W R xchg bx, es:[41h*4+2]1 L ?9 e* w5 t: t' |
cmp ax, 0f386h& R! ?0 k/ e! G" x* e T' z5 x
jz SoftICE_detected
( M& b5 u0 Z: U2 r7 M
, t/ u3 A. ?5 i' d' K* Vint41handler2 PROC* M4 [' S1 v2 h5 ?+ J
iret, @3 |: T# l! {) s
int41handler2 ENDP; W- J8 I6 p( Z! s1 R
2 [! w* d# f% y5 _8 W+ n. C
4 B0 u; v% @: Z6 Y$ z. |3 C/ w% ?
_________________________________________________________________________
/ z1 K6 Q( \, Y1 x2 g; w V; B& S& V+ H& F! `; S8 v
& d5 \+ N6 a( ]3 q, [" V9 v0 `" W1 l
Method 06
6 K% Z4 E, d4 y( Y=========
! m- A. {/ G+ w. n# p5 ~! T7 X4 k
; G1 H( `2 t2 W( ?2 x% \
, M/ c& ?8 V' q2nd method similar to the preceding one but more difficult to detect:# ?4 U5 g: ^( t7 g; N$ I/ s
! j4 Z" W( q+ Y2 ?& V
" T" W4 [- l/ L* m5 y% Zint41handler PROC
+ D) Q. o1 M. y mov cl,al1 H; D4 C6 V$ p; ~) D
iret% L- i. f' _* P. q' `
int41handler ENDP. A" x4 h3 w, _8 E& z* `
" a8 g* f& o% l7 z2 ^% d
4 H5 i& d' l' Q4 R
xor ax,ax
$ f5 g; V8 M5 l2 V mov es,ax% E, C6 H2 {1 u
mov bx, cs
, Z. i \1 b4 \: U4 ^' c lea dx, int41handler
3 J9 V# \& F( X6 J xchg dx, es:[41h*4]
7 t, G$ [+ J3 ? xchg bx, es:[41h*4+2]) G' {' b* T& a2 w* ?. F. _0 t
in al, 40h2 ]6 k" y+ C2 [
xor cx,cx9 E y; K, `( s
int 41h
) y! ?$ \+ @' u# U3 A; q xchg dx, es:[41h*4]
9 c' P8 `* H/ U2 G xchg bx, es:[41h*4+2]
! c$ ~( R3 Y& D3 s. [ cmp cl,al
' Z j% R5 U! Y2 v' i/ z$ g jnz SoftICE_detected
8 n6 b3 K0 X7 I9 E5 m J
2 k9 y! C& {5 z) ^& i_________________________________________________________________________% s) t: v; s0 p5 ]2 F! j6 }
' x3 t9 m; w7 K, v* X. y2 q |
Method 07
q, ~! X! m- m$ \/ [=========) y# p6 F5 M& W4 O
2 ~/ R1 F% \( X# D( Y0 DMethod of detection of the WinICE handler in the int68h (V86)
" {5 [" R( L- l: P& O6 L
1 q1 R+ ?2 ?0 e; N4 H' E. f3 |2 i mov ah,43h/ w' `/ Y5 O1 z8 Q
int 68h$ y, E5 Q' u- V4 X/ x1 h
cmp ax,0F386h0 m4 {4 p, w$ b- D3 ]
jz SoftICE_Detected* a. x% A4 ]# G/ ~2 U
' C$ J5 M X# ^7 e0 K$ E- O. G( A/ }$ L
5 Y) O X6 X1 O& o) K
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
7 @$ P+ A2 O$ ^ app like this:
& U; @; i$ d# o, e3 d
$ }0 B2 g. }( m9 E! e' k BPX exec_int if ax==68
5 K1 [' j$ \3 D9 a2 A! K7 x (function called is located at byte ptr [ebp+1Dh] and client eip is
6 [( R1 \. W2 Z6 t! Z located at [ebp+48h] for 32Bit apps)0 H! ^5 i" i0 |% n3 G# `: D% ]
__________________________________________________________________________
0 D5 f$ P7 L; a, q& q& ~/ l4 o$ m( Q! C0 K. U' ?! n: n
`/ t" a$ |$ N/ p6 |. I" ^
Method 08
( {' @' ^, B$ \% c: E0 T! H4 C/ Q( P=========+ B# p. z4 G1 P2 m0 w0 W' ~
6 J3 ]- e6 o" k2 p$ N9 V
It is not a method of detection of SoftICE but a possibility to crash the
- r, J! E9 o- O: c& asystem by intercepting int 01h and int 03h and redirecting them to another
" V% X; t8 y. A, K+ l# U6 V uroutine.
/ l0 k/ R7 w/ [1 D, j8 b0 DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
$ |9 m- v% I9 Q+ h( O' xto the new routine to execute (hangs computer...)) p4 M+ n4 h; J+ X
3 z% n7 p, e8 w3 F1 c6 D mov ah, 25h
! B; G; U5 g# I7 v2 r/ ] mov al, Int_Number (01h or 03h) n& H1 X( F7 ^! \+ C* O
mov dx, offset New_Int_Routine8 D- O% A d( k/ r5 _& M
int 21h
# R- P$ o' E L0 Z8 M4 o }2 a8 C+ y2 E$ `, ?4 c2 ^
__________________________________________________________________________- Q* E ]& B* [- M9 O7 Y# \' Z5 q: y
4 ~4 h7 U7 O' U; h t
Method 09# f, O. \4 O+ f* H: M% l% U
=========
5 j' ]8 d, E9 ?8 i! g; J- ?# y& M$ I
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only1 t- s) v' U4 r! p' V+ j7 q
performed in ring0 (VxD or a ring3 app using the VxdCall).6 L3 D' N2 e D9 V
The Get_DDB service is used to determine whether or not a VxD is installed- V; w& {) |! ^
for the specified device and returns a Device Description Block (in ecx) for$ U' g+ ^# \7 @7 s- _% e( h1 W/ w
that device if it is installed.
P* g# }8 D; |- E9 C! {
/ t( f$ D8 y# u/ y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 G: a; `9 I* }) h- p mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
* F; ]9 m- {6 q/ k/ _+ C$ L6 \ VMMCall Get_DDB2 R# u3 a8 K ]) C% G
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
2 e$ K7 t; A2 y' M/ M! J% t" R4 B- W1 ]5 o: I) H" P& U
Note as well that you can easily detect this method with SoftICE:& m9 R$ T z& f; q# b4 J9 G$ }# b
bpx Get_DDB if ax==0202 || ax==7a5fh1 M; L J3 ]! j8 \; U
# h u/ Q0 Z# z1 {3 w__________________________________________________________________________) f. W+ ]+ y% B4 s
\7 j1 f2 k1 }5 L* E% ~8 t7 g
Method 101 n2 J9 o, t% K0 |9 I, Q; Q
=========
- U! `4 b% A) `( a* Q0 W3 T" o* Q+ i1 z, T1 k
=>Disable or clear breakpoints before using this feature. DO NOT trace with
8 I1 g6 J% I+ W& Y; y SoftICE while the option is enable!!9 Q5 V: l1 P9 B" Y
& y' C2 |+ f' _( AThis trick is very efficient:
$ @5 z( S, j8 ] L7 }( Kby checking the Debug Registers, you can detect if SoftICE is loaded
8 A* ~2 H) k* Q3 H9 Q8 a(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
3 ?& S5 p' d0 h. N& ^& m7 Lthere are some memory breakpoints set (dr0 to dr3) simply by reading their F8 _4 z1 U0 H/ r+ B: \
value (in ring0 only). Values can be manipulated and or changed as well
3 [. k2 s1 {; _(clearing BPMs for instance)$ L( }, g) L4 O1 u9 [9 T. ?
1 I- P6 \- J9 C# r5 F0 A L__________________________________________________________________________) x$ U( z2 c$ d
+ R$ p# _7 k: W- R9 r
Method 11* L" u8 Z- n) ?1 k
=========: ]: ]8 n; p4 \
: e8 W& k6 t' J- Y* c1 i+ Z0 v. ]
This method is most known as 'MeltICE' because it has been freely distributed: {* \8 X0 t: J, [3 `4 ]/ u. W
via www.winfiles.com. However it was first used by NuMega people to allow7 L# W. d+ g0 V( ~0 N7 S
Symbol Loader to check if SoftICE was active or not (the code is located
, W( o( b2 ^! {" x6 K) tinside nmtrans.dll).
* @; f. x* K8 c$ g9 t, }2 D( |1 O1 r' z
The way it works is very simple:
1 E- { e" J/ n1 W# `! ~It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
* P& @8 l& F0 q$ r! {WinNT) with the CreateFileA API." Y ?8 f5 O$ K
6 h( h& C; j5 X$ |- Y
Here is a sample (checking for 'SICE'):
- {" W8 _: [4 [- ^; S' e/ `1 A- H0 ~; \# r+ v& Q1 i7 ~
BOOL IsSoftIce95Loaded()$ j' B5 p$ a* \% l1 N D q
{/ i' R1 V3 z' J2 h
HANDLE hFile; ! c4 ^9 r" X) z" g; Y
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,1 i6 |9 M+ X8 I# C
FILE_SHARE_READ | FILE_SHARE_WRITE,6 q7 }' O' A8 j9 X
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);. k. w( }# n0 E
if( hFile != INVALID_HANDLE_VALUE )
7 V' M3 l. ^1 u. `/ C {
9 D0 T3 x% O7 p5 H CloseHandle(hFile);
$ F; y0 ?' E9 T6 n return TRUE;
8 F3 y3 ?0 O n+ `- P }; Q+ c/ H ?1 a% v8 Y$ |1 w
return FALSE;
3 o; e& b7 D! n& C0 w ]}
6 u2 ]+ b1 }6 x
5 |; ]' Q# ]+ {8 q9 }2 |$ N9 ~Although this trick calls the CreateFileA function, don't even expect to be
- u3 D' Q1 g \able to intercept it by installing a IFS hook: it will not work, no way!
2 z- A" \. x' }3 V( M% r) UIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' s9 t. ]$ ]& v. W' D4 N kservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
; ^2 o2 B' ^) Q7 K$ ^* band then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 F/ ]9 o: J2 G1 T, `7 j+ F6 T5 Lfield.- u2 H5 c3 r) }# g4 F Q
In fact, its purpose is not to load/unload VxDs but only to send a
! w3 b& a, F% `8 w0 i- q5 PW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
4 ~5 H- T( K9 v" y. |) jto the VxD Control_Dispatch proc (how the hell a shareware soft could try
9 A( V3 g# }4 C- }8 Dto load/unload a non-dynamically loadable driver such as SoftICE ;-).
G( j5 t8 D0 L( `' }; r$ `" EIf the VxD is loaded, it will always clear eax and the Carry flag to allow( ^0 x; T9 s) J- l5 l" `. }* [
its handle to be opened and then, will be detected.
# E0 L* f5 M1 s+ c bYou can check that simply by hooking Winice.exe control proc entry point
" f+ r. G j% W" L% j, Qwhile running MeltICE.1 I3 M* s) L+ l% |+ n* c- C
E- W' ~( s6 _6 W
. O+ q% F% i4 a5 f1 K/ l* @ 00401067: push 00402025 ; \\.\SICE
+ y5 F6 y3 m3 p* {% D& ?- x 0040106C: call CreateFileA, ~# L7 N7 \$ D2 b) u7 ]% D. y
00401071: cmp eax,-001
2 \& X, x u* y# |2 t 00401074: je 00401091
5 b4 j6 L, x; s# c, k9 e# _
; o. t, I" `& u- }+ j/ ?* i% a& T! Q9 C) z; f5 v
There could be hundreds of BPX you could use to detect this trick.
* w6 s1 N/ z" F-The most classical one is:
( t, l/ e6 d2 A5 b/ D" G BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||& ?& R# I0 {5 {5 B$ ~
*(esp->4+4)=='NTIC'
+ [% r7 M5 h5 {7 g/ C3 b( ]& j. ^# l) ?) y: I0 \
-The most exotic ones (could be very slooooow :-( c; Q9 A8 a' w$ h! L+ X
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
9 L; H. J, I4 J9 e. M ;will break 3 times :-(3 ^2 r, @1 D" f2 O5 W( h
5 S6 z3 D, @# X-or (a bit) faster: ; D3 T3 k+ `: M+ x* Z
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
0 T; Q; ?7 f+ x
7 u+ P+ W j( e, b6 ^3 N* o) U& A BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
2 P# `2 j6 |9 G* ` ;will break 3 times :-(
" g- r0 {( Y% v6 L2 o6 N; j: {- R5 v. E* t
-Much faster:
Y+ y2 ^" D; q4 @1 F' Y' | BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'% R" \/ G( E6 F# O, H
0 }6 N: D( g6 p
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen- S; T2 I- O2 R9 o3 P
function to do the same job:
! }& |7 Q# O0 ]# B5 m
: Q' }8 @- L- \1 Y7 ?; A7 d" S push 00 ; OF_READ# U! }# h: ^8 P% W! f: D
mov eax,[00656634] ; '\\.\SICE',0
; U$ r9 Q5 n8 ^9 w push eax
0 h3 Q' N# v' i call KERNEL32!_lopen
1 Y, ]/ g- B" a inc eax% g$ _- f0 w' V7 y
jnz 00650589 ; detected/ \% R: c) p5 `& |, b8 X i
push 00 ; OF_READ
4 x! U( O7 m8 Q! K mov eax,[00656638] ; '\\.\SICE'
' b% a/ z' U8 Q- B* g push eax
, D4 Z: ?" f) E7 ^ call KERNEL32!_lopen
1 K8 K4 A8 s8 S* R) y inc eax
; D7 r3 j' S7 o4 A6 T1 f8 Y5 S jz 006505ae ; not detected% @$ {! ]; S$ V
$ ]( {' _0 r$ q- {3 `! Q3 c3 {: Q5 r
3 v- ]5 ? n5 R8 y p4 T__________________________________________________________________________( ? D( ?# R5 o. H% M5 @# ~
" B+ h4 ^: N0 r) q" {( A
Method 12% l# t/ _" t" n1 i8 u3 J! b
=========
! K3 g' [ h$ j% M o5 q) y6 X, H0 A' ^5 S7 j" P
This trick is similar to int41h/4fh Debugger installation check (code 056 w' z7 o: _+ u' W4 n( a+ ?' P
& 06) but very limited because it's only available for Win95/98 (not NT)
5 k7 u& x! y7 Ias it uses the VxDCall backdoor. This detection was found in Bleem Demo.# f2 X- X9 R- m
% M4 ]" j" }2 E4 Q! q* s! ` push 0000004fh ; function 4fh8 o0 [+ E" \& \) a) B4 P% |( l
push 002a002ah ; high word specifies which VxD (VWIN32)
: W$ M) l& ^: |' C2 T ; low word specifies which service; A0 d% `' f, l
(VWIN32_Int41Dispatch)
1 O. R) R2 z; j5 \/ K call Kernel32!ORD_001 ; VxdCall
F: j5 S* r. q) O cmp ax, 0f386h ; magic number returned by system debuggers
0 d: q, \! [2 l/ U7 T1 O jz SoftICE_detected
: u; x" ~ Q& S2 e
( I+ d4 y- ~" J! B) j5 zHere again, several ways to detect it:. J& h0 a$ d! f9 s6 ]
1 J! m- g- k# P BPINT 41 if ax==4f- e/ n V8 }7 J7 Q, Z0 F
1 G# p: ^1 i6 b7 w& Q( A+ y
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one) @3 n* T! ~9 U% ~# r# m6 j( [3 ~# w4 E
* |2 n6 H4 r; D( S; r2 p BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A3 g- W4 m' |6 V; `) A+ i/ {; l
3 N% ~# f% M, @3 k9 O+ Q
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
J: y0 ?3 j+ V% Q Y- ~, u8 S1 T4 g
. g0 F: @1 Z/ ]5 `3 Q5 R) k__________________________________________________________________________
/ @: @% A& @) d! |( m0 e2 p3 F# r# L/ [
Method 13
$ y2 F' F" T2 F4 z=========
+ k H. A4 l( L4 z. F* P5 A* v0 \0 q' x
- @) C) F1 ]% PNot a real method of detection, but a good way to know if SoftICE is5 U+ r4 R l/ \5 ?# o
installed on a computer and to locate its installation directory.: u }, A. V4 U, |/ S
It is used by few softs which access the following registry keys (usually #2) :" d6 P$ F# k1 t
) {7 z5 ^, K9 S0 r$ q0 `
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: M6 C* \+ B0 S: E6 d\Uninstall\SoftICE) U4 B3 ] {4 F; Z, l. k1 ]$ ~4 ?0 T
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 {- c9 _ Q" c9 @& H-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 g: G: P5 @3 o
\App Paths\Loader32.Exe
0 W2 e+ `- j( v( B) F2 j; o" ~4 I0 @: N6 O' R8 ?0 \
4 |$ d9 b' W3 i9 [% t
Note that some nasty apps could then erase all files from SoftICE directory
1 E/ U! t. U& N d* n(I faced that once :-(
$ R, J S; ^: A1 {7 U! n1 [* v0 \: I6 @
Useful breakpoint to detect it:
; f; E/ X1 O' Q) V8 h
% U+ P f6 L9 }4 \0 X- P BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 y& M- U! W' G1 O4 D
/ R+ T) C/ p, l__________________________________________________________________________
. ]4 C2 ~- g5 N" v- s, k, E$ x$ b! o2 f% M
" i7 k' U# ?& o M+ q- _
Method 14
) Y" L# n( R) e/ ^4 |=========
; p/ C/ l" p) i' ?& A7 T- z
2 @7 F( H. }, m2 ~! a, RA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 D; E1 O" |1 kis to determines whether a debugger is running on your system (ring0 only).
4 U: a0 `3 X& X- c' m3 F0 p' N8 y4 g0 Y2 x. X7 _" e8 p
VMMCall Test_Debug_Installed8 W+ p9 ?0 w9 _
je not_installed
5 r1 C7 h, _0 @. K+ s5 K; @
* }- `( E+ }3 E: c: HThis service just checks a flag.
+ b& N/ _) l$ L; j* f _</PRE></TD></TR></TBODY></TABLE> |