<TABLE width=500>
1 e9 t- f& [5 f, a+ D, \0 m: z& b! K<TBODY>$ {4 o; _; |9 K
<TR> W6 B- o3 B0 a6 b" U
<TD><PRE>Method 01 & R( o# Z# t4 \4 ^
=========8 o( H# m9 X( g) a c
' v; R6 q9 W, {" n8 S( T7 y3 VThis method of detection of SoftICE (as well as the following one) is, O; p7 ~6 R8 C% z- i% O2 F
used by the majority of packers/encryptors found on Internet.
+ i) j( c( K: L; B# s8 i$ bIt seeks the signature of BoundsChecker in SoftICE3 u9 R2 L$ V J+ a( n' w
! O S1 e5 Y5 t) p1 [! |+ H W mov ebp, 04243484Bh ; 'BCHK'
# V9 f" P) k% o0 m( c mov ax, 04h
0 e |9 A B3 n int 3 2 S2 [! _0 F/ ]% m7 d7 I
cmp al,4
' `4 p$ `. F7 R) ?. w# F jnz SoftICE_Detected( s. O7 s/ ?/ `7 V" S
3 d4 a" W& G' q6 ~- }
___________________________________________________________________________
& S* C; c$ {+ G3 J- h" y+ O' H8 c/ R) j
+ I: @* }, q- w! \ H$ [Method 02
6 e( E) {0 J5 A. u6 w& e3 }5 I=========1 x$ i$ d# F" m& K8 i _9 B# ]
. Y# E3 k1 t2 Q$ d& v6 J
Still a method very much used (perhaps the most frequent one). It is used G, C1 k" \, q# v8 N
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
* d: R5 p# N8 J" Qor execute SoftICE commands...
" Z0 R% [9 U, ]: e, HIt is also used to crash SoftICE and to force it to execute any commands
0 [( h2 K7 _/ c(HBOOT...) :-((
+ Z6 l- A5 d \) s+ ~/ [ U
0 ~: ~/ n8 G, y4 q& S# \8 B+ VHere is a quick description:
" d2 r2 I. M9 o5 C( d9 P-AX = 0910h (Display string in SIce windows)
! c9 h1 }/ ?' H9 |( L-AX = 0911h (Execute SIce commands -command is displayed is ds:dx) y! f W0 |% K& p5 J
-AX = 0912h (Get breakpoint infos)) v4 i* v1 Y: O! ?
-AX = 0913h (Set Sice breakpoints). M( s8 f1 L) n
-AX = 0914h (Remove SIce breakoints)9 i6 [. H1 ]8 W9 w% ^
$ R1 Z8 W& z& U; g) E1 d; }
Each time you'll meet this trick, you'll see:8 s5 \7 f: \) G3 ?# W
-SI = 4647h0 ~0 k, u) Y! r3 D b; l1 Y
-DI = 4A4Dh
$ b" m" v4 e3 ?. H hWhich are the 'magic values' used by SoftIce.! u* G1 p8 S1 k) ?& S$ P2 K0 v
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.% U5 v7 V& X1 a' ?+ `6 f( S
) U5 w7 o- \- U' _; gHere is one example from the file "Haspinst.exe" which is the dongle HASP
U2 v4 p! z. D" D: [5 o3 oEnvelope utility use to protect DOS applications:
, S. b* i, u) n; |8 O; f5 K$ ^
2 F# }; b: K* d7 e# ^2 o" ~( b/ P u4 u, b( i; D3 r5 c
4C19:0095 MOV AX,0911 ; execute command.
% E1 s# a$ {" A7 m! r0 g2 ^4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).1 F, |# w; P* E- N9 Z
4C19:009A MOV SI,4647 ; 1st magic value.
. @" \1 e2 v( v4C19:009D MOV DI,4A4D ; 2nd magic value.! t8 A! A+ D3 W# l, \( w
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
% K. U6 u; b' r1 D, E4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
_+ i. b- C' V+ u" S4C19:00A4 INC CX
, ?- k' ?/ s) t e% D" o4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4 D( j: S! \2 A. G4C19:00A8 JB 0095 ; 6 different commands.; s. ^4 U. E7 f( H8 _1 Q0 S( V
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
* y6 X+ B/ X' ?& Q3 D$ H. x9 O3 z( K" k4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
. }; h) m7 ~. w9 e/ g* ~
' s! n9 ]0 ^6 S2 @The program will execute 6 different SIce commands located at ds:dx, which: L1 j6 K6 I- Z z: c% f6 ?
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# K P% { e9 U y/ U1 z. z; D
7 }/ r5 i0 B3 i" F8 n4 |( Q/ r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) y$ {, b9 a/ N$ F( K; _ R% k$ q+ c
___________________________________________________________________________* _2 `6 r1 j5 `6 A0 J
5 z, m+ S# b6 b+ i4 e3 i N
, D; y: C* g0 h& ~8 A( `. b
Method 03) u, U) N5 V# n* B4 \
=========
2 U5 f. b% Q: r! q
. z3 m& c0 a H7 r2 tLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
: y! C* J2 W) T. L(API Get entry point)
) L$ k4 l+ u( ~1 H0 F: P ]+ a& ]
@& j1 U; H2 r. p! a( o x) p
xor di,di
5 }" \% u% @5 {7 q( y" _ mov es,di3 t( M8 G8 t3 w8 {6 V
mov ax, 1684h
0 o, h. @3 o# w% z+ ~: R mov bx, 0202h ; VxD ID of winice. t/ j3 ^5 }# S
int 2Fh$ v, [$ G8 p1 [- p$ N- ^
mov ax, es ; ES:DI -> VxD API entry point
9 I9 G& D1 |9 D, J; B6 ? add ax, di
4 E. w E5 D$ O- @: u test ax,ax* M% G0 B4 v# _. g
jnz SoftICE_Detected, ^0 G7 _0 `( u4 m+ a6 o; e
, O# Z( {1 q- `+ K7 n& {7 ]
___________________________________________________________________________
, M9 b" }7 I- E: a- n; E* @. d: i# f, H0 l8 q- p- H5 I" Y( S, u
Method 04
9 ^2 s' u( y0 _( W5 ^: B=========% m# s+ e4 s# V3 e0 W5 K
, R1 e8 w) E" ~4 D+ h9 Q
Method identical to the preceding one except that it seeks the ID of SoftICE. N8 O3 w) o& x- k; w% k
GFX VxD.; V* D7 ?! b$ I. p4 H$ n9 A
' ]! `9 W _, D* d3 ]- R6 V( q) ^
xor di,di2 P; M! E; |3 r8 L) W
mov es,di
; t! N! p: \' P- z- ~ mov ax, 1684h
2 B- |' ]; ^1 @; B( I- H2 M mov bx, 7a5Fh ; VxD ID of SIWVID0 l7 Z' b% n7 p4 |$ X5 o& Q
int 2fh
# K2 H- p w% v mov ax, es ; ES:DI -> VxD API entry point
- k+ e- h# k) w. s add ax, di: |( D& v6 S& G( N* z& ~0 W
test ax,ax' l$ L: A: c6 x) j) h
jnz SoftICE_Detected
% i5 M5 C" H- s8 b5 R- z3 ^; m" \- e) R6 [4 W! N4 h( d, H6 x
__________________________________________________________________________# v0 ?: |7 f9 y/ L
1 Q) B" C7 w7 h; v0 o
4 y( W* ?4 x. x8 l s. ]Method 05
7 V+ t' S2 G3 n" t=========: z% J7 h% p# b
3 s+ B7 X3 a. l
Method seeking the 'magic number' 0F386h returned (in ax) by all system
# v Q+ F, I: \/ Y9 L/ m1 a2 X5 ]% `! ndebugger. It calls the int 41h, function 4Fh.- d! `) T& G, j0 {
There are several alternatives.
0 [. w0 x1 j" G! r' N9 N5 \; z: F& P8 n, H3 g' n
The following one is the simplest:6 x3 S2 v1 W" W: ~$ v/ b
3 h2 i8 m3 ]& F1 I mov ax,4fh
7 R6 }% j4 G% ^2 X int 41h: V6 E4 A J% `% Q6 P/ z" y3 ^# o
cmp ax, 0F386
/ _1 n. e6 I( y- G6 P/ j4 m# r jz SoftICE_detected
) Y6 q" ?3 ?! L5 m1 k& Z: u3 k* e' H& F$ n, z; ^& |
. R; H/ d; h( Z- N3 D- t) \1 s3 fNext method as well as the following one are 2 examples from Stone's
3 S, j0 U# j# o4 T- g9 k: o9 h7 Z"stn-wid.zip" (www.cracking.net):
/ |" N$ y/ N& M, I' H: j: M9 }+ u- f. _$ X
mov bx, cs T8 L1 D6 j6 ~+ k+ D5 z8 L2 U$ V! D
lea dx, int41handler2; e6 `% R; Q! t7 l% ~ K, b* i
xchg dx, es:[41h*4]
8 K* [3 P4 q; l* `$ P) i' K( M xchg bx, es:[41h*4+2]
+ G/ \- ]9 n5 c8 z' k) l* w& n# H mov ax,4fh# z+ R O, I$ w$ [, z2 g
int 41h/ C, a$ {+ w" B
xchg dx, es:[41h*4]
. I* v2 ?+ s! @0 h2 w xchg bx, es:[41h*4+2]6 B5 g( t. T# c' W; x
cmp ax, 0f386h
. l4 S3 B4 h( ?+ D6 B4 H: P. \ jz SoftICE_detected
5 E6 r# N8 ]* n- g2 B$ I! {) w6 |) K( f8 ]# p
int41handler2 PROC! S4 }! X. l2 r
iret" b* L5 J) Y1 @2 F* Y/ _6 J( p
int41handler2 ENDP
$ B8 w8 ~1 R- N9 s; e- _/ K
8 W& |7 ^6 H2 T1 T9 A; F) u
: {# J/ i" L. c1 C_________________________________________________________________________9 j- M" Z: N3 m$ X1 k) p+ H
0 i0 x9 \ }# j4 h) _
9 Y4 X4 ^/ k/ Q. d; s" EMethod 06
& A% y1 v& d5 [: B. S9 U& Z=========
9 a) j" M' w1 X/ \ D7 K' `6 u# u0 L- H$ n
6 |, q1 u2 i/ f1 E2 Z
2nd method similar to the preceding one but more difficult to detect:! L5 L8 |! t u; N
8 `" B) v+ j) B' O
8 j4 m' F% z, _int41handler PROC
7 L& i" b3 |* ~) c6 ` mov cl,al4 W: E$ P& Y6 _* L$ w
iret( B1 }( S+ [# |% {7 {2 M
int41handler ENDP
[* h9 b5 _& j$ L6 G5 r4 ^: f: [! I; o- C! b
$ a1 `. {# s& j xor ax,ax
* ^ I7 ] p7 p% u' K8 B mov es,ax
3 w2 ~- V% ^3 i! S mov bx, cs
2 {% k) g" _ p& c/ @1 D+ ^/ v lea dx, int41handler
9 `( K+ ^( `, Z8 E8 }! X. a- N9 N xchg dx, es:[41h*4]
0 w% `9 P" F: O9 K" b: _* v+ D" M xchg bx, es:[41h*4+2]
' ~) K' P5 `8 D* H8 G0 p in al, 40h
8 b$ w5 @3 a" c& D$ j xor cx,cx
; G, L, q% X% a4 H* X int 41h
4 p: U: s! \( t' J1 `6 Y+ ~ xchg dx, es:[41h*4]
# N, C" K8 d+ W( P xchg bx, es:[41h*4+2]$ v2 T' v3 m5 O2 E- U( O
cmp cl,al% ?) G, ?$ V$ _
jnz SoftICE_detected
7 S8 D* H5 p; y6 H+ l
6 ~' c' I7 n. C- {: u+ i_________________________________________________________________________. Y" O0 t- I/ L: @0 g- U
3 t$ U& p9 F, b# oMethod 07
; S- ]* {& k/ N$ F+ M- X; d=========
( F: V! N& v% q+ `
" v* K. j+ ^ }# v, N5 U8 MMethod of detection of the WinICE handler in the int68h (V86)
1 L# y; o! {# h, }8 V
; b b" m( A3 |3 ^2 d mov ah,43h
N# c( T, Z# L" ?( Y, f int 68h n z, |- x P, f0 T7 Y3 F
cmp ax,0F386h
7 r% H! `5 a. z3 e' ?- I; |2 J% o6 ` jz SoftICE_Detected
1 \* Q, v- U6 T& w# C% L
* D7 ]4 ]0 H& R- A* A/ k* n
$ c) z, F u* E0 a; B=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 y- G i, }! ^8 L/ u
app like this:
5 g( ^( x9 F: f& c$ D% }6 }$ W& p X
BPX exec_int if ax==68
|9 R8 p$ I0 T5 { (function called is located at byte ptr [ebp+1Dh] and client eip is% t Z# z( Z$ N1 _" s# \
located at [ebp+48h] for 32Bit apps)
% j6 w& O$ [. C1 R__________________________________________________________________________
& D) f: f2 ?1 P$ d6 E2 A' ^" w6 m6 A- b6 A3 |3 R5 V/ x" Y
$ a$ D8 Y' y; |% ]% t# aMethod 08
9 U* @( P3 T( I4 o' Q=========- B5 _/ V2 } s$ j3 u" D
% ~4 K) M. l( {* u4 m% o. I; zIt is not a method of detection of SoftICE but a possibility to crash the
, b' h. i* T. e p+ bsystem by intercepting int 01h and int 03h and redirecting them to another' g I" u2 Q/ y( j! m) p* a2 R
routine.0 x. u0 y, Q0 o7 T# U; l
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& }. }7 I# q9 }% C. E3 pto the new routine to execute (hangs computer...)
( }, z, Y+ d$ r8 @6 }/ \( W/ E9 d& m& S* k, B+ O* D, `& Z
mov ah, 25h
X" o* @4 ~+ | mov al, Int_Number (01h or 03h)
3 E. l" { N# C# f3 C: V mov dx, offset New_Int_Routine! c: E1 b+ Q' }1 D0 `9 ^: D2 w
int 21h
9 R- R* @; X+ g5 o" o( k- ^; q0 k
& L! }7 u# y! H1 n$ w5 [/ Z__________________________________________________________________________
1 i# g5 Z4 ?8 O/ q% i
/ W* H# i- Q9 x! [& L: iMethod 09
5 G: A) ^; l! p" X$ o h) W0 @: x=========
9 @1 Q+ ^+ N9 W& }0 \" m% [8 y2 @. ~
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" {8 T+ s- C4 rperformed in ring0 (VxD or a ring3 app using the VxdCall).5 [9 w# H" `5 W3 f
The Get_DDB service is used to determine whether or not a VxD is installed
. }! d A! z* Gfor the specified device and returns a Device Description Block (in ecx) for
+ }2 [. J) W3 \7 e9 T6 gthat device if it is installed./ g9 Q' G1 W) H7 U! Y* P
# P9 W! J* w4 Y! ~- e% E; e3 c mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ s! e" H1 }$ A. R" K; c mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
) F6 Z6 ^( C% P VMMCall Get_DDB' `+ t$ C6 i' ]+ r
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed9 K# P! K* j/ [6 p. b' C1 n2 W
! Q% y5 x4 J' F G: S1 r B" p5 o
Note as well that you can easily detect this method with SoftICE:
! y$ g% |8 J; a bpx Get_DDB if ax==0202 || ax==7a5fh
1 \, }' y a! c& u
6 ~3 I% D% H9 _6 Y__________________________________________________________________________
+ L- d+ b! ]1 r& p% L, X+ e/ S
) S; N' R1 x# h2 wMethod 100 a4 ~ ?* O$ @5 g6 R6 e2 {
=========/ S( \( o0 U4 n
' w" S- T4 u5 |1 m% W# C=>Disable or clear breakpoints before using this feature. DO NOT trace with
& q) f( g4 w2 E/ C SoftICE while the option is enable!!. E! F- M# @, g! F4 u! i
2 I5 I1 [' t. v# h4 b9 v. D7 g
This trick is very efficient:$ c$ Y& N/ T+ R+ ~: J6 ~& v
by checking the Debug Registers, you can detect if SoftICE is loaded4 q8 N: m: e. d
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# o* P! K8 Z$ {$ zthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ P9 p) Y) b4 C$ mvalue (in ring0 only). Values can be manipulated and or changed as well
6 m3 [8 G% A% a(clearing BPMs for instance)3 [* R& G# U' \* d/ h* R
2 z+ ~4 A5 E% j# m9 I
__________________________________________________________________________ N+ u$ \/ G/ @$ y
, t, z# W& M% ]! s/ \: [Method 118 v1 h+ ?4 [0 n5 M' v+ n
=========
5 M" w' ?0 p6 p" ~( i5 T) j1 Y3 {3 M+ ^, E0 p( Q
This method is most known as 'MeltICE' because it has been freely distributed1 o' c3 T, p3 B" H
via www.winfiles.com. However it was first used by NuMega people to allow9 J8 ^3 t2 C+ V0 B
Symbol Loader to check if SoftICE was active or not (the code is located
7 H: n" R" @; O+ ^! Binside nmtrans.dll).
7 {, X: L/ `+ |( B& m/ P% b1 o+ I+ H" v; _: F
The way it works is very simple:
' a( p6 w* v9 [It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for( a6 j! o- I$ v/ V v& a* m
WinNT) with the CreateFileA API.
- e/ V+ y& H$ l/ E; W1 P, Z5 @2 @# ]: ]+ J) G& k( }) h
Here is a sample (checking for 'SICE'):! Z- I, R% E: G2 C- {& Z: x
/ B! i5 G! [; m# f* c8 zBOOL IsSoftIce95Loaded()
! ], L2 b. X; w{$ S% h+ X# c( O$ d
HANDLE hFile; 8 T4 h0 N( D, o1 ?( `( P" t
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: c" I! X; u; J. T: u- |
FILE_SHARE_READ | FILE_SHARE_WRITE,
( f- \* E0 Z( r- l NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1 g3 H' R: p0 V" t5 K. I4 v% ~; j if( hFile != INVALID_HANDLE_VALUE ) E) V) P8 x F' m1 G# U4 E9 T
{
4 @1 s( x9 r3 w! f/ j# w7 L5 T CloseHandle(hFile);/ [ Z) b, H& K( F) L
return TRUE;
1 g+ }8 R8 m7 H0 V# a }
: |) s) q: a2 z/ X- v# T return FALSE;
( ^! ~" o/ }) R}
/ S2 V5 P# u) A* ?0 Y. e' \3 U9 d+ @+ X" l
Although this trick calls the CreateFileA function, don't even expect to be
/ N B$ G S& o& Zable to intercept it by installing a IFS hook: it will not work, no way! O/ f) N- E: O- |5 p5 R# Q5 p
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ t: y* g7 f" x; J' z: o7 b3 q) Zservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
; u5 T; U% |$ R5 \' J |. [and then browse the DDB list until it find the VxD and its DDB_Control_Proc
& o! X' O0 P0 n" hfield.
5 J5 a8 _" i+ w2 G0 c6 jIn fact, its purpose is not to load/unload VxDs but only to send a
/ L z3 e4 K, _: A! p E! xW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! y6 m+ m; P6 e" h* Q# W& [
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
" C% m; A# l: _$ Eto load/unload a non-dynamically loadable driver such as SoftICE ;-).
8 S6 l: u4 A$ x5 RIf the VxD is loaded, it will always clear eax and the Carry flag to allow
, P* N. |4 P- d% a, |9 d0 b- Xits handle to be opened and then, will be detected.; Z# a, r& J- `# D
You can check that simply by hooking Winice.exe control proc entry point
8 d! u! U' ]7 }while running MeltICE.
# q6 C5 _1 q1 a: E# a$ _
2 f g b0 n: x( p' q# d6 |
! B- g8 X5 k& |# `! m, C; v% l 00401067: push 00402025 ; \\.\SICE
" |& r1 G$ F) {; M" r/ j& _ 0040106C: call CreateFileA
1 j8 a* ]- m9 E4 M 00401071: cmp eax,-001
! w! c+ X/ o1 Z* c4 g! h! T 00401074: je 00401091
. y9 o; ]2 H; O' Y- e3 j" s5 O. \# k, [5 n4 o9 l
* F6 K0 V& N2 r# r5 L/ L, W {
There could be hundreds of BPX you could use to detect this trick.1 p) ?& e- X% z! ~7 z9 s7 c
-The most classical one is:2 k" d3 R! |# h
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
% w: \$ ?: |1 i, u, j" S *(esp->4+4)=='NTIC' R" S& R& J) T* N
; `+ K. ^7 J+ |; I-The most exotic ones (could be very slooooow :-(
~5 o& ]1 r. w9 l% { BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') # w* @8 Q' d. w8 p5 u
;will break 3 times :-(
) x! `2 ~7 ?7 o0 o
! s3 L* }+ ^/ e( B- j3 [# O. M. t2 D-or (a bit) faster:
% j+ c2 |9 t0 d1 I5 k BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 w7 z, Z% D) w% W! ~7 X0 l$ x
( G9 f# V8 ~3 m0 o, e9 r; P7 B BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' $ E2 r/ \9 U$ M! w
;will break 3 times :-(* n: \( M5 p/ i$ a: T
) | N9 [0 @, D% D7 B-Much faster:# T, X" i) i" M4 s
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
1 S( d2 [0 {& d' f& p5 \* f
3 y9 J4 I' b+ e- C9 U; ^Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
, Q, L/ `- g% W6 e5 }2 cfunction to do the same job:
+ Z% |: j( b! q0 Y, x- _& Y% R2 b5 B1 w7 @8 s0 q& P
push 00 ; OF_READ
- H# b, R6 j' B+ q# h0 z mov eax,[00656634] ; '\\.\SICE',0. W( X* ^4 h/ u5 F6 p- r0 b
push eax
/ }1 `' C- @ w0 m% E5 ] call KERNEL32!_lopen+ Q0 z5 q& S! y& b, C0 W& H5 C: d! l
inc eax: x7 h! f0 R- _$ a m# M4 S. N
jnz 00650589 ; detected- \& \! I3 b, J
push 00 ; OF_READ
0 r4 s6 w! S( {, I$ s0 X# g mov eax,[00656638] ; '\\.\SICE'( ~% ^8 g0 V8 Y( f
push eax
* D9 |7 S: n8 _$ q call KERNEL32!_lopen9 R4 o4 @+ A0 u) \' Z+ q
inc eax+ p: m0 c0 L. l5 P; w
jz 006505ae ; not detected' [7 U* Q' G6 Z) U8 J
4 t8 v1 z9 Q2 H S- e( }% u' \( }, H
__________________________________________________________________________9 m: o0 u1 W+ q3 D8 j/ a( v7 C
' Y5 |5 r; r1 s' `- P! `+ OMethod 12$ D/ P: k3 I% h) ~) D
=========1 |9 \9 D9 G2 ?& C
6 A+ t% t8 H: |4 l
This trick is similar to int41h/4fh Debugger installation check (code 05
6 G8 K. ]" o: q, o1 y& 06) but very limited because it's only available for Win95/98 (not NT)* b" S2 \; K4 h4 H' M
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
: t+ f( V4 P, e& J! k% R/ X7 G8 j# H Z! `. H2 ~5 j. f8 d {
push 0000004fh ; function 4fh
# ]% I% v* o% |, f) U push 002a002ah ; high word specifies which VxD (VWIN32)8 M( `. A( I z+ n( p* U
; low word specifies which service! t" r& @! K9 |3 y
(VWIN32_Int41Dispatch)1 T+ u4 l$ z4 Y2 L
call Kernel32!ORD_001 ; VxdCall( n2 ^4 Z) k# \* B8 d. d
cmp ax, 0f386h ; magic number returned by system debuggers
4 z4 d* a7 p5 @3 v jz SoftICE_detected2 W O2 @$ V4 \1 z/ T4 P
' }* G4 }! x2 Y0 I e) x0 @" E7 mHere again, several ways to detect it:
& y- E8 z; e: ?5 V6 e! k; V2 w- ?6 T g5 X% W
BPINT 41 if ax==4f
6 U) o% p* ]7 j8 F, m/ R0 A8 d3 Q. |; t) Y* l
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one, J; }. l: ^! i- j, ^
; D, `# ~+ _7 \' z# P
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A5 J6 `% R7 {: u* c6 ?
m$ N* q$ q' D; k D6 n( l# b BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!+ n% M3 @' O; \: L9 w* a
* N) y0 l. r5 h1 r, G4 z
__________________________________________________________________________+ J$ g4 j8 Y. w6 {1 |* H
; e8 E6 B* i) ^0 @$ p* M1 M! ?Method 130 f* t6 m# l& C7 s6 X
=========2 u$ p5 ~3 l, a0 h* ]
6 B4 y) E) a, {0 `# u: wNot a real method of detection, but a good way to know if SoftICE is/ a! p, P, j( Z. s) Z, p
installed on a computer and to locate its installation directory., r8 ?9 S2 n2 _- h# S% \
It is used by few softs which access the following registry keys (usually #2) :
' X9 y/ g# s7 J
3 X* B% ]7 R3 |" E8 J9 i0 ?8 t G-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 k% i; s( J* t/ l- g, X2 n1 ?) s\Uninstall\SoftICE
2 `+ G; [" R8 R" u3 w) b- @-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. ], M6 i% j3 Q+ _! w/ ^- X0 |-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( l$ @5 \* p$ Y# v1 W& ?: E. l) }. v\App Paths\Loader32.Exe7 ~* Z) V, u4 J& o0 l( j
9 }; t% ^9 ?& a$ e: w0 K& N& \' v! ?# d2 F% u1 X! G
Note that some nasty apps could then erase all files from SoftICE directory9 _# k. ]% X# F
(I faced that once :-(
/ A# f O$ W+ |3 D0 T
* t. L8 U7 C- @9 f( RUseful breakpoint to detect it:
( s) A. ]2 @6 _2 x7 ]: R1 Y: T
6 S* F8 w2 v+ L. x7 _4 d) s BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'# N% o, c* u2 M# a; q
1 m2 C& E' s/ ~5 @( s5 B7 Y7 U__________________________________________________________________________+ a# _+ y- B4 A& `* a
0 l& A q) B* v) {# h+ p3 l4 L3 R ?$ z+ W$ W1 l. P0 Y
Method 14 " ?' |' d) V5 R
=========8 H7 u: I, L( B) Z y* F
1 G) D4 }+ T. Y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
+ s( L4 ^8 \) p+ eis to determines whether a debugger is running on your system (ring0 only).$ i1 P% T# I0 i, ?
" X3 X+ u! I) o8 g t t! y VMMCall Test_Debug_Installed" \! J1 y2 R" s$ s2 U- ]
je not_installed4 E6 o# M0 T7 d) p3 K0 G
# i; r4 u y* ^0 a) G5 J* G# t2 b
This service just checks a flag., \ P2 N% S1 e* b: y: p9 H1 r
</PRE></TD></TR></TBODY></TABLE> |