<TABLE width=500>
5 e" p0 q4 \# K) N* m% t<TBODY>5 _) Q: e! ]. b
<TR>* ]7 m) S6 z& f O. R
<TD><PRE>Method 01 ( `$ @6 R7 y) {% k) h
=========6 F/ N) E) P2 _
: T0 y9 w n' [( DThis method of detection of SoftICE (as well as the following one) is+ N% H' W3 R6 m
used by the majority of packers/encryptors found on Internet.$ W9 s3 D/ s$ t/ p6 W( L
It seeks the signature of BoundsChecker in SoftICE. s/ O4 b( A7 k f: y5 ^- R2 R
/ R& U" R; Q) _, r s3 j6 V( v mov ebp, 04243484Bh ; 'BCHK'
4 m& L x2 M, @1 D+ R8 ?9 ] mov ax, 04h
4 |5 ~9 @: X9 @) [; i int 3 1 g' `9 E# c' a3 s: \ m
cmp al,4
0 b4 K/ ?- l& i" J3 r jnz SoftICE_Detected
, Y! B# @. }/ C
7 K8 K* v9 n- u8 a0 i0 i3 p___________________________________________________________________________$ j( m! C- y3 b& [
) U9 I# b J% M$ ~8 G; a' R
Method 02
$ g. h- _$ A y/ d=========
; {. `: ?# D8 {8 @+ q' j
# ]. ]" x5 R" R+ n- O1 {: {Still a method very much used (perhaps the most frequent one). It is used
& s9 U7 B8 p3 cto get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 I7 L' L2 K/ Z) O( O) q# F
or execute SoftICE commands...
) g, M# L1 R- x2 n3 m* X( @It is also used to crash SoftICE and to force it to execute any commands; S: V6 z- `/ s+ I$ c6 z& U
(HBOOT...) :-(( - I* M8 g! ~; s% l, X. X; c
6 k$ x2 \6 b2 QHere is a quick description:
6 C4 @; @8 ]& m2 q1 _-AX = 0910h (Display string in SIce windows)
$ s* ~ g" T/ Q$ ?-AX = 0911h (Execute SIce commands -command is displayed is ds:dx). t1 a& d. q2 g9 K9 ?
-AX = 0912h (Get breakpoint infos)
3 Y* V g' P& y! P# q! ?-AX = 0913h (Set Sice breakpoints)) e/ ]# @/ B3 W5 q
-AX = 0914h (Remove SIce breakoints)
+ Y) }) ?( K: s
( v8 {7 X, a$ P4 F& ~Each time you'll meet this trick, you'll see:
. e: j! |/ X% C% ~-SI = 4647h
0 ]2 [8 a6 X2 F! n+ C-DI = 4A4Dh
5 Q* F3 p0 n& qWhich are the 'magic values' used by SoftIce.! p, a0 _' C$ j. u8 [; S, j
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
4 c1 v9 v( z) `' z
H- m" V+ |9 u3 _) THere is one example from the file "Haspinst.exe" which is the dongle HASP
' m0 A' u, @, R5 K2 O8 gEnvelope utility use to protect DOS applications:
0 h0 A% B; T! g8 Q# i( k- W5 W7 `" W9 N( w2 ]
* Y/ D* u/ z* v7 R# o& X0 r
4C19:0095 MOV AX,0911 ; execute command.6 e6 Z9 W" ?, k
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
0 o; P1 b% Y* w6 s a4C19:009A MOV SI,4647 ; 1st magic value.6 p' b5 x+ `4 |5 `2 }
4C19:009D MOV DI,4A4D ; 2nd magic value., N) ?- X y4 F i- p" J+ V1 g
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
! N& ], @& ~) x) w' z. D4 D4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
$ l4 {9 s0 R; e+ D/ f) ]! n4C19:00A4 INC CX
# b2 ]- [1 `" m5 @4C19:00A5 CMP CX,06 ; Repeat 6 times to execute1 Z$ G, ?3 x. p; c, V# U# o
4C19:00A8 JB 0095 ; 6 different commands.; o* q8 ?) v3 `0 u# T
4C19:00AA JMP 0002 ; Bad_Guy jmp back./ C V4 }8 z$ I2 @; @
4C19:00AD MOV BX,SP ; Good_Guy go ahead :). ?. }8 t8 A3 C3 H
: I) i4 {$ G( X- W9 z
The program will execute 6 different SIce commands located at ds:dx, which
% k, U7 L' H7 b/ [6 Iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.) D, c$ C+ x2 f/ ]3 E# K
" b: ^6 a& k9 H9 S2 J* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.9 _9 Z: u6 y8 c+ @
___________________________________________________________________________
2 g( X& ?( q, G& j: o* z( J( s( F% v, Z) n6 G9 [0 w: _' Q& c
2 J# b6 @0 m1 }1 N/ I# Y
Method 03# D/ [0 J# {6 D' z! d4 D
=========
0 H2 b' i2 V& K8 G3 e# n2 n+ b
1 R4 N' c) M4 q! V2 wLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h- g7 n, U$ D" q# O2 C
(API Get entry point)0 n0 n3 c* m% R* v8 s( @
) r6 X' d8 H, {# i& u4 l- Q5 m f' L; D: E
xor di,di5 ~' M$ d2 k f
mov es,di
; e/ S2 _; ?0 Q. p& e9 p mov ax, 1684h ) ~0 m- r: M: q' I
mov bx, 0202h ; VxD ID of winice
4 f/ v7 P5 q0 H( V: ]4 K. x' A int 2Fh
" J/ _9 l7 |, F) w7 W mov ax, es ; ES:DI -> VxD API entry point, v7 F& x- F/ \! w8 w
add ax, di! F) I0 j: j+ J8 o) V4 R6 U4 p6 E& b
test ax,ax( d7 w$ t* J1 I8 b w y' a
jnz SoftICE_Detected
) J9 {/ _: c* m9 l
6 N0 _& P: q2 h6 x___________________________________________________________________________. f: |2 F! h5 z5 m2 S
( b' A5 y( A& D# l) g3 E
Method 04
, F9 Z9 C* M/ s" N=========
; i" @/ l7 {5 u, c6 n
% [6 [; z& D9 TMethod identical to the preceding one except that it seeks the ID of SoftICE
7 O7 C0 C8 k6 F& gGFX VxD.- _7 \. E; g5 P0 ~( P, N
7 `5 b8 D" {* \ xor di,di) s/ A9 b2 H# [% y
mov es,di6 m9 o& W" U8 r
mov ax, 1684h % }5 e6 G' T+ \5 ^' v3 s
mov bx, 7a5Fh ; VxD ID of SIWVID
( z* t( O; K/ \/ M9 F' G: G8 {( F int 2fh
* G7 b" g/ W5 j+ h0 r: c3 D8 q mov ax, es ; ES:DI -> VxD API entry point+ H+ v; h& K! R1 q) T( u. O0 N
add ax, di
! r* d% X E- @9 O' Z test ax,ax
5 i* c/ @8 L5 v, Q3 s( y. y jnz SoftICE_Detected2 x- a3 s0 D% G K5 n8 E/ ]
0 F+ q" W d) r: p4 C4 m0 a5 x: Z% x
__________________________________________________________________________: l, h6 s- G! g
9 l5 D7 n2 D; _% P3 k
) O \, i/ ^2 VMethod 05
/ K) U) |; I% ]: V0 z: ^=========
0 y9 o0 D% F& C1 w% @+ D9 _! ]$ U# j5 ^5 }, _+ f
Method seeking the 'magic number' 0F386h returned (in ax) by all system J* p' \$ P5 r* G
debugger. It calls the int 41h, function 4Fh.' U/ B5 Y" Z m# ~( d
There are several alternatives. 2 D5 _+ B+ J$ f# n( N9 L8 p, e
; C6 S J' E& }" n) P" D5 z
The following one is the simplest:
0 ], k4 \% H8 z2 f7 V& x9 _5 o# o7 m+ a3 x2 o3 D S O9 ~
mov ax,4fh
% Z9 ] c- [5 s8 } I& a( w int 41h
3 u+ Z" F) ]3 N1 W9 } cmp ax, 0F386
$ N, B4 P+ f$ H" H9 S f5 d jz SoftICE_detected, R: o4 r7 } b9 i$ [
o2 t2 [" D. _/ c
6 d- I$ Z! T+ o* `' ANext method as well as the following one are 2 examples from Stone's
- r, h- Q( R9 X# N, x8 ]2 e2 e"stn-wid.zip" (www.cracking.net):- d1 r4 s( H' m3 F5 x; Y% P( x: F
: ?+ D- M* F1 s4 h4 v( t
mov bx, cs" S. F- n$ Y7 a. p7 \; Y# v0 P
lea dx, int41handler20 g8 \0 w4 f7 q3 G
xchg dx, es:[41h*4]3 ?- f0 X/ r/ h* h+ N
xchg bx, es:[41h*4+2]! B9 V; q8 L% Y4 o' u' S
mov ax,4fh
+ c* c& y: U R+ A# P7 I) B# e int 41h. S# K- t; ^/ w- l
xchg dx, es:[41h*4]- W6 v$ C) r/ _' U! y: \3 I
xchg bx, es:[41h*4+2]' y* L* K; c# i: O# O
cmp ax, 0f386h
" B6 E$ \# W- w' K jz SoftICE_detected
8 T& D' m/ u; e3 d1 Z7 k' h# s3 ^8 n8 l- u N# a7 d
int41handler2 PROC
; m1 i6 g6 l/ O L1 h3 a iret- B+ Z+ ]1 K1 S
int41handler2 ENDP) r& L. M$ D6 ~0 w. \+ K
" Y- {, ^9 `8 o/ Q4 B/ D) }! u# g. Z& X
_________________________________________________________________________
# c# T- l+ Q4 e# g
6 _ H7 A" R$ I$ |+ X+ @* |8 W1 h/ l$ L' T! M$ D! U$ C8 n
Method 06! i/ C4 X* ~% O: c5 l! x" a
=========
% P+ Y7 J: M# t7 j4 F6 G
( ^0 R2 s8 c- M( g/ \
2 p, ~1 v+ h/ l$ P+ C, L K2nd method similar to the preceding one but more difficult to detect:
6 p# P) |# M7 A) M0 i& i4 f
; B" ~% }& T* H& g; p9 y* e* Y/ y. H l7 d/ f; M
int41handler PROC
) _7 t% H" l$ N5 S: P6 | mov cl,al
6 j6 Q- ^9 Y1 L, t6 @( p! } iret1 K9 l; ~$ y, i* Y, s2 S6 l
int41handler ENDP
. F/ T. r; ~6 n: }
2 }$ u4 M& i! G( d7 X$ l: c
6 q! ^9 f* s5 N xor ax,ax* ?; a1 c# {) k' d
mov es,ax% W3 `! ]: G3 |) l( }
mov bx, cs
' y4 M7 T* V6 M8 _2 g7 v% `1 b lea dx, int41handler$ ?+ m5 B! z' G# X* [. ~9 y
xchg dx, es:[41h*4]0 }4 s7 E$ ^; z! g& w9 k- {
xchg bx, es:[41h*4+2]8 ?/ u# b* Q1 y
in al, 40h
5 b% n+ `& R M8 T xor cx,cx
; l6 S3 |! ` V! o y X int 41h4 k, ?( a M& `$ `. k9 ^
xchg dx, es:[41h*4]
$ C4 J V9 Z. h5 L* l) \4 e xchg bx, es:[41h*4+2]
* g' v7 P; n" {& T( r cmp cl,al, u' f8 d/ H! A. S7 z+ E
jnz SoftICE_detected
, A; J5 o4 R2 ~3 }. J e" G+ ]' n
_________________________________________________________________________
t2 [. n. y1 L( S. Z* i# T, G: o2 {4 v7 L; h) @
Method 07( i; I4 u. R) g+ _2 J* i5 |
=========
. l6 h. j5 m5 V
/ ~( C! W" R+ F" q. R6 mMethod of detection of the WinICE handler in the int68h (V86). k- a T* \/ {- `& W4 ~
& h- u E" X9 e1 a$ z1 o mov ah,43h
3 b( `* Y: f' }8 M6 t int 68h
2 U3 j+ l; q f/ v+ T1 ?8 w cmp ax,0F386h7 s2 O% d, T0 r3 [7 v
jz SoftICE_Detected
* ~# M6 ]/ r3 a: N8 s
2 e4 I- y) G8 D* A+ i! a
3 M* L, g3 C" m% G- l0 u7 h=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" }0 j0 G. Q9 r0 o3 U# ^9 ]
app like this:
" S# P! u& y k6 a8 f# q" T" Q! Q. J1 ?0 j4 b
BPX exec_int if ax==68: Q' s: S# |# ]9 G0 S% W+ u' \
(function called is located at byte ptr [ebp+1Dh] and client eip is
1 l& k x: V5 c: P" P located at [ebp+48h] for 32Bit apps)
J# T# t; g( v( Y4 `6 t__________________________________________________________________________
! `' R/ s$ [6 u! f+ z, o/ ^1 i
4 Q2 P/ _* J8 c9 z3 j: J
0 x( X& X" v' S5 B. t3 kMethod 08
$ n9 j4 _; E2 Y2 r=========
$ W. ` h" U; D
# k& A. N! g: X2 WIt is not a method of detection of SoftICE but a possibility to crash the8 ?' O' i I. r w2 Z6 Y0 H* }" Z, b
system by intercepting int 01h and int 03h and redirecting them to another v4 f3 @% ~( h
routine.
0 `8 K4 Y" v% w0 g* {* r9 cIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- r, Y G% F% u: `to the new routine to execute (hangs computer...)
* {3 N: [! @/ O
$ F: M6 q3 Q# k8 w0 I mov ah, 25h
, Z* j m; X+ f# D! j mov al, Int_Number (01h or 03h)$ v$ `( H% D1 a
mov dx, offset New_Int_Routine
& b$ D' [+ ]& B* {+ H& t3 [ int 21h
$ \7 d0 H8 j- u/ q: G# U5 E
0 `$ ]/ o6 b5 n2 ^. R9 M9 o__________________________________________________________________________$ }$ \2 Z3 c9 p( F7 x3 Q2 l- V
6 O9 b5 v" ~; g- m6 r, VMethod 09- ^5 f4 n) ?; W2 w
=========
+ @: c e9 N( G1 D
0 A" D1 P6 d) D, ?8 a7 hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 s, w# Q6 d" A" }! A/ S8 B/ M& operformed in ring0 (VxD or a ring3 app using the VxdCall).9 `# T+ i/ \ V. o% K+ P; D1 M
The Get_DDB service is used to determine whether or not a VxD is installed
- J) |9 A2 T1 d/ lfor the specified device and returns a Device Description Block (in ecx) for
3 O, _- w/ T2 C7 Z7 f2 t4 ]that device if it is installed.8 O; e2 |, l4 m2 U
- c4 c* q* }+ @ mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID! f1 `! m5 p, c% j! v$ S5 h
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
5 x4 C0 ]0 L3 A VMMCall Get_DDB/ X m" Q; w9 D
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed) ]0 q# `) o) g. L) |2 @4 a, d
) k o S) R* J$ A, A# n/ S* j sNote as well that you can easily detect this method with SoftICE:
+ g. m* x+ m+ S# n bpx Get_DDB if ax==0202 || ax==7a5fh
; r" C5 M2 s9 W* \, @! F. ?. {4 {9 m( K* a, I7 |7 n
__________________________________________________________________________
/ C6 G2 M, C: f8 o5 m' v" O
8 E+ u" v4 v( J# _: eMethod 10
' H+ _% m) D4 w$ ^=========: g' ~' \; a. _. \) F) u( W2 J
( T- _, P* _) I2 @' z+ _8 A; D=>Disable or clear breakpoints before using this feature. DO NOT trace with
% H, o+ H& H- q) B SoftICE while the option is enable!!5 l9 a: m- r$ t
. W+ l9 S. z# L. QThis trick is very efficient:
8 [: k/ n& P% k# `by checking the Debug Registers, you can detect if SoftICE is loaded
, N9 E" z2 `) N% }- E0 P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 s) }6 `2 |3 M& b( [
there are some memory breakpoints set (dr0 to dr3) simply by reading their$ y0 D1 t1 I' Y3 I; E- V6 o
value (in ring0 only). Values can be manipulated and or changed as well9 D* k% i# q& a. W1 w6 Z" t$ S* |
(clearing BPMs for instance)9 V% o. I5 Y& |* z; O5 k) V
6 @- O, h/ }# ^; P1 L__________________________________________________________________________
7 `5 e, Z( l. N. @
3 d# m. L% ], |% J$ q$ WMethod 11
: B. |# ~* ` @+ [2 J2 u=========+ D( D' q$ @8 V, O1 ?2 M
+ O" [ @% W7 N; Q
This method is most known as 'MeltICE' because it has been freely distributed
5 h7 B' @/ k, {; n* Ovia www.winfiles.com. However it was first used by NuMega people to allow
5 w; \& ~3 G# O8 Y* l8 BSymbol Loader to check if SoftICE was active or not (the code is located
D" d y1 v' n8 w) iinside nmtrans.dll).
. Z4 t4 _; u' ]
( E8 D& x0 O% _' {2 r) `The way it works is very simple:
+ \8 k7 A" G& k G+ M& B/ t5 nIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 @+ G9 ]. [3 ?. ^- X7 DWinNT) with the CreateFileA API.$ k* H0 o* H* H+ m/ p s) _# t
6 y" M: Z. r1 Z7 p
Here is a sample (checking for 'SICE'):
) @2 H- \3 r3 N* ~5 A- i/ k) |8 ]# E
BOOL IsSoftIce95Loaded()- g, s! E- t# h
{
/ B- {4 g3 z7 Y, n& ~' j HANDLE hFile;
, g+ y, c, H9 N( ]6 s% {4 F9 O hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- c- G+ b ?$ i% _
FILE_SHARE_READ | FILE_SHARE_WRITE,2 [$ A" Q) R/ T$ n S( g L
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 O5 [7 ]5 Z! z" C4 G
if( hFile != INVALID_HANDLE_VALUE )0 E& o! y7 i S0 t) @+ c% k
{1 _' E0 r( v, X, A/ V* K4 z
CloseHandle(hFile);
5 e. N8 U/ s3 N% e% Z$ a return TRUE;1 ~6 f: \; L' V
}* t4 `. z8 C; b" I5 ~7 C' d
return FALSE;
) o( Z5 z, H. w( Y! V}
7 X q8 n9 R4 k7 E! D. p3 K4 G) P. d6 y8 }& g0 @
Although this trick calls the CreateFileA function, don't even expect to be% Z2 w8 \4 `4 r: Q& }0 Y
able to intercept it by installing a IFS hook: it will not work, no way!, M$ j% H# v+ Z, Y L
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
& Y/ s& c) v4 r) gservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
# Z8 v9 r; J- `# B3 kand then browse the DDB list until it find the VxD and its DDB_Control_Proc
& O# u* J1 R1 K7 [! |field.$ H- B k" f+ V: w* M1 d- v3 k7 A
In fact, its purpose is not to load/unload VxDs but only to send a
, J q& T0 b9 W% P" _- fW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)) f4 p; W2 t6 G5 u
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ f& M# D! n1 `! O7 W E( g" [to load/unload a non-dynamically loadable driver such as SoftICE ;-).' o! v" `( n+ ?; L2 E8 N
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ ^+ z" B9 E1 y2 U+ v vits handle to be opened and then, will be detected.0 z* d+ r7 v; N, P' G& A$ ^
You can check that simply by hooking Winice.exe control proc entry point
, F6 `* O- W5 T; \8 q; F3 gwhile running MeltICE.
" F0 Q# L6 F* z( }- v$ e; d# w% X d, S( i" I6 H* D/ y
, b i7 V3 o8 i+ v 00401067: push 00402025 ; \\.\SICE
8 i; B: f- U8 e' |- d8 j 0040106C: call CreateFileA
2 J( h/ M5 F; Z7 b' N# p 00401071: cmp eax,-001
1 U2 g) ]4 m3 A! y3 J 00401074: je 00401091; }% K( \3 K( R% [+ F
q3 a* X" M6 z" b2 @
& r! j H! [' k% c8 K; x3 DThere could be hundreds of BPX you could use to detect this trick.% d: Q: q1 v' T/ l0 D5 p
-The most classical one is: O# f& t; o3 \+ {+ r5 D. R# E
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||" N+ I% w' o9 _9 C: }* M8 }
*(esp->4+4)=='NTIC'
/ [3 E2 |0 I T9 d/ r5 q: t K
8 I$ }; r& l* b% W3 U-The most exotic ones (could be very slooooow :-(" D$ v1 \" D6 ~/ q
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') / P2 L' ?" v, W+ y( Z4 D8 o
;will break 3 times :-( I J/ q# l- Y. M9 T9 y5 m I
: j4 t5 m4 f& J$ W$ j
-or (a bit) faster:
! i) ]0 c: X/ c5 t% p0 r8 k BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 _: o. e/ a" B9 E3 K( @" d; `8 J6 q$ |9 _3 A; z
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' - z9 r& r4 ]- d5 X: [& ~0 k
;will break 3 times :-(0 i' C2 z/ y6 R' B3 k( j! v
9 R6 K# [ f5 d8 [
-Much faster:% B# g8 L+ P% N" K0 {
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'$ Z8 o* ~, P6 M0 _" R4 j
6 w$ y0 B6 }& X0 c: v. y) \* j7 T
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
' `+ u! V' C; x/ G& Hfunction to do the same job:2 E5 H; S, w. Q6 T% J) X
+ B ?6 O" I2 n+ K; Q push 00 ; OF_READ- W! l/ G' T, a6 B* b% D/ {
mov eax,[00656634] ; '\\.\SICE',03 j/ `; r6 k0 _9 P) ]- o* J
push eax
# Y# [0 k9 _3 m& N: b0 a0 Y- j call KERNEL32!_lopen6 v$ I9 G4 v: _% D8 n, Y' a1 y. f
inc eax7 N, r1 y8 ~, i& R1 \
jnz 00650589 ; detected% ^# m' w Y+ Z$ L: X4 h( G" v2 I6 C
push 00 ; OF_READ6 u% {: p1 [' |* M& t) r& B: A
mov eax,[00656638] ; '\\.\SICE'- v( J/ ^4 v# ?1 n
push eax
7 V8 l, J/ g: M6 O5 x call KERNEL32!_lopen
2 A1 y6 o I3 i) L6 R7 o; b inc eax, e: m" X: s9 b7 d0 _# c4 b/ A
jz 006505ae ; not detected* J% N/ I) R# L2 u
, v$ a% F4 U8 J+ ?+ l* j5 @& U
* ?1 V s' b$ `9 U- m__________________________________________________________________________
6 A/ {4 V2 `& s2 F% [4 ~6 {
8 t( z' _$ Y( X" [Method 12+ j5 h$ y- n: n# O
=========+ Y% K, \4 p/ |( E! C4 @1 \
$ @9 s3 `1 k* w& ^* Q, c9 K" T
This trick is similar to int41h/4fh Debugger installation check (code 05' q+ y8 X3 j+ L' w& M6 y
& 06) but very limited because it's only available for Win95/98 (not NT)5 y r5 n$ f) n& c" L7 q( K0 e5 r) }
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
: Z2 o+ ]* w2 x! l2 N7 g) U( g1 ?
# Q8 B5 i2 t) t& a( x% m8 v push 0000004fh ; function 4fh7 p' L5 G3 T( t5 @8 m; e; |
push 002a002ah ; high word specifies which VxD (VWIN32)
' y) r* K* P* E2 ] ; low word specifies which service
$ w1 n; V8 t' ~5 L3 [ (VWIN32_Int41Dispatch)
# I7 P; w# R7 U$ F call Kernel32!ORD_001 ; VxdCall2 g3 n& z* c5 _+ E
cmp ax, 0f386h ; magic number returned by system debuggers8 D: ^% m+ o4 C, @
jz SoftICE_detected( [0 C/ b, A2 c2 b7 r
! c0 z+ p) ^* W- h# z/ n8 J1 U* L
Here again, several ways to detect it:8 g" l V2 l- t C6 W+ _
1 O: l9 `$ H9 a; A! z7 {! s BPINT 41 if ax==4f) e* x3 [" Q6 r3 [3 d
. L7 N& [9 D% z3 c BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one8 i) `) I5 V0 f, B! Q* y, B! U) M
5 r$ u$ W8 Y& W) Z# h; r5 y
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
1 c- B- U+ s* d- Y) Y' e: |' v. E5 G* O4 ^
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
" \! v, |" \ `) g8 O% G/ \7 b R) }9 y- i- J5 `1 I4 R0 w
__________________________________________________________________________
6 C" H% q, j6 p( U: R. c% a6 `$ W0 w
1 z9 Z! @/ E) `Method 13) s6 o+ J) S2 B1 B5 ?
=========
* ~8 B$ k' Z# W
* J$ ]! s% s B9 T1 hNot a real method of detection, but a good way to know if SoftICE is
8 U' `) f# ^; H$ M* N9 winstalled on a computer and to locate its installation directory.( G) U# W" p4 w4 X2 l) l M$ A
It is used by few softs which access the following registry keys (usually #2) :; K& F3 E# Z0 A% C0 r2 D
* X, [! R4 h. u& Z: x3 S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ t' O g7 V5 }. V" D2 {
\Uninstall\SoftICE
& d, l0 g1 N! o- W; c: F9 O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 }6 ?; m y' O" d1 Q; L9 k( R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion p7 g( f& F+ U" @$ W( j$ F1 X, r
\App Paths\Loader32.Exe
^9 P4 z8 E- e- m1 C3 A( w0 r8 {( i7 X' w! r( O
# e8 L2 T% l: Q0 b
Note that some nasty apps could then erase all files from SoftICE directory
7 k5 ?' @8 w$ [5 o(I faced that once :-(! R/ E% V& G2 ]: H. w) {3 q( @
6 T3 w2 u3 L) p1 u7 d0 L
Useful breakpoint to detect it:
# R, G' ]3 a$ {" e% _$ @4 i: u
1 c& r R% A$ b. g, w: k BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'$ q8 I% A# R! {
; i* L7 R) F1 C__________________________________________________________________________
9 |- A% ?2 m- y/ u$ B- e0 }4 N$ ^" S2 z3 t
0 H* m/ c0 A2 i! g5 V7 AMethod 14 ! O7 f8 t9 L$ u4 {, G
=========
8 s- K. c h3 k1 \) P7 \% F- Q; }/ c; v; v, K2 ]3 N" D4 p% q
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 l; x% }! j' R4 g5 }/ G8 ^is to determines whether a debugger is running on your system (ring0 only).
* v. [$ o5 J7 w. I" U, c$ ]4 i5 x# r9 u
VMMCall Test_Debug_Installed
0 F, Z+ E( Y+ r: f2 q je not_installed' ]* k6 l; x$ U/ ]+ {) F
/ Q: d% p- a1 Y& j
This service just checks a flag.
1 N4 B( m6 [3 F0 k* @# T1 L! M</PRE></TD></TR></TBODY></TABLE> |