<TABLE width=500>
3 n& u# U8 r) q/ i% H<TBODY>
1 }6 Q% [# ]: @0 \<TR>
- @% ~+ t1 ]+ V1 G<TD><PRE>Method 01 & {* U8 F8 K# m, W$ t
=========
5 F3 @, ?4 N6 ?( ^' M% e! O1 s& Y9 |# c
5 p* Z$ U8 W, ^5 b6 UThis method of detection of SoftICE (as well as the following one) is
4 n r- G7 |3 F4 x2 f! O0 A8 A Zused by the majority of packers/encryptors found on Internet.2 w: D2 ~6 X2 ~
It seeks the signature of BoundsChecker in SoftICE' v% R+ D3 M7 U2 U
) x* f: x8 z# u1 [; m1 f mov ebp, 04243484Bh ; 'BCHK'6 b. t. i% f+ n, p0 i" ^$ w3 k% j
mov ax, 04h
- a! t) C t+ T4 {9 e int 3 6 a& O7 ]7 |2 x- E* j- P
cmp al,4* r* e3 V& A0 m7 g4 A' @& W
jnz SoftICE_Detected/ [# F ~' x, m( }
5 g/ Z( I$ A4 {" E, C
___________________________________________________________________________ r. P6 E9 u3 o: `' @0 d
2 v3 n7 }$ r0 L5 ?0 b; t+ eMethod 02* i7 D2 b* A% e. [
=========
[7 \2 a3 [$ W7 a
7 U) m7 s9 [$ _0 U% F% HStill a method very much used (perhaps the most frequent one). It is used# \1 M! C7 Z! I- P! A" E3 f7 x
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% u5 b C/ Y2 n( |, c" ?or execute SoftICE commands..., |7 e: t% ^1 w Z; ^. `; s# P
It is also used to crash SoftICE and to force it to execute any commands
, w" [6 e' Y( A9 Q. L) j(HBOOT...) :-(( ; H! U! b. _2 W' x g4 a0 q
6 w# o& y( A" f9 @; f* B7 D" WHere is a quick description:4 V# o$ b8 f) g0 V T0 Q
-AX = 0910h (Display string in SIce windows)- \ C, O4 A, I' _- H" c
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
! ]7 W1 t+ J2 [-AX = 0912h (Get breakpoint infos)4 S0 J2 l& B! H* t! \
-AX = 0913h (Set Sice breakpoints)% |1 X1 B& T. } U, v; _
-AX = 0914h (Remove SIce breakoints)1 z! n; a. F1 ]/ z
) {6 W8 ~: g$ _ T/ M
Each time you'll meet this trick, you'll see:$ [: V( i% t0 m3 K& P
-SI = 4647h N# v' H8 o6 f' _$ `( ]" W
-DI = 4A4Dh
8 o9 D' G: q& }3 H( uWhich are the 'magic values' used by SoftIce.
. b/ A( T" m4 x; `6 ~( zFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.0 w) s& w0 N' ?; t
9 U* Q5 T9 S% W' P9 `2 ~Here is one example from the file "Haspinst.exe" which is the dongle HASP
- ]' t. C+ H1 u; T' `& x& g2 OEnvelope utility use to protect DOS applications:# o4 B7 v6 Q/ [8 x) I
5 O2 {& ?; r8 V( k
( N! z' i8 [! H# ~$ e6 R, e, c4 m, T4C19:0095 MOV AX,0911 ; execute command.
9 S7 V4 R8 c5 Z: H1 c4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
' C+ `" s0 w" Y u H4 P. K4C19:009A MOV SI,4647 ; 1st magic value.
4 O# U6 D; W9 V) `$ f2 e( M4C19:009D MOV DI,4A4D ; 2nd magic value.& D: P' ^. ~& t7 ?+ W1 s* i
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)$ R+ L7 ]9 K0 M' b, U. \
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute) b( G4 F/ P0 S; x! c! L" D# u
4C19:00A4 INC CX
& j# f* I' n7 p" T6 u5 N9 h4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4 h: P! W9 w% D9 A% a/ @4C19:00A8 JB 0095 ; 6 different commands.
( F% f8 k# @5 Y/ P: U2 T4 n4C19:00AA JMP 0002 ; Bad_Guy jmp back.
% s, w, d1 \0 p4 q4 L4C19:00AD MOV BX,SP ; Good_Guy go ahead :)1 i7 W6 v& E1 f' {1 L" |
) B2 P9 K+ p e
The program will execute 6 different SIce commands located at ds:dx, which# Y% M6 w% V" @5 ]) k( F& g
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.5 o0 O; |/ V: U( L7 ]( r2 @8 U
/ F* ]& X9 m+ b0 x4 G$ h& s1 |- R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
) Q6 l4 p [) f; m' @/ u ]% x+ y___________________________________________________________________________
# \8 z- z6 V/ {! _( N
; @( O4 d; D6 `" [
7 R w% o. X& a { M1 V! AMethod 03
) n. _/ V! d9 K- G% n& r8 f) S=========
3 S" C- B. E8 ]2 j( g v. @
: H0 {* b9 w8 C7 M* E6 yLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
$ ?% X5 ]7 G) ?& ?& @8 P(API Get entry point)3 _ H, u. t" H, H4 Y4 L, n
+ |' a. R% p) w- G2 N& z, _' B+ i
7 T- a* H: k; E- s/ ] xor di,di
. ?) w) O3 b, k4 F mov es,di' k3 j5 y5 @9 I" ~/ ~
mov ax, 1684h 8 J. Z; {3 R0 R7 X! ^& |
mov bx, 0202h ; VxD ID of winice, R6 o3 {) v+ r( e
int 2Fh
2 N1 U7 _0 l' p* X: w+ n1 ~ mov ax, es ; ES:DI -> VxD API entry point" Q8 R. k$ |2 M/ s! f# C
add ax, di! M6 A, y0 B6 m* \( S: G: R% r
test ax,ax
) A0 r- e8 F* i! k jnz SoftICE_Detected, p7 N+ W- u# o3 x. L: P% S- X
1 q) x, d) ]9 ?6 n1 [; p$ s' Y
___________________________________________________________________________
% c! I. U8 E8 S# F" w5 P1 {8 ] e2 \& @/ U
Method 04# `3 ?6 M# W! p$ E0 L; e
=========
~% E9 b" g4 H1 e5 `/ u. @# X7 p$ O5 p9 [- q
Method identical to the preceding one except that it seeks the ID of SoftICE
. {# ]5 e1 ^8 A! F7 @GFX VxD.
" v4 x3 c0 o0 I: l, E# {% \+ ]% ]4 R3 M; {
xor di,di
& _3 [7 J, `' j: l3 D mov es,di# q d# _$ P5 c* h6 L- j9 a% F
mov ax, 1684h
( a# X8 a' A5 Z5 A& V# @ mov bx, 7a5Fh ; VxD ID of SIWVID
* u$ H. t8 ]4 c+ U8 i int 2fh
1 r% f9 u5 r- P1 O mov ax, es ; ES:DI -> VxD API entry point) m# V% f. K' L# `0 C+ h+ g
add ax, di2 g6 g$ Z, m$ K* Y" V( z5 e
test ax,ax
o' Y! b& f/ X9 g% f+ o4 H jnz SoftICE_Detected
- ]2 g8 K2 g4 o
9 k3 s8 x# G- |__________________________________________________________________________
- @( g: s6 b# r# f5 B+ B& r! u9 C+ q# q( b/ F3 Y/ I- K/ r3 U
) r, I9 O1 |/ y- F& m' HMethod 05& j$ c) O, w; D" S: B1 p9 D. Z5 x
=========, C5 ~# i# X. \6 J, m! k
: `6 i- E# H+ g7 l1 _; DMethod seeking the 'magic number' 0F386h returned (in ax) by all system
: m6 W B8 |3 ^& ?debugger. It calls the int 41h, function 4Fh.# Q3 V8 ~, [( g. O$ ~7 M
There are several alternatives.
. B/ p+ J' t7 y. M5 S
1 }' G0 C3 H4 V1 cThe following one is the simplest:, s, s8 ?- J+ C+ u
; E6 z4 ^. j3 [/ _ mov ax,4fh9 D ^( j" m! J# V6 Z* q
int 41h
U+ y% E5 `4 ?6 v7 q, s# M cmp ax, 0F3865 U7 M8 ]* m9 v1 C' `' I3 o: S
jz SoftICE_detected
# c2 b7 Q. ?. ~) m
% k6 m: q3 B. r" M" ~+ ?' w
7 k( Y/ c" H8 C& y; z+ N1 q LNext method as well as the following one are 2 examples from Stone's
2 k3 ^0 H& H ]( |- h2 Z# k"stn-wid.zip" (www.cracking.net):
' c0 {. e: ^! i( L- C& J; Y/ o, P2 [
mov bx, cs( _) Z5 b* U( ?$ B4 l
lea dx, int41handler2- `+ k6 M5 ?9 w4 G P$ p
xchg dx, es:[41h*4]% {7 Q5 H4 t7 s. I8 J0 C; Q9 U
xchg bx, es:[41h*4+2]' j% i! l+ k, o$ L9 j
mov ax,4fh2 W& p9 A2 H8 K
int 41h
) [( T: b! A9 o3 m' g+ U3 f xchg dx, es:[41h*4]4 B: o. j, u% [) g8 l. m0 n
xchg bx, es:[41h*4+2]
" G; T6 F, D, G$ D Q) Y cmp ax, 0f386h0 K% o& ]7 n! B$ z0 @
jz SoftICE_detected/ n* @' Y7 x M t3 @6 P
8 J& n. h& i r
int41handler2 PROC
2 f/ [2 k2 y6 T0 P" G iret% W1 a: H+ `6 @; M
int41handler2 ENDP
2 W1 X( B* Z+ {' h0 x& J! o( F5 p9 h- L4 q+ Y
( @* b6 g# K/ t: r V1 J) N_________________________________________________________________________+ a9 [: X1 {0 _/ [
/ f N' c3 ]: v
6 y" }" q; S8 r5 N8 U2 O* M
Method 06- n) r' D" P: y% ]
=========
: B7 j) g0 a4 e, ^, C! @! ~6 b
, W, D& T: f& c+ E
8 q( _5 M( H- e8 I7 q+ `$ j2nd method similar to the preceding one but more difficult to detect:2 v0 X- `* P! ^ a+ q: c
! W" O, y0 l4 H' Y8 E0 d$ a4 q* u! _( Q1 t# U. S! C
int41handler PROC/ B5 g. e! F" i/ Z6 V' u( f: S
mov cl,al. d8 j& r& {: t, L; r$ h3 w5 O( q$ |
iret, X4 i( m( t- i( e% z# d9 @# J* G
int41handler ENDP1 Y+ A1 w. A* |: A5 l+ Q$ r$ U) Y
) ]6 R" P& o4 r z+ @2 p
5 c) s- ]) m- F xor ax,ax/ X* }. u/ z9 Y5 `! z- S& N
mov es,ax
' V1 s2 ?) M( f" } mov bx, cs; n7 m; k" ?8 `( X* K) p& b* u
lea dx, int41handler1 y; c5 G" u7 T. |% X
xchg dx, es:[41h*4]
$ O# D3 |3 m! n+ m4 k xchg bx, es:[41h*4+2]
9 G: i, B1 h) {, V( [ in al, 40h
! M6 x7 w. H# p T3 S' U( U9 B1 T xor cx,cx
7 J) m5 [5 ^0 l d) d int 41h
H1 t/ K1 n1 W O0 G. v& _/ s+ R xchg dx, es:[41h*4]6 @- J: Y: ~+ Z1 G
xchg bx, es:[41h*4+2]' j! L; Z2 z5 _- v" e
cmp cl,al
- q2 s/ l( e+ E" I) S' M; r; X* R; f jnz SoftICE_detected2 |$ H2 m8 N! n0 S8 P' S
' W* I* Y9 c/ Q2 C+ l
_________________________________________________________________________
% s8 l3 l& ], [+ Y
8 v, q2 a% T6 y) d4 ]Method 07, M* [' W0 @; T; ~
=========, ^1 r$ ^# q7 s2 j7 m5 y' b! I5 f
5 l1 |7 _0 N2 ~' e* L
Method of detection of the WinICE handler in the int68h (V86)& t2 \, H, w2 O
4 Y' e, F( Q. H4 \
mov ah,43h6 r X/ c3 @$ J6 Q* x: D6 }
int 68h
' J9 o* L1 i7 y. ~ cmp ax,0F386h
# d" t( n; M/ ~, [9 P jz SoftICE_Detected
; j$ M# {: L6 x/ f: C9 c: n& R4 u5 [: T3 ^1 T% c
4 m6 P% Z! x8 U, j s
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( d/ A+ N- \# U* L, \' D( @, E- M
app like this:
3 `+ `% b4 b) ]( V% l# Z, J& L. T2 z; Q1 R; [
BPX exec_int if ax==686 t5 h0 p( G5 r" q4 p' W0 k
(function called is located at byte ptr [ebp+1Dh] and client eip is
( u" ]7 l# l; p* e7 ] located at [ebp+48h] for 32Bit apps) `/ _& I7 z/ Y' W, k
__________________________________________________________________________ Z5 P# C% [, U4 N& s) U
9 I) K" S+ c, c9 c3 N
* v" A! h0 N& R/ w. H0 _2 x* |Method 08; M6 N1 p& o( l Y7 D4 k4 q5 y: {
=========7 _$ \4 ^8 y# ~' p) G3 c1 F/ L
" H- N% d7 Y3 x+ \0 }& [It is not a method of detection of SoftICE but a possibility to crash the
1 d6 j: q& t, C, L: v# k6 [! a( _' Osystem by intercepting int 01h and int 03h and redirecting them to another
5 J8 j" F/ n6 s% g1 V* y/ {routine.
2 o7 Y# N/ r$ _It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
, \/ u" M& R; J0 s) J: e5 L0 gto the new routine to execute (hangs computer...)" m" o0 I. W. k( E6 K) ^
; S$ w" I/ Z0 M& g
mov ah, 25h
5 M6 K' p* d5 A mov al, Int_Number (01h or 03h): ~, A: L- y) y' P% Q
mov dx, offset New_Int_Routine
+ s; f; ^1 v5 U7 H0 j+ S int 21h: X3 \6 d; W- d. Y5 R. V
3 w: e* j3 z; V6 a0 k* T7 P
__________________________________________________________________________, v) N# b' W& Y
$ u6 X1 j" I7 t Z Y+ {" j+ EMethod 09% n3 y# m5 S5 B# I6 |4 V1 Y( Q+ P
=========
6 _9 O( i" \( j* a( [* k" i* ], V# B7 w1 _1 m# {
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
% }6 \1 S+ b' o- s; F- gperformed in ring0 (VxD or a ring3 app using the VxdCall).
1 |# F+ w; x* ~: q' KThe Get_DDB service is used to determine whether or not a VxD is installed
6 g3 y+ ~3 |( r9 ` zfor the specified device and returns a Device Description Block (in ecx) for, U3 X% H0 O3 x9 n
that device if it is installed.
9 _. g/ g; g) r! G: Q
8 o% q& ^' [: m }/ X mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
: R: ?: L G2 h4 _" S [ mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)! i, a3 ?0 i% M& ~
VMMCall Get_DDB
) O; L+ j* E+ b& ~ mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed! I- H% |0 s' r8 y/ G
, M/ A6 w6 {# |7 t
Note as well that you can easily detect this method with SoftICE:
$ x, _' o' l: a1 A2 w bpx Get_DDB if ax==0202 || ax==7a5fh/ n- v& H3 R6 J7 u5 q$ }8 \- k
* Q* w3 n" Z, h/ A H$ P__________________________________________________________________________
# g. v2 i& m# A$ c
# R0 X: k) q) O9 D6 {. O* k* G. uMethod 10
8 |& d9 d/ a/ |8 L=========
" v* Z" C8 _5 ?* E; y, B7 A- U: d) @( E5 a
=>Disable or clear breakpoints before using this feature. DO NOT trace with7 g% V( [: c9 s
SoftICE while the option is enable!!; [9 M2 L* W( y- N: I
# |* B" d9 h$ q6 D
This trick is very efficient:5 G+ C+ B9 n& N& j: i
by checking the Debug Registers, you can detect if SoftICE is loaded; D2 J* U' b; w, e' ~0 B
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( R/ Q' E" J/ b: X! Ethere are some memory breakpoints set (dr0 to dr3) simply by reading their6 h$ L5 H+ x: V' z2 y! L+ ]
value (in ring0 only). Values can be manipulated and or changed as well
9 [1 r+ _9 T& H' j1 u. [; c(clearing BPMs for instance)3 U" |9 e* z& z+ D
( n& U, O0 |$ w5 o+ I9 S8 z& [) ___________________________________________________________________________9 Y6 R1 Y% t6 k# }2 X1 N$ p" |
4 |. P8 s) h0 P7 G
Method 11
7 m# y+ }4 d- z( ?& [9 Y, a3 T6 w=========2 b! y9 Y1 u1 f$ t0 Z
4 Q+ e" G& M' {3 y6 h) n6 D _, ^This method is most known as 'MeltICE' because it has been freely distributed& o# O, L' j* K9 j: D2 Z; ^
via www.winfiles.com. However it was first used by NuMega people to allow
: n% k1 u8 Z9 U+ q% K. mSymbol Loader to check if SoftICE was active or not (the code is located/ E: h0 B" v& L" B: `
inside nmtrans.dll).3 v! k) R7 o, k4 v0 A7 y
; {; a& ~9 c2 Z$ ?: }, dThe way it works is very simple:9 f2 x8 `/ W( F/ t8 l1 j
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
9 c# q1 s* C0 LWinNT) with the CreateFileA API.
* _7 G5 `5 ~ {3 Z7 w& q# l
: U. J- e1 c9 THere is a sample (checking for 'SICE'):4 n7 D4 V6 S/ d
& Y/ Y1 G, \* {* [% Q$ i9 bBOOL IsSoftIce95Loaded()( a: m z$ f, A7 E; h, C7 w8 L) }
{8 F! s! ^' Q/ Q( ]% |, K
HANDLE hFile;
: O" [9 H. {! P hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 j0 W, {* |& G/ t5 |1 u9 ]
FILE_SHARE_READ | FILE_SHARE_WRITE,3 C" ]+ r; T- h5 ]/ I8 T
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);% {2 o4 q6 W1 o* T) ^
if( hFile != INVALID_HANDLE_VALUE )4 ]" _# {4 n @9 }/ a
{
/ V$ `" y5 z& z5 S CloseHandle(hFile);( n ~" j4 T/ `$ G6 ?, T. _
return TRUE;0 F. m5 C- ] o8 l
}$ s7 n$ J: B/ u
return FALSE;, t3 l9 j$ H% B9 [0 x+ n
}( W1 c- |7 D) \# E* h- ]
* G6 D1 n, n5 s
Although this trick calls the CreateFileA function, don't even expect to be" a' O& D% V5 J- ?
able to intercept it by installing a IFS hook: it will not work, no way!
z! s) Q; |. h$ @2 G) zIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
5 i3 I2 d/ y6 U' l: T1 \service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 r- `' J3 k/ a" C$ Y
and then browse the DDB list until it find the VxD and its DDB_Control_Proc# B* _4 P( g8 B
field.
v8 r- Z' P+ j+ _In fact, its purpose is not to load/unload VxDs but only to send a & D0 w! d0 P1 j3 D
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
1 S1 W5 T/ f" E* I1 \to the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ k7 s( |4 q" W" M9 Gto load/unload a non-dynamically loadable driver such as SoftICE ;-)./ S& M! {2 x. K6 b z4 p7 j
If the VxD is loaded, it will always clear eax and the Carry flag to allow
# y, q7 m$ m" g Xits handle to be opened and then, will be detected.: c8 K0 b6 G3 @7 e
You can check that simply by hooking Winice.exe control proc entry point
4 G2 d& V- ^) uwhile running MeltICE.
+ T: s4 y1 a6 y4 B) ?
; i, K, m$ M- N5 H0 ]
% p9 X; T5 M: y+ j2 Y7 h 00401067: push 00402025 ; \\.\SICE" F3 }* C7 S5 ^, [, }
0040106C: call CreateFileA6 v- Y# c+ @: _$ u7 e& z/ f
00401071: cmp eax,-001
, z% E$ K3 V& M3 c 00401074: je 004010914 q8 c I* h# p9 q+ r8 f/ ]
5 J* F1 T p0 w' c. T; f! G+ R# L1 T+ I7 b, h% e/ H. p: D5 N$ E. q
There could be hundreds of BPX you could use to detect this trick.' ], m& I8 Q$ n
-The most classical one is:4 Q& u' C% T6 a/ k: ` ]
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
8 D9 {. g, D% j' T. J# F K *(esp->4+4)=='NTIC'3 F% }$ V" G3 Z \
( n( f# m" H: L: P$ O# W-The most exotic ones (could be very slooooow :-(
: b0 j! G% { L w! T BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
& d* \1 y: F/ i7 g& | ;will break 3 times :-(
; H6 h+ D! K. p- [/ [- i; f: \& I* t1 @+ @5 C" A+ M, D
-or (a bit) faster: 0 }+ B3 M3 a |2 i
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
# B/ a' W! p; H- o* l+ g \5 h' v' q) c U4 G1 E( f8 z9 p- i) F
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
3 d6 ^' r* |: P ;will break 3 times :-(9 N1 E+ i3 Y9 a I. Q
L. E/ G* `' }: Y! j: s( }4 E-Much faster:- S' ~% K$ j0 j$ j, u" d% N
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
" s1 A T7 }6 y: M
! q9 t& P0 W- y3 p! U7 pNote also that some programs (like AZPR3.00) use de old 16-bit _lopen) W6 S5 m! `6 D/ h! A& q- |
function to do the same job:
3 h" L I% M0 F C
3 S" v0 O) K6 c6 W [, ^ push 00 ; OF_READ' l: K3 I2 ?1 l# c6 X
mov eax,[00656634] ; '\\.\SICE',0
8 @' X. {% B0 \7 q2 J push eax
. d4 |7 z x/ W9 P call KERNEL32!_lopen/ [3 {% T% ]; S+ z) q
inc eax- S8 g9 m3 U2 _' u F
jnz 00650589 ; detected
1 }. \/ G M4 w% }9 L) | push 00 ; OF_READ
1 K2 j% V$ v- \$ J+ n, t mov eax,[00656638] ; '\\.\SICE'
! v% o/ B: O. e6 p* ?" J& W' v5 G push eax$ W# d: l u7 u7 g
call KERNEL32!_lopen8 W" \, Y" J) K
inc eax; K3 q- Z# F* o( G; c: \
jz 006505ae ; not detected; F5 w5 M0 M7 V- o0 D4 s9 ` g
$ C0 U+ P0 c4 O6 x8 U
! n+ P: [0 u& L7 T0 Z
__________________________________________________________________________3 h q( B0 J1 ]- k7 A
$ x9 \! B7 i( ~Method 12
C/ m5 a V: G=========, R. p% i0 l+ X. j& |/ F7 [( ~- R& Y
* W" o3 f/ Z0 C
This trick is similar to int41h/4fh Debugger installation check (code 053 q$ d6 J1 I1 Q8 b' [5 m( S
& 06) but very limited because it's only available for Win95/98 (not NT)
0 }2 n, J2 N4 }3 I/ {as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
$ d/ G: F# O4 }6 I
) h& o, A/ ~( }( |$ Y* o- v push 0000004fh ; function 4fh
% t4 q+ g1 K% q" y8 ? push 002a002ah ; high word specifies which VxD (VWIN32)
a4 w) C8 G* Z' Z1 P ; low word specifies which service
- k! q' a, a E9 \ (VWIN32_Int41Dispatch)
5 g* e9 r" M( m) r2 L$ B" { call Kernel32!ORD_001 ; VxdCall9 X& j/ _2 V$ ?
cmp ax, 0f386h ; magic number returned by system debuggers
; g m6 A2 `: d9 \5 M, @0 l jz SoftICE_detected
2 p* V* d4 [/ {% ~
6 D# P0 {( d8 K; UHere again, several ways to detect it:. a+ g( T' j3 v( b0 V0 ~# i2 G
, O/ |8 \; y* s; T1 L BPINT 41 if ax==4f
3 l! k! ]# {+ I0 M4 x1 p K
- J$ z; ^; L( v BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one, H$ Z2 {( _- @: G1 K, o# D( r
2 e+ }' e, A9 n/ K5 B BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
Z3 Z: H3 s+ D1 O' S+ S8 T9 h( `1 \8 s' }4 c' J2 C: |( Y
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!0 c$ v/ Q* j( y, `# s4 X
* T$ k2 @% u2 l- r; j; B. a, E__________________________________________________________________________
, f x7 m. H" P; y5 x0 ^8 y- W1 I* \4 D3 L' d* @
Method 13
& M- g- f" W' X6 k=========; X0 P$ E2 o, i( L* A, R( a9 w1 l: G
/ | ^/ t8 Q5 u+ M' q* H
Not a real method of detection, but a good way to know if SoftICE is& A2 W4 @" _. L) u$ F
installed on a computer and to locate its installation directory.
- C, U0 b9 j# S5 I+ m$ p. |It is used by few softs which access the following registry keys (usually #2) :1 S" k$ `4 t4 {* p# }# d( g7 d
: z9 _7 C; h4 l
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ h; B7 h% I# T" V\Uninstall\SoftICE
5 J: p3 L' U: m1 J; E4 _-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 U8 p; t0 P) u# R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ y% \1 i8 h2 l\App Paths\Loader32.Exe
, E' Z# _' P3 E& K- J6 }# Z0 z" C) L- T
: Y+ o; ?" q4 B0 K' Z3 K* r/ hNote that some nasty apps could then erase all files from SoftICE directory4 |5 E9 P0 @7 q7 K: u
(I faced that once :-(
3 y- v2 l, y" t4 q* ^+ u% {" p3 l# t$ @ P5 s, ^% c8 z
Useful breakpoint to detect it:
1 t4 L( j1 [1 u
% F) i; w& f6 y7 _0 R BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
: ?' J1 h% N b% }) u( d0 |$ B+ r" _7 R" R
__________________________________________________________________________* U. @( \: ]" J- O3 o& G# H
M8 j& O+ |6 w0 n) O: ~; Y& _
5 s' s& F- c: G7 P$ q" l4 HMethod 14
2 z) j5 d' }1 h9 _# ~: R( Z=========
2 q0 m+ a* M1 a# g' Q; z/ S1 [: t1 f# ~7 B
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ m$ n7 E) N& ^* ~7 B8 ?6 N
is to determines whether a debugger is running on your system (ring0 only)." w+ {# f3 V* y, e! P1 I
# L3 R1 r2 d0 G) F VMMCall Test_Debug_Installed" W2 k& Z# Z, Q C" h5 x( E
je not_installed
9 b3 S- {: v! X" z( z0 n
- y* ~+ y/ L7 f7 }; ~This service just checks a flag.5 g/ M# i. F! j. o
</PRE></TD></TR></TBODY></TABLE> |