<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature ('BCHK') in SoftICE: if SoftICE is
loaded it services the int 3 itself and al no longer holds 4:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to be 0 here (as in Method 06),
    xchg bx, es:[41h*4+2]   ; so ES:[41h*4] is the int 41h vector in the IVT
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
installed handler copies al into cl; if a debugger services int 41h itself,
the handler never runs and cl no longer matches al:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Opening the device name of the SoftICE VxD only succeeds when the
       driver is loaded; SIWVID and NTICE are checked the same way. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025        ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp eax,-001
    00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
4 H9 {( A$ N/ n$ f* p4 N</PRE></TD></TR></TBODY></TABLE> |