<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, the INT 3 is serviced by SoftICE, which comes back
with AL changed; without SoftICE, AL still holds 4 afterwards. (Without any
debugger the INT 3 goes to whatever handler is installed, which is why
Win32 code wraps this check in an exception handler.)

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 04h             ; SoftICE returns with AL changed
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' INT 3 interface, which returns information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT, a hard reboot...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT. With SoftICE loaded the last one
reboots the machine, so this is a denial of service rather than a plain
detection.
* the "jmp to 00ADh" is performed via the exception handler (SEH) the
  program installs for INT 3 when the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point): a VxD that is loaded answers
with its API address in ES:DI, one that is not leaves ES:DI = 0000:0000.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    or ax, di               ; zero only if both ES and DI are zero
                            ; (OR, not ADD: a wrapped ES+DI sum could read as 0)
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it asks for the SoftICE
graphics VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    or ax, di               ; zero only if both ES and DI are zero
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h that every system debugger returns
in AX in answer to INT 41h function 4Fh (the debugger installation check).
There are several variants.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps its own IRET-only handler into
the INT 41h vector around the call, so the result no longer depends on
whatever sits in the IVT (a protection that merely re-vectors INT 41h is
bypassed): if nothing but that handler answers, AX comes back unchanged
(4Fh); SoftICE, which sees the interrupt before the real-mode vector is
reached, still answers 0F386h.

    xor ax, ax
    mov es, ax                  ; ES = 0000h, the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot because no
magic constant appears in the code. The private handler copies AL into CL;
the caller loads AL from the timer port (a value it cannot predict) and
clears CX before the INT 41h. If the interrupt reaches the handler, CL == AL
afterwards; if SoftICE handled the interrupt itself and never passed it on,
CL is still 0 and the check fires (with a 1-in-256 false negative whenever
the port read happens to return 0).

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0000h, the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; timer channel 0: an unpredictable AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on INT 68h (V86 mode).

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to hang the system, by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h                     ; DS:DX = new handler
__________________________________________________________________________
Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app through VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed
    test ecx, ecx
    jnz SoftICE_Detected

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring0 only)
you can tell whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3 hold their addresses, DR7 their enable
bits). The values can be manipulated or changed as well (clearing the BPMs,
for instance).
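To make those DR7 numbers concrete, here is a decoder for the value a ring0 routine reads with `mov eax, dr7`. It is an added example (editor's code, not from the original text): it applies the documented DR7 layout (L/G enable pairs in bits 0-7, LE/GE in bits 8-9, a reserved bit 10 that always reads as 1, R/W and LEN fields from bit 16 up), which is exactly why an idle DR7 reads 0x400 and the SoftICE-loader case 0x700, and it lists which BPMs are armed. The DR7 values fed to it are constructed, not captured from a machine.

```c
/* Decoder for the DR7 value a ring0 routine reads with "mov eax, dr7" (the
 * read itself is privileged: from ring3 it raises #GP). Editor's example,
 * not code from the original text; the DR7 values below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hw_bp {
    int         index;    /* which of DR0..DR3 holds the address */
    int         global;   /* 1: G bit, 0: L bit (cleared on task switch) */
    const char *kind;     /* exec / write / io / read-write */
    unsigned    len;      /* bytes covered */
};

struct dr7_info {
    int          count;   /* armed breakpoints (a BPM needs one of these) */
    int          le_ge;   /* LE (bit 8) and GE (bit 9) both set: the 0x700 case */
    int          gd;      /* GD (bit 13): next debug-register access traps */
    struct hw_bp bp[4];
};

static const char *const rw_names[4]  = {"exec", "write", "io", "read-write"}; /* R/Wn encoding */
static const unsigned    len_bytes[4] = {1, 2, 8, 4};                          /* LENn encoding */

/* Fill *info from dr7; return the number of armed breakpoints. */
int decode_dr7(uint32_t dr7, struct dr7_info *info)
{
    memset(info, 0, sizeof *info);
    info->le_ge = ((dr7 >> 8) & 3u) == 3u;
    info->gd    = (int)((dr7 >> 13) & 1u);
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i)) & 1u;        /* Li */
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;    /* Gi */
        if (!local && !global)
            continue;                                   /* DRi not armed */
        struct hw_bp *b = &info->bp[info->count++];
        b->index  = i;
        b->global = (int)global;
        b->kind   = rw_names[(dr7 >> (16 + 4 * i)) & 3u];
        b->len    = len_bytes[(dr7 >> (18 + 4 * i)) & 3u];
    }
    return info->count;
}

/* The decision the text describes: a debugger is suspected when LE/GE are
 * set (the SoftICE loader case) or any BPM is armed. Bit 10 is reserved and
 * always reads as 1, which is why an idle DR7 is 0x400 rather than 0. */
int debugger_suspected(uint32_t dr7)
{
    struct dr7_info info;
    return decode_dr7(dr7, &info) > 0 || info.le_ge;
}

/* DR7 with every L/G enable bit dropped: written back with "mov dr7, eax"
 * this is the "clearing BPMs" manipulation (DR0..DR3 keep their addresses). */
uint32_t dr7_without_breakpoints(uint32_t dr7)
{
    return (dr7 & ~0xFFu) | 0x400u;
}

void dump_dr7(uint32_t dr7)
{
    struct dr7_info info;
    decode_dr7(dr7, &info);
    printf("DR7=%08x: %d armed, LE/GE=%d, GD=%d -> %s\n", dr7, info.count,
           info.le_ge, info.gd, debugger_suspected(dr7) ? "debugger" : "clean");
    for (int i = 0; i < info.count; i++)
        printf("  DR%d %s %s, %u byte(s)\n", info.bp[i].index,
               info.bp[i].global ? "global" : "local", info.bp[i].kind, info.bp[i].len);
}

int main(void)
{
    dump_dr7(0x400u);        /* idle: only the reserved bit */
    dump_dr7(0x700u);        /* loaded through the SoftICE loader: LE+GE */
    dump_dr7(0x000D0402u);   /* one global 4-byte write BPM in DR0 */
    return 0;
}
```

The warning at the top of this method follows directly from the last function: a protection that writes `dr7_without_breakpoints()` back silently disarms the BPMs SoftICE set, so anything you were tracing with stops firing.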

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the carry flag
so that the handle can be opened, and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091       ; not opened: SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it only works on Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
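The breakpoints given for each method are the dynamic way of catching these tricks. Most of them also leave a fixed byte sequence or string in the executable, which is how you find them with a hex editor before running the target at all. The scanner below is an added example (editor's code, not from the original text nor from any program named on this page): it carries one pattern per trick for Methods 01-05, 07, 11, 12 and 13, using the standard 8086/80386 encodings of the listings above, skips the 66h operand-size prefix that 32-bit code puts in front of 16-bit register moves so one table covers both DOS and Win32 images, and is run over constructed sample buffers, not bytes from a real program. The signature names, the bit-mask interface and the samples are mine.

```c
/* Static scanner for the SoftICE-detection byte patterns of Methods 01-05,
 * 07, 11, 12 and 13 above. Editor's example, not code from the original text
 * or from any program named on this page; sample buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct code_sig { const char *name; const uint8_t *pat; size_t len; };

/* 16-bit encodings of the listings above, immediates little-endian. */
static const uint8_t p_bchk[]    = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK')            */
static const uint8_t p_fgjm[]    = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h / mov di,4A4Dh           */
static const uint8_t p_sice[]    = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const uint8_t p_siwvid[]  = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* same with mov bx,7A5Fh                */
static const uint8_t p_int41[]   = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh / int 41h                  */
static const uint8_t p_int68[]   = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h / int 68h                  */
static const uint8_t p_f386[]    = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h                         */
static const uint8_t p_vxdcall[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};      /* push 4Fh / push 002A002Ah (32-bit)    */

#define SIG(n, p) { n, p, sizeof p }
static const struct code_sig code_sigs[] = {
    SIG("M01 BoundsChecker 'BCHK' INT 3",      p_bchk),
    SIG("M02 back door magic SI='FG' DI='JM'", p_fgjm),
    SIG("M03 int 2Fh/1684h SICE VxD 0202h",    p_sice),
    SIG("M04 int 2Fh/1684h SIWVID VxD 7A5Fh",  p_siwvid),
    SIG("M05 int 41h/4Fh",                     p_int41),
    SIG("M07 int 68h/43h",                     p_int68),
    SIG("M05/07/12 cmp ax,0F386h",             p_f386),
    SIG("M12 VxDCall VWIN32_Int41Dispatch",    p_vxdcall),
};
/* Method 11 device names and Method 13 registry key tails, matched literally. */
static const char *const str_sigs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
    "Software\\NuMega\\SoftICE", "Uninstall\\SoftICE",
};
#define N_CODE (sizeof code_sigs / sizeof code_sigs[0])
#define N_STR  (sizeof str_sigs / sizeof str_sigs[0])

/* Match one code pattern at buf[pos]. A 66h operand-size prefix in the bu
 * is skipped where the pattern expects another byte, so the 16-bit patterns
 * also match the 32-bit form (66 B8 .. 66 BB ..). Returns 1 on a hit. */
static int match_code(const uint8_t *buf, size_t len, size_t pos, const struct code_sig *s)
{
    size_t i = pos, j = 0;
    while (j < s->len) {
        if (i >= len)                 return 0;
        if (buf[i] == s->pat[j])      { i++; j++; }
        else if (buf[i] == 0x66)      i++;
        else                          return 0;
    }
    return 1;
}

/* Scan buf, print the first offset of each signature found, return how many
 * distinct signatures were seen. If mask is non-NULL, bit k is set for
 * code_sigs[k] and bit 16+k for str_sigs[k]. */
int scan_buffer(const uint8_t *buf, size_t len, uint32_t *mask)
{
    uint32_t seen = 0;
    int count = 0;
    for (size_t pos = 0; pos < len; pos++) {
        for (size_t k = 0; k < N_CODE; k++)
            if (!(seen & (1u << k)) && match_code(buf, len, pos, &code_sigs[k])) {
                printf("  +%04zx  %s\n", pos, code_sigs[k].name);
                seen |= 1u << k; count++;
            }
        for (size_t k = 0; k < N_STR; k++) {
            size_t sl = strlen(str_sigs[k]);
            if (!(seen & (1u << (16 + k))) && pos + sl <= len &&
                memcmp(buf + pos, str_sigs[k], sl) == 0) {
                printf("  +%04zx  string \"%s\"\n", pos, str_sigs[k]);
                seen |= 1u << (16 + k); count++;
            }
        }
    }
    if (mask) *mask = seen;
    return count;
}

/* Constructed samples, not bytes taken from any real program. */
const uint8_t sample_bchk[] = {      /* 32-bit Method 01 followed by a MeltICE name */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    '\\','\\','.','\\','S','I','C','E',0 };
const uint8_t sample_backdoor[] = {  /* 16-bit Method 02 as in the Haspinst listing */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x83,0xC3,0x02 };
const uint8_t sample_int2f[] = {     /* 32-bit Method 03: the moves carry 66h prefixes */
    0x66,0xB8,0x84,0x16, 0x66,0xBB,0x02,0x02, 0xCD,0x2F, 0x8C,0xC0 };
const uint8_t sample_vxdcall[] = {   /* 32-bit Method 12 plus the 0F386h compare */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xFF,0x15,0x00,0x20,0x40,0x00,
    0x66,0x3D,0x86,0xF3, 0x74,0x05 };
const uint8_t sample_clean[] = "Just a string with no debugger checks in it.";

int main(void)
{
    printf("sample_bchk:     %d hit(s)\n", scan_buffer(sample_bchk, sizeof sample_bchk, NULL));
    printf("sample_backdoor: %d hit(s)\n", scan_buffer(sample_backdoor, sizeof sample_backdoor, NULL));
    printf("sample_int2f:    %d hit(s)\n", scan_buffer(sample_int2f, sizeof sample_int2f, NULL));
    printf("sample_vxdcall:  %d hit(s)\n", scan_buffer(sample_vxdcall, sizeof sample_vxdcall, NULL));
    printf("sample_clean:    %d hit(s)\n", scan_buffer(sample_clean, sizeof sample_clean, NULL));
    return 0;
}
```

A hit only tells you where to look: Method 06 and the Get_DDB / Test_Debug_Installed calls of Methods 09 and 14 have no fixed immediate to match, and a packer can split any of these sequences with junk instructions, so the breakpoints above remain the reliable way to confirm what a sample actually does.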
3 u) D# g' @" K' ~+ C# ^
4 ?! n3 Q/ U5 H__________________________________________________________________________5 a1 ^! J+ ^# `3 r


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed    ; ZF clear if a debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>