<TABLE width=500>
- K8 j: l% |( v- d<TBODY>
& o0 W- W9 {1 B8 l7 {! ?8 N<TR>
& t) X& r5 b' Q<TD><PRE>Method 01
3 f8 K: F/ W6 W/ s, f. I0 n, o=========# ?" n' a( m/ k
. G' E5 B) [4 v0 F, g: ]This method of detection of SoftICE (as well as the following one) is
9 `6 v0 n3 k5 ~- T: |! d2 Gused by the majority of packers/encryptors found on Internet.& @" u# B" k/ _8 v8 i% C
It seeks the signature of BoundsChecker in SoftICE
" \2 R6 L$ [. K4 a1 z z0 R7 O" F B, X2 s# A
mov ebp, 04243484Bh ; 'BCHK' C: Q+ W1 o7 R
mov ax, 04h2 H$ N w( L) ]
int 3 3 i2 ^$ `8 t. Y. U
cmp al,4
" j- c# ~" O5 H2 ~. P5 n/ l jnz SoftICE_Detected% A# J% ^+ |% Z
. \) W. `- `. U. P( I E
___________________________________________________________________________
1 c% @- w8 r8 A7 n0 {2 m
7 ?+ h. ^+ i- fMethod 02
5 i- ?0 `+ t3 k2 a=========
! y2 a" G8 D0 ]1 x$ A. X& w
% p, @: \: }; c$ w# O/ K; N* cStill a method very much used (perhaps the most frequent one). It is used6 s% w% `" l! \1 s- k6 _5 O# N& g
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,& j. J ~+ a% T
or execute SoftICE commands... T" e7 w. s2 [5 c6 `
It is also used to crash SoftICE and to force it to execute any commands
9 ]( C* R. [% N* u& I9 W4 n m(HBOOT...) :-(( : J4 ]4 |( U2 t K! s% `) h7 K
2 ~6 k9 A- F1 x" j' ~0 C; |! M% KHere is a quick description:
, C+ r w" F+ Q% |* U-AX = 0910h (Display string in SIce windows)
. E O; p4 k. g8 `/ b9 k- N) i-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
$ {- y8 o7 t8 V% c3 i-AX = 0912h (Get breakpoint infos)
* p6 Q* \$ } ]. m6 m5 i5 o; X-AX = 0913h (Set Sice breakpoints)" k& C# T6 G) T: u% h
-AX = 0914h (Remove SIce breakoints)
( i. G8 r2 ], |! @/ a0 G% p% H+ M/ Q2 B8 o2 k0 `- b
Each time you'll meet this trick, you'll see:
3 M2 y& x; I5 [7 H0 s- t3 M-SI = 4647h$ b7 e: m; Z4 `, N
-DI = 4A4Dh
: p( f e& Z$ ~3 r0 ?Which are the 'magic values' used by SoftIce.
8 J0 O5 p! e* p M! yFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
, B% w, H7 W! ?- y
$ U; ]6 g0 Q# f4 ~1 uHere is one example from the file "Haspinst.exe" which is the dongle HASP
1 e" ?; n4 x+ ^+ CEnvelope utility use to protect DOS applications:8 s. m0 E3 R" s7 Z6 b1 B
0 P! o6 n. J- R- Q& R
# X; D; l1 q2 A% N s4C19:0095 MOV AX,0911 ; execute command.5 c5 H( v' g4 J$ i9 k2 @8 j5 _
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
& d4 J" i6 P# A, I7 S0 ?9 F3 U4C19:009A MOV SI,4647 ; 1st magic value.
! `# T; W6 v6 T4C19:009D MOV DI,4A4D ; 2nd magic value.( N7 F8 L" T6 _
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) W9 ^' M' L2 `* h8 X* I
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
8 x5 K0 e8 S8 o+ C9 \4C19:00A4 INC CX
$ I( Y9 l. g8 w/ w- l4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
( Z, o9 L, @0 v2 i4C19:00A8 JB 0095 ; 6 different commands.; ?6 |( a+ E+ W& G2 i9 u1 e( C% w; a
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
( N$ D( q2 c; K, ^4C19:00AD MOV BX,SP ; Good_Guy go ahead :)- K* R! O4 U7 x3 y$ M* p1 n+ D
2 y. P5 o, k7 z) G- w2 ]# q' m# }The program will execute 6 different SIce commands located at ds:dx, which
% d; t, ~9 y3 N3 mare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! r1 ?0 _7 w% H
+ _/ C4 {' \: w6 ?, ~8 r
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
* [# {7 D) ^1 [2 w& N. }+ d___________________________________________________________________________
& z j7 x0 ?: b: x9 I; A
! V: n$ Z. e0 ^, k4 g/ i2 O; R' l& l1 c
Method 03
9 z- B* R8 E' `3 q=========
; k. u" w7 P, f; X' |: K& R7 H) F/ d+ S$ F
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h2 `( g$ {; [* \) \, c! a7 b
(API Get entry point)5 b% H/ f; o4 k" O) }. }# ^7 i6 [- b
) H+ j! @/ b* \
4 D/ L4 Z" k0 @4 |! {5 I# o5 I" w xor di,di1 C6 \/ n, |2 T% }1 Z- ~
mov es,di/ S1 l: G! @# X
mov ax, 1684h
7 g- w% c4 W$ P5 }' u mov bx, 0202h ; VxD ID of winice- Q ?" B, P7 a0 a
int 2Fh
# B; \9 y2 R) l6 p; k: m mov ax, es ; ES:DI -> VxD API entry point
' ^" B$ P! h; y" i8 ?6 d add ax, di
$ `" r. B9 h- e( k5 O test ax,ax
! r) L0 z3 ~; k jnz SoftICE_Detected
& I4 Y; @. z7 J' L* B- o1 O/ r/ d- Q( k
___________________________________________________________________________
6 X# X+ K& {. J+ ?2 M
; V e$ G' u% m+ u. ?" kMethod 04; @/ o! Z) j: H; T6 `
=========
' _/ ~: m6 P9 S' L4 J; h# d1 J. u& A6 g
Method identical to the preceding one except that it seeks the ID of SoftICE
) r5 J* J, f0 _; TGFX VxD. f4 D6 @2 f8 k* h( S$ W
4 D% v4 b* s- f. ]: T xor di,di, P! Y8 D) s1 X: w5 N& Y) g
mov es,di0 A% c" N- I: n# O7 `& V7 K- u
mov ax, 1684h
" y7 e5 I' Q; }2 N mov bx, 7a5Fh ; VxD ID of SIWVID. S: b) e7 \6 p
int 2fh
, e3 k. [2 \/ ^$ L# H, p mov ax, es ; ES:DI -> VxD API entry point
5 c7 ~! H3 W2 U: k1 e! D6 ?2 p add ax, di
3 m! R Y9 w- ~* U% a" n1 M test ax,ax1 V! l4 u7 L$ }8 |! Z
jnz SoftICE_Detected
4 Z: u- \! k$ j! C: y
' B3 o/ z" r9 j__________________________________________________________________________$ ?- V) a G& W* t/ z& ]
3 |; p' E6 v1 Z1 n
$ l0 E2 g. o" K7 A& {$ [1 w: eMethod 05
$ O+ [8 J" B+ @) t+ `/ t7 g=========, ?! l! I6 X; ]. k2 [% p
6 ?3 J. A1 [$ k) HMethod seeking the 'magic number' 0F386h returned (in ax) by all system. [1 l6 ]. E. m* G
debugger. It calls the int 41h, function 4Fh./ p3 Z* ~! d$ \) a
There are several alternatives.
. d( t* R/ q/ Y+ Y
4 }* {8 r0 J {The following one is the simplest:3 C3 p+ w l7 n: L
" b$ e' K0 L2 q9 j1 H; y3 ~
mov ax,4fh2 k+ h' Q) X1 ?( E3 F+ J! \: t
int 41h6 k( b& k9 [4 Z4 ] M* F
cmp ax, 0F386
) f& W( J0 P* ?+ `: _! k jz SoftICE_detected
* ?; o/ V0 I+ x9 b. e; T! D! @' O! V0 R% h
+ r- Z. E& A+ t8 K3 I! g1 @
Next method as well as the following one are 2 examples from Stone's
4 F- \; D8 R% ?# x; ]2 \/ l$ H5 _+ A"stn-wid.zip" (www.cracking.net):( ^% }: a- _3 {
( p: F1 b; `" S7 t! m
mov bx, cs0 [8 U3 q0 Z8 z, j. z% ~; t
lea dx, int41handler2
/ R% Z( f/ e% H5 }8 K* m4 l+ z' s5 I xchg dx, es:[41h*4]
, b4 h- E" K7 O6 z xchg bx, es:[41h*4+2]
6 H+ X; v9 [, ~+ T. @0 s mov ax,4fh
: W( v. Z8 M; V2 l- W" ? g int 41h! O% l9 N' d) A4 q
xchg dx, es:[41h*4]
5 B! x, |0 l" k xchg bx, es:[41h*4+2]+ v" v* O% {! d; c1 _! A5 x6 ?5 B ?. V
cmp ax, 0f386h# P, \/ m- I1 Q+ X' N
jz SoftICE_detected
! \* c* {" Q* v5 u) S9 d0 B0 h Z C( _) z& p
int41handler2 PROC5 L3 v9 q3 V) J# B) B" [: c( C
iret
6 U" ^5 j. v" f$ N2 b0 {" d$ M( ]int41handler2 ENDP1 @3 ]$ g5 r# _+ o* q/ \ O# p5 {
0 U2 l! E" D4 K" w
3 ^; ]1 X1 ~" i1 i3 Y_________________________________________________________________________
; V) F5 U, y6 u6 \( n; x+ m. `6 E; J3 y/ l# A, U
- l9 ?# v+ Q; e$ ?+ v
Method 06 }& j/ {3 M2 g( K5 H" }
=========
8 \7 { T) o; m' L) g( A' f; e" V6 h" H( l0 [4 d" ^4 _. n/ A
% {8 [ G0 ^" U( E, U" Z
2nd method similar to the preceding one but more difficult to detect:# f b) v. Y l( v- z& K
: o# f" o$ f0 n- }/ \0 ^
% q" c% O9 q; ]0 |& f( Xint41handler PROC* E q1 ]9 F) u; r) b% F; ]
mov cl,al
i8 @/ r" Y( l8 W iret
/ O6 a1 A4 q3 \+ |- h/ aint41handler ENDP4 K) O4 d: o7 d; u, B
7 w- `# e) i! _, F4 k% p# o
& y' }3 ?/ V; K$ f! x& Y6 T xor ax,ax
: O" V6 R6 i) R3 E9 Z- V x mov es,ax u" o" ^/ I/ ?' E4 F
mov bx, cs6 }8 W, @3 A6 H+ S7 p
lea dx, int41handler! b& v* F2 q) c
xchg dx, es:[41h*4]' ^/ K; G! ?% C5 l
xchg bx, es:[41h*4+2]! A9 r P0 P7 C
in al, 40h$ Q2 y/ c3 v5 |0 F3 O; i/ W
xor cx,cx
' R! l5 t0 E3 j; I( E* Q: T) m int 41h" c% g. W0 b: g0 w( {9 m
xchg dx, es:[41h*4]
, P5 L$ }4 E7 D. h) s xchg bx, es:[41h*4+2]' j0 i# l- |+ j5 v8 Y
cmp cl,al e- m5 P i8 H) a r- |
jnz SoftICE_detected
4 a: O) L- ?" C2 o' R/ @! E% H% q" K, N5 R
_________________________________________________________________________
4 e- }8 Q4 I3 N1 [/ \% G' L" P- @- b
* T. g% J) N: j! e. f) c1 n; TMethod 07! E2 e4 Y! V. v+ R9 R' _3 p
=========
! C9 t. N5 w W, X: K# M' {) d, P! }" W% V; U3 U
Method of detection of the WinICE handler in the int68h (V86)
/ O. C* Z$ I6 E/ e2 |9 C4 J, K* N
# r+ T( E* p3 K/ y3 b% M mov ah,43h% J' o# k; _* V* ?- N
int 68h- e* e* R( J$ R% s8 Q3 q
cmp ax,0F386h
6 z# g- n# b& |$ C$ u5 C jz SoftICE_Detected G/ z5 }* ]1 n* [9 ^% D& x
7 X% |* T3 s- u) R/ {' q6 Q5 e; G' j
6 E) F$ B" ` s; `! B$ t; r=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: K# d" `: N) } app like this:: o4 l& [3 w( Q4 v
! E5 y3 u3 v5 c: C$ l
BPX exec_int if ax==687 l- a9 `( C! P8 f) R
(function called is located at byte ptr [ebp+1Dh] and client eip is
+ b/ _5 x- F$ r: ]5 N! x located at [ebp+48h] for 32Bit apps); i0 U Q& H2 r5 l& Q$ c" j
__________________________________________________________________________' Y* b; M% G' c+ k
9 s* Q6 c5 X+ ?* H; W% R7 d2 k: g
Method 08& C% b& F6 _' ]+ {
=========/ A0 f/ c% k: s
. _) V& P. v( d; ^7 q! N, R* {2 Q
It is not a method of detection of SoftICE but a possibility to crash the1 A, k% H7 Z5 |8 A2 _8 [
system by intercepting int 01h and int 03h and redirecting them to another
3 \- a( r6 Z5 ]& ?/ @# u d9 froutine.
. U+ b& a: w4 ]0 f& I4 dIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& ?' X1 [3 r( Q) e0 @to the new routine to execute (hangs computer...), r8 [5 w2 y. V# L) S( Q7 ?9 l! w
3 f* ]+ E' g! J( ^8 G
mov ah, 25h
) P( p v1 U3 D5 t: h mov al, Int_Number (01h or 03h)6 X8 w: d5 x I: V. @2 X7 T' {
mov dx, offset New_Int_Routine, L( Q r9 C* v6 `* }+ p' V; S
int 21h! `) K: e; j3 ~' E# Y0 s
' [4 B" M/ }. ?% u2 R4 c4 m__________________________________________________________________________
, C; ~/ x) j4 M) N1 X g
8 V. {* ]2 b' _% m* u0 Y2 GMethod 09) k* _+ Q( _( K0 K
=========
4 O& z* t3 I! l" j
0 T/ f" ~- a7 d" r) FThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
, T' t/ \# B; X6 ~2 u, Sperformed in ring0 (VxD or a ring3 app using the VxdCall).% y! d4 i9 N. C ?9 J% J8 _
The Get_DDB service is used to determine whether or not a VxD is installed+ j; P( b; u) N2 i3 H, J" @
for the specified device and returns a Device Description Block (in ecx) for
( H6 L3 k/ w" Vthat device if it is installed.
5 T* `$ [+ z/ ~! J7 ^/ h
3 _) y7 B6 d; X mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID; \) S, T$ T& t
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)5 V4 X8 M" X% N
VMMCall Get_DDB
% t! I) G* X9 ~, X mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
. Q. ^* @2 S* [+ M3 i- a7 v( Q7 I; ^. k9 R5 i
Note as well that you can easily detect this method with SoftICE:
g1 ^. y3 c. ] bpx Get_DDB if ax==0202 || ax==7a5fh+ Z( v; m3 J- s
* p) }7 G; N, ~7 o__________________________________________________________________________' ]9 j. B2 G& F. n: W; ^
" G/ I- m2 Q; F8 j! B! o2 \
Method 10
+ S# N. x S M=========
2 @8 s8 |; u# y7 c$ @0 E* R, y9 k4 `7 O% d# ^6 R, D/ ?# }2 a
=>Disable or clear breakpoints before using this feature. DO NOT trace with3 k+ v8 h+ z4 i5 x' I* M [7 _6 x: a
SoftICE while the option is enable!!
3 G: W" T, \% R
0 D( w# x3 Q1 }, j+ jThis trick is very efficient: b, ]- A/ [$ n" h: V7 H
by checking the Debug Registers, you can detect if SoftICE is loaded/ I5 g: p, T( p; E( P6 L
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 I/ q( p$ T! V. F" e; wthere are some memory breakpoints set (dr0 to dr3) simply by reading their
0 g6 N" ^- ]( B1 D% B. e! N pvalue (in ring0 only). Values can be manipulated and or changed as well. l+ c/ x4 ~! @; I* P9 a/ q n9 K. Q
(clearing BPMs for instance)+ V3 U! x7 {: l# G
/ C$ @' g5 H1 j: [8 o9 Q) N8 c& z: m__________________________________________________________________________7 h8 l% z1 L* G$ n# ~
" q2 X) t' K$ H1 ]
Method 112 a: Y3 a* v# o. G4 X \4 B
=========0 q2 [+ @6 D( s4 ]2 |
9 a1 z* h/ T, V. I1 X% [This method is most known as 'MeltICE' because it has been freely distributed( J7 X$ @/ _2 L8 e* s# p& e3 y0 b
via www.winfiles.com. However it was first used by NuMega people to allow! U; W/ H9 ~) ~$ a
Symbol Loader to check if SoftICE was active or not (the code is located
1 G1 @1 q5 k1 j- s( {inside nmtrans.dll).
/ C- p m6 b8 I) y t) Q7 Y3 L1 ?0 G8 u" c
The way it works is very simple:0 }7 e5 G/ K2 g r6 A
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for) y' v) y" X0 _$ P# X
WinNT) with the CreateFileA API.
# l, y' h U7 U5 Y g& V0 Y! v7 i2 d% p
Here is a sample (checking for 'SICE'):/ G9 I8 `& I4 ?' V$ o3 G
0 n) N. i# m5 {3 m" O
BOOL IsSoftIce95Loaded()+ G9 K& s' v+ o, R# j6 u. K- f
{
- E) H( @) ~6 E6 M! v% ?+ z HANDLE hFile; 7 b8 |. b8 r( L& z
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; @; R+ }5 \. S! T5 F: | FILE_SHARE_READ | FILE_SHARE_WRITE,3 I/ q) l }& ?4 R
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
3 J7 N0 d8 @& H6 O# Z6 J+ l2 a if( hFile != INVALID_HANDLE_VALUE )# q5 ~& s4 P! E E
{% ] C: [- E% R5 }
CloseHandle(hFile);
0 r# H' P, n; g0 y* H6 p return TRUE;" |' o2 }& H- U% ?! H2 U0 `
}, ]& j' b- J M N
return FALSE;
2 o8 V$ v' z2 g! f# C& L}6 W: b; c* L/ H8 W6 @/ W
. q" R: H* p. z+ I! v
Although this trick calls the CreateFileA function, don't even expect to be
$ H6 {' o% a+ z @able to intercept it by installing a IFS hook: it will not work, no way!8 O9 J$ t0 X6 `$ c
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
# k. r2 _, G- {8 U% Kservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)6 Y+ ^ p0 A+ B( Z' ]5 Z8 C& r+ H$ x
and then browse the DDB list until it find the VxD and its DDB_Control_Proc7 [% R8 J$ L G& |" N3 B2 |
field.5 [* R$ k* k5 L3 [+ {' ^! I
In fact, its purpose is not to load/unload VxDs but only to send a * V# T& s( \3 x* P* I6 I0 M
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
' R! A" |+ X8 E, l( W; W4 V. Lto the VxD Control_Dispatch proc (how the hell a shareware soft could try
0 u9 r6 m4 z8 P# V; Kto load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 Y8 P$ e) o& q6 X% z! L) B+ BIf the VxD is loaded, it will always clear eax and the Carry flag to allow# M) ]) R( Y$ U9 j6 T7 d
its handle to be opened and then, will be detected.
% m6 q! E) {. \$ ]. X5 W( PYou can check that simply by hooking Winice.exe control proc entry point
- f# T5 q8 e. t; R8 q, gwhile running MeltICE.
8 R) h6 y& ?4 W3 _' K6 [- Z% w# `, T/ }& o5 W0 o! i
1 e! I8 _. g# P9 O' d. R# k 00401067: push 00402025 ; \\.\SICE" c. g3 p- e" V9 Z |
0040106C: call CreateFileA
7 ^ W9 H) d' m4 O( ~; _( H 00401071: cmp eax,-0017 j3 K/ c1 r$ g/ l4 ~3 H# C
00401074: je 00401091) o; _; R# \; [6 H0 J4 S
' s1 k/ S+ ?0 V" Y6 b( x6 P' j
}) z* R4 }) h/ n! W" yThere could be hundreds of BPX you could use to detect this trick.
6 u$ d" d8 b& N( z-The most classical one is:9 X* I& O6 m* G8 t) B7 K: R1 H+ |
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
+ x! F4 C( S1 @4 \ *(esp->4+4)=='NTIC'
7 l# K' T. k- z9 [: d5 I4 q. i* i0 k& ^1 ^+ G. X$ c d
-The most exotic ones (could be very slooooow :-(7 \6 m7 c1 A/ j, q N; X; g( Y5 i; O' D
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 5 F9 k$ L7 u/ {+ X2 d! ~
;will break 3 times :-(6 d* a3 c) `6 g5 k+ O
: T& S: C; v x$ w; ~2 Q
-or (a bit) faster:
2 {8 L3 B b' N( k/ a8 t& |8 c6 U BPINT 30 if (*edi=='SICE' || *edi=='SIWV')3 t- ^8 A- a( S) B
9 T0 U+ r* Z% O+ C/ y$ I- p
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' . Z; X8 v8 |- b
;will break 3 times :-(
6 r$ W. f @; x9 E$ ^+ }& B/ b: J! W
-Much faster:. t; u; K3 G' y) I
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
3 m# Z/ H5 B* d. I2 ^. W% T. d/ o2 X9 j) X
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
- L9 T% j5 N5 ^5 `+ |4 \: t! ?function to do the same job:
& i9 H5 m' Y/ Q: W! q% j9 d3 O. g Q
push 00 ; OF_READ6 @/ q7 J2 J% J+ j- T
mov eax,[00656634] ; '\\.\SICE',0" Z5 j" I" z9 x5 r
push eax! b& d3 t9 l4 |$ }( S* y k
call KERNEL32!_lopen% W7 H* C* c; J6 Y
inc eax
0 w. ~4 R. e# N2 a jnz 00650589 ; detected( R1 g. m2 o1 j2 v/ x
push 00 ; OF_READ
0 B6 s" d' T; d) d( R mov eax,[00656638] ; '\\.\SICE'
& `8 b4 S' [3 X0 k* Z: y7 I push eax
( F2 V; c6 Z1 ?6 X4 g9 }, I. ` call KERNEL32!_lopen
7 e5 c/ _6 \7 e/ K) L" R inc eax; s* L# t- L! P. x& }% M& c
jz 006505ae ; not detected
' d9 ~: I/ f6 i& T3 [: D! h8 a4 t# Y
" N" |( g" y' g: A1 N* R5 N; a__________________________________________________________________________
: ]/ a3 `9 h7 a* X" z' g5 J0 c
/ Y: a& N' g) v) E, Z4 L* MMethod 12
0 T; {% Z1 t9 [) @' I=========! A1 O# Y* J6 m z
; J! Y1 z, w. J7 L3 q& D' `This trick is similar to int41h/4fh Debugger installation check (code 05. i" t; f9 _8 E+ |# s3 P
& 06) but very limited because it's only available for Win95/98 (not NT)
2 B7 y4 i B; x6 M; \4 b9 Das it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# j& V9 J: F) N j" P) E. F. h5 K8 G
+ z3 ]7 A% d6 e+ j% S6 ] push 0000004fh ; function 4fh
. T! K2 X! G. F: ] push 002a002ah ; high word specifies which VxD (VWIN32)& t1 s% _. _/ P
; low word specifies which service
' X& n6 v. c2 q9 c* B, }- K; U! v: S (VWIN32_Int41Dispatch): b! `. y( y1 n. I) |4 ~6 @
call Kernel32!ORD_001 ; VxdCall
4 V5 r9 X/ ?0 K# R) n cmp ax, 0f386h ; magic number returned by system debuggers
# u2 n! a& L- y jz SoftICE_detected
; z2 w6 ?* f! R) ]) M7 l9 a5 { H* V2 y
Here again, several ways to detect it:- a4 n4 i8 h1 N& k$ E, p4 n
0 h9 A ~9 f& l8 c4 i; S7 c, g3 [( f BPINT 41 if ax==4f
3 _6 \2 Y7 Y1 ^6 L& r1 a3 g- N; [, F1 W: K: n, T
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one' O; J1 W, ?8 w5 V! q7 a& S5 l5 X6 U
, w" w/ f% o5 J5 j
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
5 u" H9 { c2 g/ K8 b1 ]' [1 x1 d; }- p# S: f
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!/ c- g0 v1 S% V9 }6 F$ d
$ E' I5 Q1 g) n) o6 h3 G
__________________________________________________________________________5 G! F3 o! f& a6 w, `
' w. F1 ] D5 e; x. P* m5 xMethod 136 ]5 w) a0 ]. ^0 w* g( Q2 z
=========- i" f* X' r- {
) l6 ?# |7 h# L0 V& |1 y+ z2 q A
Not a real method of detection, but a good way to know if SoftICE is
6 x* v8 H: S) @; O4 @- c Zinstalled on a computer and to locate its installation directory.
& f1 ~) e( d7 |' zIt is used by few softs which access the following registry keys (usually #2) :
" j. v% t( G1 _ q# L
6 Q7 O/ W' B0 U4 `! \% E# T& k c-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 K6 S$ _6 b* b- @' L\Uninstall\SoftICE
- z2 {% ?* S% t' S-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
' t# k$ N7 s |! Z# E% `-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; B! m- k) b" _$ \5 `
\App Paths\Loader32.Exe' D2 i$ r7 ?8 B* n. K7 v
8 P7 P$ a: `/ Y
3 o% p$ T6 v' |/ }# ~& @
Note that some nasty apps could then erase all files from SoftICE directory
6 u' V7 P. j3 ?# C(I faced that once :-(" T( o5 ^4 f$ Q: e
" z9 ]. A/ N) G! {/ Y) b) E6 F+ Y
Useful breakpoint to detect it:
) D2 G* \8 j5 w4 f! u5 Q+ K
2 o8 B3 |# I% N" d# n# v4 e BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'! b$ \! P! D; U( `1 e" h1 b
; T8 |2 Z* Z, N% w, T__________________________________________________________________________; Z$ H& P* u9 U8 M
9 U6 E( O2 b' x+ u
) y& [. m: Q2 K3 p/ E
Method 14
8 C! p# d( \# ^=========- |% g7 E& D3 {& G/ M
' U; K. z, v2 ~$ ^
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% O3 @% ]6 ^1 v0 q: l9 q: ois to determines whether a debugger is running on your system (ring0 only)." N( K9 n9 ]' t
0 i J, W& \; g9 h3 E1 d! m
VMMCall Test_Debug_Installed
5 o( }) u3 [7 o4 M( c je not_installed2 t. x8 o. a3 @# |+ \
: u; z0 J2 l- b$ m) C$ i
This service just checks a flag. ?1 z0 {, L1 j; ]5 V9 ]! {
</PRE></TD></TR></TBODY></TABLE> |