<TABLE width=500>) b8 K; {: @5 i! r! u
<TBODY>
4 r. w8 n' \. A# n$ W* V<TR>
1 z; x& U0 g/ N5 L2 f6 d<TD><PRE>Method 01 3 f- C1 x& t% ?, j) d0 d8 I: [
=========# |$ V2 b& K3 L* V- j# n
0 u* p, w4 @& j; p( U5 n, |This method of detection of SoftICE (as well as the following one) is
, d) B7 k, R5 C6 b7 G5 mused by the majority of packers/encryptors found on Internet.
8 k Q% ^5 z6 `# X! KIt seeks the signature of BoundsChecker in SoftICE
+ U8 e; e" `" T% m5 v- J8 ^) i- S2 s% K" s$ S" N
mov ebp, 04243484Bh ; 'BCHK'
6 t( ]" H% u% s+ j- m1 ~! l mov ax, 04h: c9 j5 @& o0 S6 F. [
int 3 $ N, g3 d u& i5 f8 j) a
cmp al,4 X3 ]* w* w8 T. [* _ o) _" Y+ S
jnz SoftICE_Detected5 e0 ^+ W8 |, `3 V
/ t; I! N. M; c4 }% e$ v
___________________________________________________________________________4 ]; T) F- V0 K9 e5 B$ a
8 `! ^. j+ D2 {4 s; d
Method 02) X. o/ |. D. Z% ?7 O C3 t J0 R
=========( o3 W. p& K# G k
; b3 {, v) K9 f4 U2 M5 f. RStill a method very much used (perhaps the most frequent one). It is used
9 `# F/ ]0 T8 Y4 h( S% |to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
/ C4 z, X( a+ X2 M% |4 |or execute SoftICE commands...& z4 J1 t1 p$ B/ U5 L- v
It is also used to crash SoftICE and to force it to execute any commands/ R/ S8 g. ]9 L# \2 _
(HBOOT...) :-(( 8 P$ L, G8 f+ F4 o% G9 a; P" o
) I8 R( P& ?8 A/ ?4 k2 l5 w
Here is a quick description:
) m! E$ Q. I& b* S-AX = 0910h (Display string in SIce windows). c$ Z! h! F! ]2 Q, f
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
# I4 B5 C: G+ x3 G0 U6 q! ~4 ]-AX = 0912h (Get breakpoint infos)
* V9 t7 l( F+ u, w4 x' A-AX = 0913h (Set Sice breakpoints)+ v- n5 S; A6 J- E
-AX = 0914h (Remove SIce breakoints)
( H2 e! O# y- k; E" z, X0 \2 e2 P* \* e$ h
Each time you'll meet this trick, you'll see:3 o& l. l( A) _
-SI = 4647h
' E- N6 v. K2 y: h& K0 D-DI = 4A4Dh
9 d9 s, P% ]$ e) }Which are the 'magic values' used by SoftIce.6 }3 r" k# B& A3 O& B8 X# |, ?
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* g, w- J( w0 v7 w- z& d4 z/ I7 j9 w) b$ q3 v
Here is one example from the file "Haspinst.exe" which is the dongle HASP
0 w6 z7 w# ` s: \/ D1 }; N! OEnvelope utility use to protect DOS applications:
6 P. h u* `0 k: ^; e3 o
: w- u7 x# ?5 E* t r" i
# |- b; w; l7 @1 g/ X4C19:0095 MOV AX,0911 ; execute command.+ k8 j2 i8 P: `1 }
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).$ C( e% \- _8 V& I" L( ]
4C19:009A MOV SI,4647 ; 1st magic value.# A$ Q- T( p, ^
4C19:009D MOV DI,4A4D ; 2nd magic value.
7 ~7 C. ?# w) Z! B- D, m& X6 O4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*), p3 F5 B5 l8 R: T0 {# ]
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute; m! R$ z3 A/ b" s7 ~0 @
4C19:00A4 INC CX
. m% \# R* ~9 N; \" y# g/ N4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
( ?4 o& _% v3 ~- S$ X) L; R2 v4C19:00A8 JB 0095 ; 6 different commands.
$ W2 m, E& Y( U8 J) S4C19:00AA JMP 0002 ; Bad_Guy jmp back.! ~) w u% `6 V3 c" P) z
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
) x: C' C+ k; C- v @3 }/ ~% W: f1 L( Y U8 G8 u( v
The program will execute 6 different SIce commands located at ds:dx, which6 f3 [) p/ D6 ?. S. _
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
; l @, \% M6 l' q" P6 W
; D( O$ T, F8 n; r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
5 {4 |! u$ c* E# k5 S. E" E___________________________________________________________________________9 W, g) A3 J: o/ D
- ]. n. A* w- \- B/ B5 r4 Q
# B {7 D+ u: M( h; WMethod 03! a& p6 v, b8 f" `0 R& l, }
=========2 _) H; y% k* d7 R6 X
1 w l! T. ]1 T# T* k+ N9 h& @Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
4 J% Z# C2 Y, N) w. c C(API Get entry point)4 V7 n5 a9 Z7 V' {- `
! r* i7 a& D( _: i! z) i2 N9 H; U7 R6 O% d- |5 b
xor di,di: Z* L. ~& w. A/ n8 O) c8 j4 h
mov es,di/ v4 i3 v! _. O" P: e2 s
mov ax, 1684h
]0 J7 a9 F; X3 I0 d mov bx, 0202h ; VxD ID of winice
/ n5 r1 N% L/ X: C int 2Fh! n% M4 W+ Z% q% x; u
mov ax, es ; ES:DI -> VxD API entry point
' n4 W& o, t0 R3 B, } add ax, di
% b. h) @: U( B test ax,ax
4 S. c; H3 i- z9 G" N3 A, Z5 O7 i jnz SoftICE_Detected- N2 f6 L5 [# W9 W' V
4 W, o: T6 |, v/ a3 n4 a
___________________________________________________________________________3 @ F- }5 z6 i- R
6 j, O( e8 ] w+ [8 e
Method 04- I' _; Y. x9 F# O
=========
( b/ T, \$ a' w( D6 ]3 O4 C
+ D# s% a( _. Z' ?( d! bMethod identical to the preceding one except that it seeks the ID of SoftICE6 z; Z+ B: [1 \) \1 S7 F
GFX VxD.( g) d- ^6 r5 L4 c2 l2 M
6 `1 p+ S. A6 V1 d: w& |8 D xor di,di
$ Y1 N! I+ s5 D, J" h3 P+ i7 s mov es,di
! e9 ]! f1 m6 O, L# |6 M" t mov ax, 1684h ( @* C. M/ L0 m' I. X; U9 N) M
mov bx, 7a5Fh ; VxD ID of SIWVID8 F6 V: r7 T% K5 B8 [
int 2fh$ I& {+ |6 P6 Z* ^% ?9 }
mov ax, es ; ES:DI -> VxD API entry point
8 k I' E1 y1 T7 p* M add ax, di7 f# M! ^$ T0 l1 D- [5 q8 [
test ax,ax: p7 K( {7 ?8 X6 X4 v) G
jnz SoftICE_Detected$ d$ V8 z6 i7 t: ~' ^
4 T l) k1 M0 T4 T
__________________________________________________________________________
9 D( W5 Y; ^, n5 O, _* a, \- ^6 f+ x6 z
" n9 M) B' i! C7 [Method 05
( m3 M0 ~( V1 ?1 M4 [4 r=========
' U" M* q7 q: @* j) ]4 t" T# h% k' A9 R( @
Method seeking the 'magic number' 0F386h returned (in ax) by all system
' E( S' O0 Z* F6 udebugger. It calls the int 41h, function 4Fh.+ v: O" v! ]( G4 y
There are several alternatives. : u: A2 Q/ d* K- X: B8 B" A2 n+ B
/ ^2 I2 \5 r( A# q' P* g; j aThe following one is the simplest:
& Q" A7 ?! H! X2 P4 r5 C/ V8 X, ]2 O- B% X. R6 y8 K
mov ax,4fh: R8 c7 z7 m5 m9 M
int 41h
6 h0 ~# a8 h/ p cmp ax, 0F386* w; i' C) q+ n/ f+ h
jz SoftICE_detected
% Y. m, Y* }8 Y$ Q5 i5 |
2 ^, B, M5 x- a. e; K$ [
! H3 R4 B& m4 Z2 z2 D# S" ~5 xNext method as well as the following one are 2 examples from Stone's 2 n- A6 I( u" W, \
"stn-wid.zip" (www.cracking.net):8 I2 u! ~& b; Q$ O
3 V5 h( U$ P# P- g mov bx, cs
/ f2 l8 I. a8 P1 f, N, A, O7 E lea dx, int41handler2. \5 t2 [3 d J
xchg dx, es:[41h*4]
8 V% C c" ~4 d3 _ xchg bx, es:[41h*4+2]5 | e X* o; t% L$ G2 Q; Z
mov ax,4fh. Q' \+ @- {; X
int 41h
+ W! n2 m7 I' }) a. ~" t2 {) T, i xchg dx, es:[41h*4]5 V, L$ j, e) |8 q g: \
xchg bx, es:[41h*4+2]
- z$ t& v3 ~# N1 u+ X/ | cmp ax, 0f386h
) c8 t4 }, |/ Y+ \: R jz SoftICE_detected4 p' A5 n& J5 e
6 _* F% j4 s1 ~) Fint41handler2 PROC2 _* q9 ^( b) w
iret% U3 S7 V% T6 R( N
int41handler2 ENDP
5 _" ~# e" f6 X% E# l# Z2 }7 T# ~" {( s" T2 { |8 Y
( P1 n1 c$ x' B' C
_________________________________________________________________________9 B' v6 R( K8 _. C
( l; F6 F7 x m4 k+ p2 [0 a
; H/ m9 C1 E4 J4 a. l+ r2 r
Method 06% [2 q3 @7 U I; C+ @6 h; H' S: Y- R
=========
9 f+ s _1 K( j: r5 L; m* ]7 O! R& c" T8 \2 Q- B
( k r( l! X, z* d' i2 a
2nd method similar to the preceding one but more difficult to detect:4 E p; o3 J( \/ `
/ \4 E; u% K$ T1 x( a
( j) ], w6 c5 e X
int41handler PROC
4 d1 x$ O9 l2 R: ]' C4 Y* D mov cl,al
6 M6 {; Q2 t% w& k, v" ^ iret
8 D! H" k' p; P( v# Aint41handler ENDP; L* k, _& N \6 @# \6 r$ z
/ i5 | U# M* B+ E* y+ j# P
5 D. f) G9 I. E" d' l xor ax,ax
, D2 ]" T: _# t) g5 a3 k5 z mov es,ax
* s, r& t8 e8 M mov bx, cs! {% T# f# A* T/ W% [
lea dx, int41handler: q1 q/ [& @% e
xchg dx, es:[41h*4]
" v1 S/ C- |! u xchg bx, es:[41h*4+2]$ s5 c* V: |. ~9 B# ]- T9 H
in al, 40h6 Z3 z! Z5 P) B% O
xor cx,cx
* t1 M6 D* I$ G) T. y/ h. r int 41h
" s, I# t7 B- T+ D xchg dx, es:[41h*4]3 A+ m+ i6 I" A" l& f, b+ y
xchg bx, es:[41h*4+2] l9 d& l7 x/ E2 Y* l" z
cmp cl,al
& v& X$ J1 D! S5 p jnz SoftICE_detected
2 }: e$ r! X& ~/ e+ Z( \: d! E
6 m, e1 ~! s0 h3 @_________________________________________________________________________
/ B, E p% [# c7 U( e0 U5 N L7 k, R/ t: E% u N+ V
Method 07
& Z& F* K2 x+ T# G; \=========: M8 h; {; D" R6 W
0 P s- K. P: R+ k+ V7 t9 XMethod of detection of the WinICE handler in the int68h (V86)8 q& l6 p4 \7 D' w( l" ~
* e+ A. Y. o3 D/ D. y) e* {8 X+ G mov ah,43h
5 m) j! j9 g" u* S- `* H& O: D int 68h' U$ E1 H% {% }( Z' i
cmp ax,0F386h6 d# w# d5 f* H( m0 u F* S
jz SoftICE_Detected- h* K: g# w+ `' Y" w6 n
3 C) r6 _' ^1 b {; d
9 J" ^! M# I4 j8 d: C=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit, ?. y( C) U/ f a
app like this:
: t/ k4 [8 D) N2 G/ q' r: N% v: F3 z* }$ N i
BPX exec_int if ax==68
5 @* c, D8 O, i: B0 t; I/ ` (function called is located at byte ptr [ebp+1Dh] and client eip is4 ~4 C: M% {$ f8 |# Z
located at [ebp+48h] for 32Bit apps)
# y& Z& {3 g1 t9 b- e__________________________________________________________________________
7 N- z# r9 M4 ?8 ]1 z: V
4 k4 T m! l7 A: L J& Q" F) o! ~. w6 G3 c& o) V" e* B |* Q
Method 08
, p2 u( i- E* s=========
/ J: V8 A5 e; c# x& x: c% }2 n# ]% V, @2 w5 \8 q2 | C* X: b
It is not a method of detection of SoftICE but a possibility to crash the( ? ^ F1 F/ B! m
system by intercepting int 01h and int 03h and redirecting them to another* z( z' N9 ]. f1 e& h
routine.
% z+ e! g3 X; |It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) x$ z- d( h- n1 u& M* d6 \
to the new routine to execute (hangs computer...)
( |' w+ D0 b9 t8 y) v+ p) v7 L; }7 k: j& p! G" C& x8 {! M9 b
mov ah, 25h) c* S' t" E3 k" R- |
mov al, Int_Number (01h or 03h)8 g8 F) x: A/ Z9 H! N
mov dx, offset New_Int_Routine& Z6 m" [( S$ A( ?' l9 i
int 21h& q$ ?8 d- h/ s! x% o
: N% H) {; E: R0 b9 Z: l__________________________________________________________________________
/ L0 ^* }7 V5 j
1 Y. n) O' L n0 kMethod 095 z) ^% }. X# c/ V( u0 N
=========
; c9 o6 D% E' v$ a( j1 p
( ^, N# l: C* L* |2 H8 v* I( nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" ]0 M/ Q& a/ N a4 A& Z5 bperformed in ring0 (VxD or a ring3 app using the VxdCall).4 `% J3 L! q& Y7 s2 m* {4 |
The Get_DDB service is used to determine whether or not a VxD is installed2 m; E5 j6 d2 ^3 d/ b
for the specified device and returns a Device Description Block (in ecx) for. x/ ~" g b$ M% L/ n
that device if it is installed.! f( q2 w3 c) C# c6 a+ K' ^
" y- c. [3 x K5 \( L( ^5 A8 Y4 @
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
) U0 N- y1 Y, H' v. f2 O% s mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
' v; J$ I: a$ X/ B3 l. g1 L VMMCall Get_DDB: N# l& Q/ t0 v# ~( I0 ?4 j
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
* m- N2 K6 M. u
. j9 k4 z+ \5 ?1 W$ xNote as well that you can easily detect this method with SoftICE:" N; {) N/ y: i% l D9 G9 _( u: ?
bpx Get_DDB if ax==0202 || ax==7a5fh- H3 n. @. l9 u9 c$ t
" v, Q0 n% Z: E" q; k( y# y__________________________________________________________________________
* [" b, {& g3 P- Y! A V& _0 Q3 l- P
Method 104 V0 c; _3 O/ C: Q% T- N& F
=========- b$ H+ Z% g4 v: Q& i9 ]: i
+ y/ e" Q: B' v7 y
=>Disable or clear breakpoints before using this feature. DO NOT trace with
# \! ^3 r5 w. S: }6 c1 _7 X SoftICE while the option is enable!!
" E! \& Q: a% P1 Z* c
4 B1 w, n8 T1 b5 z$ v9 u5 t6 Z' }6 @This trick is very efficient:
) M( f7 r4 m! B x8 C& S4 a: h& Vby checking the Debug Registers, you can detect if SoftICE is loaded
/ z' q5 c9 K# m4 V0 m4 f(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 ^- k6 k6 D( Lthere are some memory breakpoints set (dr0 to dr3) simply by reading their) M/ U. I8 e" K: K/ T }
value (in ring0 only). Values can be manipulated and or changed as well
! ~* l2 R6 L& E2 G4 ](clearing BPMs for instance)* V% ]' n: P: e6 ^4 N7 X4 p f
5 Y/ D. ~- v2 Z5 V8 w# i% F__________________________________________________________________________ p2 w* R4 ] ^' A; @
: s' P. T6 T D# {6 G$ \Method 11
# o4 X9 o* r$ @' {" }( a* J=========
6 H8 o3 s$ _$ ], C$ E9 Z* J! O6 ]9 Y8 U
This method is most known as 'MeltICE' because it has been freely distributed) Q, x; J+ d' k% M
via www.winfiles.com. However it was first used by NuMega people to allow
: T) L! b( y1 j$ |7 fSymbol Loader to check if SoftICE was active or not (the code is located
2 u# w. M6 D) \+ g: U! f( j( kinside nmtrans.dll).& q$ P0 f1 i3 S7 N9 U4 B
: i! T: u; o: \5 y
The way it works is very simple:
3 c( `- A% O1 e; F+ r6 AIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. T7 T4 ?1 ]; t! R6 o- _$ U/ |
WinNT) with the CreateFileA API.
/ E8 J9 W1 D8 n2 O; a9 z @. t6 M% X B+ `( v
Here is a sample (checking for 'SICE'):8 a( H- [% S, n1 r5 j0 \$ O Z; h
K- A- R9 g3 v$ j m7 A7 J
BOOL IsSoftIce95Loaded()) ?& G4 T. A3 R i2 C5 \
{% P: \. m+ o- ]$ k+ ]( M
HANDLE hFile; $ k$ P! R8 o$ d' N
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
J2 E1 \/ `$ d' X9 R FILE_SHARE_READ | FILE_SHARE_WRITE,
3 E7 [0 q8 O' J2 |& X# L. Y! n) L3 C a NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" e: F: N% s2 J' Y( ?- _: r if( hFile != INVALID_HANDLE_VALUE )
' |7 } B. e- N$ [ {, T" w4 k8 B" K% @
CloseHandle(hFile);* x y" I# _6 u5 S; ^
return TRUE;* @3 c& j# R8 p y9 x
}
6 U) j, }8 {0 R- L8 Z* Q return FALSE;
2 V) @5 P, [! ?1 n [$ `}
8 _3 k4 Y+ a% E' n$ u
4 ]* e2 X% E9 }# e1 s; c- H: yAlthough this trick calls the CreateFileA function, don't even expect to be
2 X, q( q0 t* Q z$ s& ~able to intercept it by installing a IFS hook: it will not work, no way!
$ w: E( r+ y* G' S9 @8 HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F( t6 X: e$ ?; ~( {, c' Y
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 o. J1 b$ i# I2 w2 u* Y. B
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
% N. F8 M7 M: ~3 U1 Qfield. P! c; N J4 k3 P0 f1 R$ V
In fact, its purpose is not to load/unload VxDs but only to send a
$ i, u$ t. [5 j/ k }. J7 bW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! r( O3 Q& P) k
to the VxD Control_Dispatch proc (how the hell a shareware soft could try, f7 R; O7 M1 q
to load/unload a non-dynamically loadable driver such as SoftICE ;-).8 n* _* _2 f0 J
If the VxD is loaded, it will always clear eax and the Carry flag to allow
! _ ?3 `" ~) Z! l# @: cits handle to be opened and then, will be detected.; ~- B& ~, T5 m7 U. f( f
You can check that simply by hooking Winice.exe control proc entry point
; t7 |% W' H; _( b5 Q; V9 fwhile running MeltICE.
5 H0 A( y6 W6 n, ]' G J9 `3 ~4 ]0 @) t
+ B0 ?# E% _4 Y' m 00401067: push 00402025 ; \\.\SICE- O0 W1 p% e0 ?3 h( U. L
0040106C: call CreateFileA: j" H+ Y; \8 a: g3 d M
00401071: cmp eax,-001
! ^8 `0 v4 o7 Y" `& E 00401074: je 00401091
2 T, b2 q1 B) E% }' z1 A; d& b
7 k1 z, t) K" q, O T. Y' y/ [: `$ M* e4 W/ o: W( W( j
There could be hundreds of BPX you could use to detect this trick." A8 V/ I/ G$ ^
-The most classical one is:" v4 {& c1 p' G4 n& f$ o, V
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
6 V- `4 t# c: t3 u/ Q* c$ \8 z *(esp->4+4)=='NTIC'6 V" i& G6 C# N& I( b& T3 J/ O7 e
' a) q2 b( z# \, a6 r0 Y; s& B, G-The most exotic ones (could be very slooooow :-(
$ c; l+ a* l: I6 I BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 4 ~$ I( T9 c4 s4 p) C8 M$ b6 j
;will break 3 times :-(* x9 V) T- U U: [# B3 K
. z8 Y7 E8 {9 H* v, e7 x- ?/ h) r
-or (a bit) faster:
! ?0 _" e( \! H BPINT 30 if (*edi=='SICE' || *edi=='SIWV')# }+ _' l D) T
1 p6 }5 c) d: O4 o! T BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. t+ Z' n8 F Q) I4 b$ a ;will break 3 times :-(
e3 o# N7 p, O8 D( U0 \% @, S$ P# K5 J* F) \
-Much faster:, k1 K* }0 {% ^* x* M* L
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'1 `0 g! s, [+ v- a9 |+ N
- N( A" o7 m. K/ w% ^Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 s ]1 u! u/ j0 @8 zfunction to do the same job:5 s3 n. o9 ]% j k
: [2 G! S( x3 z% {
push 00 ; OF_READ
0 ^" R4 G' f( q mov eax,[00656634] ; '\\.\SICE',0
6 M( u9 G3 n+ o; v) S4 u9 Z push eax
" N, s3 P4 e# m; u: T) j& }5 R call KERNEL32!_lopen
* I/ X0 Z. A* w, e9 b inc eax
4 |: _& @7 n# k2 c+ `% r) T! _ jnz 00650589 ; detected
2 z6 W, }9 A- e2 r push 00 ; OF_READ
; y2 V/ n* T1 } mov eax,[00656638] ; '\\.\SICE'! d3 J2 `; m- g a1 v, u8 y
push eax
" V. K3 c3 ~; s$ P$ x( }! s( S call KERNEL32!_lopen
! O$ I) ~* n. r# U/ _ inc eax
% ?5 {# R2 @" s+ n( k% p7 v9 @# \: q jz 006505ae ; not detected
5 Y$ \3 t/ V: Y0 f4 o) y5 z5 `$ [$ B+ ` |- Y% M! g
/ T' W+ h3 }& d. ~9 e$ A
__________________________________________________________________________9 `$ \) }) A! z' M1 T6 Z" ?1 {
8 q9 X' w1 C) e' LMethod 12
9 X! Y w* J+ `=========1 U9 v% a2 V1 \: f# `& w$ ^: u
9 }0 }7 P" s( d' y6 w6 u8 ?. D
This trick is similar to int41h/4fh Debugger installation check (code 05; u5 q2 o5 H9 `! U: g
& 06) but very limited because it's only available for Win95/98 (not NT)& [/ l) B+ g7 W( l! w
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ G+ p; C& }% N' L( {9 x
' j3 V2 H# r$ `9 C7 ?8 t! u
push 0000004fh ; function 4fh# E) T6 X8 Q3 G3 s, o: W7 _
push 002a002ah ; high word specifies which VxD (VWIN32)
. z# U3 J7 H+ t2 d# P' h: I' d ; low word specifies which service$ b- p4 W# B/ f/ N7 e t* v& \ \4 K& m" ~
(VWIN32_Int41Dispatch)( w/ x' Z" A* o% N
call Kernel32!ORD_001 ; VxdCall" H: O e. Y8 k/ V/ r; R: J3 S- v
cmp ax, 0f386h ; magic number returned by system debuggers
0 _% P# A" {/ d+ H: k, E jz SoftICE_detected
+ p. N: N( j# T: P
' T D# \# Q5 e9 |; k5 o7 y. IHere again, several ways to detect it:
1 E2 u6 W7 E! a# Y9 s1 }! Q2 t1 z9 @* O8 C, O) m2 j
BPINT 41 if ax==4f
; y; d! V3 r. P: d/ e$ I y1 I5 x( T6 C9 M) a3 F
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one% b7 V7 \1 r6 C5 Q
" X! `0 q) `+ A' ?* F& `- p
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A T0 N# y# o6 Q x# Y
* D, `7 V) H# U' T
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
5 B) n$ N* y3 W" Z$ X M& C& q* l# K
__________________________________________________________________________
3 @1 Y1 o/ Q1 [: A: Y7 @2 B" Y7 L) O9 P
Method 13
) W6 ~0 F0 P2 b* u=========
- C4 _2 X3 J, A. Z2 x) |7 ` C2 z( S1 k2 h* X( G
Not a real method of detection, but a good way to know if SoftICE is
- H7 e: A$ g- ]8 Einstalled on a computer and to locate its installation directory.- R) N7 n" b6 v3 D5 G x. I' {/ A. e
It is used by few softs which access the following registry keys (usually #2) :8 f* p5 A. E5 X. r
3 |. G0 t; y5 |1 i* s- p, E-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ _; w0 U1 z/ N8 i1 b. ^& G$ Z
\Uninstall\SoftICE1 F3 ~, t: N* n! R3 y
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 ^6 m* N7 u3 R( C1 K-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 n" Z& j; p5 f' e\App Paths\Loader32.Exe8 ]+ w5 r% r- e {/ N
" \2 E6 \6 s! T
; t/ i. R3 l1 L6 Q4 fNote that some nasty apps could then erase all files from SoftICE directory
! Y' g7 q8 ]. o3 y* b(I faced that once :-(/ L2 }3 _+ L. a9 `
; h. V F; F$ ?- U+ M+ m
Useful breakpoint to detect it:
: i( K0 M/ n4 ]. c/ t1 W! g
4 X4 ]! t- M6 h. v BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
, Y U+ u5 f2 J# \
% y- Z O3 V; R7 m V__________________________________________________________________________
' k$ M* }3 A$ j& z( Q k8 {, c- j) ~) y
- F. i% [! e/ R& q4 T/ E+ v' s. k6 K% J, {( S
Method 14 9 q6 W1 h r. J; e5 L% y+ V
=========0 M6 e7 B) m6 v- L
# K- ~! [/ a5 ]9 x1 CA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 L7 _( i9 ^* m. r+ [
is to determines whether a debugger is running on your system (ring0 only).
$ P' e: E$ q/ t3 I$ [+ k* b r) ~0 P, ^. P& E- ?. ?" i) ?
VMMCall Test_Debug_Installed
' q4 U* `5 d7 c. I" [ je not_installed" W2 @+ {" E$ z5 u' l' j2 y2 a; }
/ P" L, R- V* f6 \
This service just checks a flag.3 n/ D8 x' z5 c0 t( E) T# X
</PRE></TD></TR></TBODY></TABLE> |