<TABLE width=500>& `0 g8 K9 f. e" _3 m
<TBODY>
7 N1 \" f4 [/ m9 v<TR>
; @5 Y4 I6 R) N. P8 R<TD><PRE>Method 01
5 C# e( E' o R" j' H=========
" v, ]5 z; f" w9 }0 l$ b; M. S+ _7 Z; t. O
This method of detection of SoftICE (as well as the following one) is+ u0 n, L/ R5 T% H G
used by the majority of packers/encryptors found on Internet.* c/ S0 m" ?+ J: }7 [) Q
It seeks the signature of BoundsChecker in SoftICE' W: \5 Q) r' w! z% W
& u* Q" h2 {* o
mov ebp, 04243484Bh ; 'BCHK'
$ N2 Y- h4 f- N% e mov ax, 04h
& d- ?/ }6 z, ]( ? `+ ?( x int 3 3 S+ ^% u: ^( W
cmp al,4' | Q1 [8 J/ K7 p
jnz SoftICE_Detected( N, p; Q' R/ X
- l- @, g- p+ D3 @6 y___________________________________________________________________________
$ L* Z6 a, |" i2 B6 ^( [3 J2 V) p4 r0 }& n- N1 _
Method 02: _1 ~1 O& f, ?+ Z$ Q7 k7 L9 v/ l
=========# O7 E+ c" k( m/ W
/ W. m" C) |/ w- H6 VStill a method very much used (perhaps the most frequent one). It is used, z+ t$ }3 |4 ]$ C
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,- u: P% q6 P5 v2 S- a
or execute SoftICE commands...' A# _: ?$ ?1 U, p* U
It is also used to crash SoftICE and to force it to execute any commands+ L2 W! g: w9 k
(HBOOT...) :-(( / P- `9 Y7 Z' n5 Z- n
3 W, t& o& z, a2 YHere is a quick description:
$ Q+ j) b( P/ E4 H' u-AX = 0910h (Display string in SIce windows)' T6 A) P t. |& P7 Q0 J x6 F/ X
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)+ g/ f6 y- m X1 t5 P* v/ x
-AX = 0912h (Get breakpoint infos)+ A3 n* h( A2 @' K
-AX = 0913h (Set Sice breakpoints)
% G v3 q0 A4 m-AX = 0914h (Remove SIce breakoints): q. y% o/ z2 v
2 \" z4 H0 `+ ]# L' O* OEach time you'll meet this trick, you'll see:
* D: J/ S; ?, ~9 J-SI = 4647h
" Q: E- K$ T. E-DI = 4A4Dh
) i( v: q4 E( y" K2 u3 vWhich are the 'magic values' used by SoftIce.% e( M* ~" ^! H) Z- }+ a
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
1 F6 M0 E/ }/ |# T) c5 E
* N* y" Z& [8 _4 M9 z' kHere is one example from the file "Haspinst.exe" which is the dongle HASP3 |; C5 Q& `; x2 A
Envelope utility use to protect DOS applications:
A+ n& ]+ C. {" {; X. q* F& e4 u. f" E+ W" r' n
% ~/ D9 w) c# t2 K4C19:0095 MOV AX,0911 ; execute command.
& ~5 U! B& h9 f+ R' z4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
; {* I, N- s Z2 T# p9 ?7 F4C19:009A MOV SI,4647 ; 1st magic value.
1 P) \# g$ `8 Q. E( `# C7 u9 e7 A& B4C19:009D MOV DI,4A4D ; 2nd magic value.
4 y) [" `" T( `8 e2 [7 Y4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& \* e6 f5 d& }: [1 A4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute, i' d/ j; |( j& S
4C19:00A4 INC CX: i& w( W/ i. E" z
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
) M; I! A+ h# X h: ~7 l" j4C19:00A8 JB 0095 ; 6 different commands.% d& `, I4 w+ W: y0 \6 V1 {
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
* P- i) t+ S2 ]. _4C19:00AD MOV BX,SP ; Good_Guy go ahead :)" v' w3 J$ Y3 O! o2 r
. m7 U+ @+ h8 S% i8 y
The program will execute 6 different SIce commands located at ds:dx, which) X- H* Q' u6 A6 A1 d
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
2 J2 w% K9 a% C8 E) G) w& o- M5 `* ^# L# J& E3 y; ~3 s7 \
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. i ]0 Z$ F4 k' M- u/ c___________________________________________________________________________
, E6 e% b. C+ E! ], _2 r( p& n4 b+ ~0 F& V" Q# p4 b) H8 Q
* A; V* p5 {5 ~# [
Method 03
( M W+ x$ S- t) \( D=========
% j# ]8 S: d: H* e0 X! }
' f0 a/ I* o6 [Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h7 g% ` N6 g9 I* P) t# a. l
(API Get entry point)
8 {7 }; j3 j" @$ i; i ) v! S6 v6 c5 p1 H
9 V3 N# x: D# u D! l/ c% N& S xor di,di
, s- u7 i$ \( ]0 d mov es,di
# z {' M8 v- y! V mov ax, 1684h 8 f) V+ Y# h7 J D. l
mov bx, 0202h ; VxD ID of winice3 ?" @6 O( Q9 m: W0 B
int 2Fh
' h/ c, ?8 x. b, I0 X* O! l' V. \1 a mov ax, es ; ES:DI -> VxD API entry point; ]2 _( K* B5 W1 |. t/ @
add ax, di
0 O! p& X V( k" ^7 S% z. x z test ax,ax% R9 q5 _9 I" c1 B( ^
jnz SoftICE_Detected: }1 p8 g' e' I& F$ a
; [2 Y3 e- W( B5 q n0 K% j
___________________________________________________________________________: O0 a l4 F/ h
# r6 j/ h, y4 h/ o, p0 D7 DMethod 041 l y0 i3 ^" j) t
=========. E+ Z$ g* J! H; N* A
( Z; t0 z* D* D2 GMethod identical to the preceding one except that it seeks the ID of SoftICE! S* J# B$ y6 b! l; |
GFX VxD.- A& N5 \* r: u9 S; d# T. s
- S8 M3 n& j& d1 L1 A
xor di,di) c# Z$ C5 V% ^/ ~* W
mov es,di+ f1 g# b* U, ~5 F
mov ax, 1684h
" g2 r" V1 ?( z4 k mov bx, 7a5Fh ; VxD ID of SIWVID' [2 K! I" [" K% c1 _- C' p
int 2fh
7 w2 G8 x1 s% R4 O4 ?4 K6 Y mov ax, es ; ES:DI -> VxD API entry point$ c) X6 U5 l/ P
add ax, di
" Q/ z/ m& O0 B5 u test ax,ax8 g6 e! A- b$ x1 ^$ ^3 v
jnz SoftICE_Detected
+ `8 x" q8 V6 X$ [) H
' m9 c; [0 R1 d: V__________________________________________________________________________: l1 f9 Q4 z0 |5 |# o5 p
- Y3 g, K+ Z/ k0 V. r P2 U( l& n1 u, h0 P' r5 Y
Method 05
" U; W/ ^% ?6 z=========
% |/ |. ]6 M! `* M C5 l$ p
7 S* C. m) K3 lMethod seeking the 'magic number' 0F386h returned (in ax) by all system
( M1 l9 x% v) \+ Xdebugger. It calls the int 41h, function 4Fh., z) B2 P6 s. W
There are several alternatives. ; ?0 k1 C$ q* `2 g
0 z+ q/ ]& w* [& b- Y `; |The following one is the simplest:
0 D- V% u8 Q/ u8 z. r r
* Q$ S) O2 U. A" e" x- O mov ax,4fh
' @9 d" ~8 t3 m2 z& x- ] int 41h
& [; i: l9 t6 `; _ cmp ax, 0F386
1 ]& ]4 S, M% J7 l& r/ h& z( C; E) L/ @ jz SoftICE_detected* {; S: h7 U( w% P% b [
3 }5 X: l8 v/ B& [- \
- R' O* D/ K6 K. L9 u ?+ A0 ]Next method as well as the following one are 2 examples from Stone's
' j1 F9 a$ T6 X# D- Q( l"stn-wid.zip" (www.cracking.net):' C) V# @3 ~+ u2 V% n/ R; {
. p7 h7 |: p0 {7 G mov bx, cs9 k9 [# Z8 g) I
lea dx, int41handler2' h' C3 A9 |8 B/ _3 @( Y' c
xchg dx, es:[41h*4]+ |) ~" }! w8 e
xchg bx, es:[41h*4+2]# u: W7 m' A% u: ^2 k H
mov ax,4fh3 t6 _# I6 I! O/ c" ?9 ]
int 41h3 V8 `7 h6 V- ~: B
xchg dx, es:[41h*4]
1 T/ h6 {( q" Z/ \ G- K( C xchg bx, es:[41h*4+2]
( O) G' ^0 W( [. B cmp ax, 0f386h
- J1 q5 i; i9 f) f L* g jz SoftICE_detected1 h9 f& |- P- @$ [. d' Z
; r( q% P g7 K9 Pint41handler2 PROC
. @ {2 m6 k0 @3 {7 i$ i# ~8 }3 h4 a iret n6 A7 h; P2 x
int41handler2 ENDP3 z1 S$ k: I) l/ a" B2 q6 ?
+ h' c4 L7 D$ Z- N p- s1 J
x0 s: D! C- X E5 s/ C: c4 X
_________________________________________________________________________
4 Z6 d* M2 L% o1 _/ `" {. Y8 `0 }: o* ^* o% g' w
* `8 G4 b7 ~+ y3 \( I2 `
Method 06# p* J" I2 F: \" G y: V" S
=========
7 P/ Y( g& x/ e5 d/ Q+ \. {8 V' J$ [* O4 G9 u8 K" T6 S2 J
5 m. z* h( K. O7 F2nd method similar to the preceding one but more difficult to detect:
- M) \: D; e5 l1 T) Q9 |
& G9 I# {) }/ M& j' v" t: H: W6 Q7 G: h8 J/ u' p3 p9 ]: |
int41handler PROC [1 w) {6 U9 F* R& a' c, G
mov cl,al7 i5 t9 y* }0 p8 I# a9 ^5 c
iret
$ S/ P7 a2 m0 X) o) s7 a" f# jint41handler ENDP7 s1 |7 W8 i' R
9 x) Z5 N! s$ k) `5 U
+ G: k0 d* D+ [ xor ax,ax
- ]9 O `% a: a2 j# |% b6 R mov es,ax
1 ?5 \4 J3 y. t) y# ]+ Q5 c mov bx, cs
: D( T. f" t8 c/ r/ G8 Z; q8 O lea dx, int41handler# E Z+ @$ R; N4 \$ ~" k
xchg dx, es:[41h*4]
# U% _0 v% i6 n xchg bx, es:[41h*4+2]# V- _. v* O- n' e, W! s z: w+ p
in al, 40h% A' G7 {0 l* c- Q
xor cx,cx2 U* P I; T6 b' k- \3 c/ p
int 41h4 `- B( w8 {, l3 @6 ]* n7 j) ^
xchg dx, es:[41h*4]
) D) U& u% M8 Y xchg bx, es:[41h*4+2]# C7 S6 m6 B# `7 S; N- N/ o
cmp cl,al1 x) `. J; I4 T! H5 T
jnz SoftICE_detected
+ W4 m: E3 j' d. t6 K
' h4 w( j/ h G% |/ M! }_________________________________________________________________________
" ~: Y# }5 v9 }: d% r }' Q6 x: |& p! D, X& C3 s3 p* w
Method 073 w& ~! O6 N& Q% Z
=========
& L$ Z2 I$ ?/ n' G" r/ P8 o1 e4 K9 _4 S0 Z' E# s/ g
Method of detection of the WinICE handler in the int68h (V86)
4 g3 R! B9 u; ~) l& v5 D& O# `, E' \! X( x; u
mov ah,43h
2 C J; b8 |3 G, f) a& { int 68h
0 i! j( a' g6 |# ]& \* }* d3 h cmp ax,0F386h+ _' s2 y6 r- P" z" m
jz SoftICE_Detected
2 E. B$ K, C0 t
: |" {9 l0 D/ u8 F( |6 {/ h/ Z/ |: g2 |3 Q0 k+ C$ p; Z
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
+ ~5 K1 y) s8 A' u* m( [" ?. c) z7 c app like this:, }6 F, x1 Q: R
! U% @3 ]4 x- D0 |1 K; k BPX exec_int if ax==688 w9 r" S' f5 z2 U
(function called is located at byte ptr [ebp+1Dh] and client eip is
, s. F2 p; S* Z6 B, Q( q located at [ebp+48h] for 32Bit apps)
+ O+ I, R- x; G0 Q% b* N7 H__________________________________________________________________________; b$ `+ L9 b; L" F8 V* {
1 m+ S2 ^4 w8 @- c. |/ U# H1 Z! } Y$ h5 Q B1 {- E) s
Method 08
( ^3 T4 ]: D9 X=========8 h; ~8 l+ \: M* r
3 _& a E) e4 mIt is not a method of detection of SoftICE but a possibility to crash the
u3 ^. a6 I$ a2 I8 i- usystem by intercepting int 01h and int 03h and redirecting them to another6 M: ]& ^' a0 c$ i; W
routine.
; J! Y7 ~7 C7 L) q3 r( T5 O- ~It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 m& ^: f8 [' \to the new routine to execute (hangs computer...)
, k2 y: U9 r: I/ N o0 Z7 Y7 N' k! ? s, b1 e/ `) F
mov ah, 25h
* d% B5 r( u7 U$ W mov al, Int_Number (01h or 03h)
: B1 V2 o; o5 i/ E8 j mov dx, offset New_Int_Routine
; m$ Q2 U2 ?) u int 21h
$ }9 B5 V' ]4 I9 Y2 @0 l/ @. w1 C. K6 |! b, V' R5 R
__________________________________________________________________________
3 l* @* o6 |+ n, Z6 @+ o
0 j Z+ \5 |- a& z6 TMethod 09
* [2 O) }0 f- T! X$ f2 U/ C=========
7 j6 m. \ K7 K) q3 {% i7 z
) p6 _9 I& B; G' \+ VThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only, P, `4 @/ K1 C, |" I* V* Z
performed in ring0 (VxD or a ring3 app using the VxdCall).* U' q% `& D& R. N G
The Get_DDB service is used to determine whether or not a VxD is installed- D. M6 e. v/ v. _6 \
for the specified device and returns a Device Description Block (in ecx) for
t s+ x( l9 x9 Uthat device if it is installed.
m& A' R+ H3 i9 A( R
* j- [2 z2 j/ _ mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 ^$ h/ A$ W) P. j, { mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)# s3 P; i& M: C+ A; k" i
VMMCall Get_DDB& F. ^ _. L3 r
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed8 f/ S1 Z, D' r% q
: V: U! i! s: _# e) ]- P& Q; n& NNote as well that you can easily detect this method with SoftICE:' W1 Y }8 k! }+ C# V& L' g& M
bpx Get_DDB if ax==0202 || ax==7a5fh
& J8 k7 X% q! m: O; `* D4 Q. A/ [
__________________________________________________________________________8 A! b/ Q7 _# U d
1 q, P5 A6 T* t7 `7 p/ VMethod 10
" d4 f u6 f8 w2 T- E5 e9 g8 ~=========. ?1 ~! B: }1 x# j# `4 p5 q* v
% Q* @: m8 u# k
=>Disable or clear breakpoints before using this feature. DO NOT trace with( _4 W( m' Q+ d9 T
SoftICE while the option is enable!!. G- _2 z7 c+ n; f+ f) o" S, I
7 K+ w- y3 A* ~4 d: Y
This trick is very efficient:9 r: H% ]( u8 k4 j
by checking the Debug Registers, you can detect if SoftICE is loaded+ A- Z+ x4 O: t5 [' G
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 Q5 P& O9 b2 U* q, d4 X$ G8 q# {
there are some memory breakpoints set (dr0 to dr3) simply by reading their. s, A( p* E w+ q) ?
value (in ring0 only). Values can be manipulated and or changed as well7 H9 u/ L* T# b7 R! s5 i
(clearing BPMs for instance)( H+ _7 c7 a$ I8 {& d
3 O( ^" ]; \6 U1 [3 F$ c8 X__________________________________________________________________________
0 e" D- v1 V% q6 D
/ B6 Z: J$ Q+ E! J3 _* \1 x5 |" TMethod 11: R& \6 }7 Z7 K7 S! N
=========: |/ A/ B( ^$ |" ?
f0 {& g/ I2 z- y1 C7 J4 f" d. p: rThis method is most known as 'MeltICE' because it has been freely distributed8 a- S6 [/ D- |7 E% K9 Y5 G
via www.winfiles.com. However it was first used by NuMega people to allow
& t# p. i4 |0 ~/ Y6 Z, CSymbol Loader to check if SoftICE was active or not (the code is located
. K) T' W) F( q0 ~2 c- [1 sinside nmtrans.dll).9 B# x3 W9 Y; D7 n$ d2 K- y9 ~
% v8 N6 }( f! m/ X5 m# m- r
The way it works is very simple:# m( ^4 {& n3 g2 D0 A
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 V0 s6 M0 X: |+ H9 f7 M* I
WinNT) with the CreateFileA API.
f9 y' k$ I. t& U% h$ E
, `3 Q' Z- _$ {6 Z. l t/ S# Z3 T: FHere is a sample (checking for 'SICE'):, _, w- n/ a7 F, J
7 x; @3 w& h9 Z0 b1 `BOOL IsSoftIce95Loaded()+ P+ O) W7 {1 J% m) Z" n
{; Q( t, h7 z4 f! A
HANDLE hFile; J/ @" A' A7 H# J! D" a. t {
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- i; S. \, e" I- A
FILE_SHARE_READ | FILE_SHARE_WRITE,1 I: y6 a2 F) \5 h4 N8 {
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- ]& Y/ o. m- Y. ]" b if( hFile != INVALID_HANDLE_VALUE )' q' b% t4 ?, l6 d/ G
{
- z+ p k/ n# X8 o( n' X, b CloseHandle(hFile);
. j1 K# R# y/ b2 W; x return TRUE;0 t5 k! J1 I- _9 ?6 e( _
}& n/ S5 u3 L- N; f
return FALSE;# J2 h4 G {7 [. H& l/ _* q
}( Y3 q( F6 g% [2 j8 h% ~+ n
5 H7 q, l, m. ZAlthough this trick calls the CreateFileA function, don't even expect to be
. X, b# x4 m% W7 lable to intercept it by installing a IFS hook: it will not work, no way!7 v% F' R. [$ [
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
4 `* j) _; ^) lservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function). J* h- O$ h, g% G
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
* h& O8 F' Z5 A+ Wfield.+ c) _2 S) m; d6 E# i$ U8 G
In fact, its purpose is not to load/unload VxDs but only to send a 1 [, k( Y7 H. |0 S
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)% x, E4 C; \, I% _' t l
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
* i W7 d( |! H7 B, ~to load/unload a non-dynamically loadable driver such as SoftICE ;-).# h; K/ D2 K0 R' A& a
If the VxD is loaded, it will always clear eax and the Carry flag to allow0 S6 E; v, s, Y3 A* O
its handle to be opened and then, will be detected.. ?0 P$ N2 [5 c! g) X3 e
You can check that simply by hooking Winice.exe control proc entry point
|3 H* v' ~0 W" Q, a* qwhile running MeltICE.
2 v. @ @9 e* ]0 A9 h0 [2 a( Z
& C8 b+ c* N+ o4 L e0 l0 w
8 ?5 `5 ^8 n! i1 h" x4 ~3 { 00401067: push 00402025 ; \\.\SICE5 C( @ `9 ?8 m- G3 t |
0040106C: call CreateFileA
9 h! |2 h2 @" r3 |0 l2 r! h 00401071: cmp eax,-0015 S) N. U6 z0 {+ j" i8 r
00401074: je 004010917 j. j Z' w( F1 f+ P8 G2 Q
3 f& A" s! d* P* E2 r1 m# n9 N9 g
! f Y$ I1 @: \) J: hThere could be hundreds of BPX you could use to detect this trick.) X% { m4 b o( U* {0 j M
-The most classical one is:
E+ {* y! _# u) f BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||! U( X1 t5 {6 H4 D, c, J: O
*(esp->4+4)=='NTIC'& U5 Q( q8 T3 _1 h4 A
9 ?* z* d7 e/ B* B5 `- o# s9 \
-The most exotic ones (could be very slooooow :-(3 h3 Q8 g" k) ]# k# H' |
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
: n9 M4 U1 `- ^* Q& s! \$ a ;will break 3 times :-(6 m7 i/ e7 x3 c* Y9 i% y
6 i! k9 G5 ^7 h8 S% j2 ?( n-or (a bit) faster:
1 E( G% V: f. ~ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 c- f- r9 d" v% ~) p% r
* b* _$ w+ x2 M BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 5 k) ]" [2 i' S, `8 ^# {: _
;will break 3 times :-(# P! w+ U |5 Q, V2 O
; K. \( b" p2 `: r% [: u5 ?-Much faster:/ i0 W4 d9 G& l& }6 J4 I
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'0 ^. z& ~+ ]0 y4 a7 K* P5 o8 }
! F4 S. N! J, d; W% k4 U& u! f
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen1 v) z }6 d4 A; t, Q2 |, X9 n! \
function to do the same job:7 u# i% ^, X+ \- P7 o+ L/ i- e' y
/ v8 h: q0 u: J9 v push 00 ; OF_READ
, w3 f/ T9 k I& H mov eax,[00656634] ; '\\.\SICE',0( O0 [% K; ^4 |+ x5 M' [3 N
push eax
3 `1 V( e1 g% {1 ~. k, }' V$ Q call KERNEL32!_lopen2 ]5 m8 E) l5 Y2 p
inc eax- A2 G7 Y: u. S
jnz 00650589 ; detected* ?- @. ]+ Q$ C2 B7 z
push 00 ; OF_READ
% k3 i @1 q* J* u% N' p" n mov eax,[00656638] ; '\\.\SICE'
5 v+ J) Q# d* z4 ~- C5 W8 Z# E% s push eax2 ^$ y) z; ]% Q4 }, C8 _
call KERNEL32!_lopen- f& i: ~1 U) }) ?, b& v6 e) U' g
inc eax' f' V! j6 Z- v3 O4 g6 D+ m6 ?
jz 006505ae ; not detected* ^% l2 N- N& M1 a, O6 i2 y1 ?
: f. Z( W* C; m: N' G! R# a8 S" S# V! R' ~
__________________________________________________________________________
+ {% b3 V$ s6 I% _) ]
8 D# L3 T: u8 g# M2 [Method 12
/ M: L, z! |# x+ D$ Z/ y; W=========7 _5 _; k/ L# B5 e- _
) D4 P1 ]; h. f0 J& m9 a) G$ R
This trick is similar to int41h/4fh Debugger installation check (code 05 ]: ~: h# X4 V/ j7 s1 w
& 06) but very limited because it's only available for Win95/98 (not NT)
5 m' m3 C, \, P* H u3 Uas it uses the VxDCall backdoor. This detection was found in Bleem Demo., O9 R- l. d& a, m6 Q0 @
: m2 m& J+ r( I push 0000004fh ; function 4fh
; g; C- u2 _2 {# j2 G push 002a002ah ; high word specifies which VxD (VWIN32)' A5 N3 N' H8 p, |7 @6 C3 |
; low word specifies which service; [4 z# X% `( t& h7 {4 h
(VWIN32_Int41Dispatch) }$ _8 C' R$ n ]: A
call Kernel32!ORD_001 ; VxdCall ^% n) h" c% n3 |, N x& C" H0 `
cmp ax, 0f386h ; magic number returned by system debuggers; Q2 n4 p9 i* r% l
jz SoftICE_detected, i2 Q9 s1 Y) r3 w
9 X% m+ W2 p+ WHere again, several ways to detect it:, M' R$ [( E' }2 O( Z1 W
5 O, @: }, e4 }3 Y0 [! l8 ]: F
BPINT 41 if ax==4f7 a `0 F p. X K, ]) m# C
4 ?7 A L- z: Z
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
( U) ~- g* U0 ?4 j
4 z: t) b+ R0 ~- t5 P* X BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
* a1 }& p8 c% G% L7 U0 }9 C& k; ~; }$ F. E4 ~. Z
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!3 E( p! p" I5 s$ T" @ x1 S& N
* l1 a, D; w# m/ Z& v
__________________________________________________________________________
4 C* T6 B" p- M/ ]! `- }* r2 Y9 c8 O0 F& z% o; s
Method 13
! Y" w" W5 e; v=========% {6 I8 N* J; L6 }1 W8 L/ L
/ }% i: Y9 [/ I+ fNot a real method of detection, but a good way to know if SoftICE is) v1 i- c4 y- ~% y9 D# I5 [
installed on a computer and to locate its installation directory.
( P9 E) R! f, j' ]6 ]It is used by few softs which access the following registry keys (usually #2) :$ A$ l1 `# p& y V0 Y1 q
, Q: y3 v* P! B' `. p& h-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# _. w4 M2 X% s/ e0 X. {
\Uninstall\SoftICE
% o+ \# J& T9 Z( T-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
" u8 E' S/ }+ x' S! ?8 d' s; b6 h-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 m2 S+ p4 Y# B8 ~' q$ v0 F$ \7 X
\App Paths\Loader32.Exe
' A+ {$ C9 n$ C! Q7 |$ a& }' O, T8 g& S- |% z/ t2 b
6 q5 W, h% ~: i. G* Y/ y KNote that some nasty apps could then erase all files from SoftICE directory0 S t7 b7 ^9 c
(I faced that once :-(
$ t. y0 j9 M8 @5 e
1 E! G) Z. P0 ZUseful breakpoint to detect it:; C: k6 G: Z, O2 ~) h/ @
' i4 o I/ {7 @/ f! E BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'! [' u) k9 I& e8 D$ M$ T# G
. e' a' v/ ^3 u: n+ J, I
__________________________________________________________________________
+ b5 q. U0 I0 s1 e
/ \8 m, `3 ?3 d7 n& g! [: p% n, z6 t7 ~6 W# S; u
Method 14 : ^: m% S+ c4 ` w5 _* G; V
=========6 z5 |# C) b7 W* w" W
3 V3 Q" G* K1 z' M2 ?) w& AA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose' w5 g8 U3 J4 @, B2 O4 X
is to determines whether a debugger is running on your system (ring0 only).1 M% t- I9 ?* I" p
9 h; h4 H) \3 G: l2 _7 f VMMCall Test_Debug_Installed2 B3 W! M0 k4 K) l
je not_installed \# ~( m0 A2 K6 e- Q3 Y
, t, k5 U7 M3 I" h' O7 E$ [6 [This service just checks a flag., R! |5 E1 z" ^ Y
</PRE></TD></TR></TBODY></TABLE> |