<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax                ; ES -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install a dummy int 41h handler, saving the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h                  ; with no debugger, our handler leaves ax unchanged
 xchg dx, es:[41h*4]      ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax                ; ES -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]      ; install our handler, saving the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h               ; read the timer: a pseudo-random value in AL
 xor cx,cx
 int 41h                  ; our handler copies AL into CL only if it really runs
 xchg dx, es:[41h*4]      ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number       ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
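As an added illustration (not code from the original text), the C routine below decodes a DR7 value into the fields this trick reads, so that the 0x700 / 0x400 readings quoted above and an armed memory breakpoint (BPM) can be told apart. The bit layout is the standard x86 one; the classification labels are my own.

```c
#include <stdint.h>

/* Decoded view of DR7. Bit layout is the standard x86 one: L0..L3/G0..G3
   at bits 0-7, LE at bit 8, GE at bit 9, bit 10 reserved and always 1,
   R/Wn at bits 16+4n..17+4n and LENn at bits 18+4n..19+4n. */
typedef struct {
    int enabled[4];    /* BPn armed: Ln or Gn set */
    int rw[4];         /* 0 = execute, 1 = data write, 3 = data read/write */
    int len[4];        /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
    int le, ge;        /* local / global exact breakpoint enable */
    int armed_count;   /* how many of BP0..BP3 are armed */
} Dr7;

Dr7 dr7_decode(uint32_t dr7)
{
    Dr7 d = {0};
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;
        d.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        d.len[n]     = (int)((dr7 >> (18 + 4 * n)) & 3u);
        d.armed_count += d.enabled[n];
    }
    d.le = (int)((dr7 >> 8) & 1u);
    d.ge = (int)((dr7 >> 9) & 1u);
    return d;
}

/* Classification constructed for this example, following the two readings
   given in the text: 0x700 (SoftICE loader) vs 0x400 (nothing visible). */
enum { DR7_NOTHING = 0, DR7_LOADER = 1, DR7_BPM = 2 };

int dr7_classify(uint32_t dr7)
{
    Dr7 d = dr7_decode(dr7);
    if (d.armed_count > 0) return DR7_BPM;     /* dr0..dr3 breakpoints in use */
    if (d.le && d.ge)      return DR7_LOADER;  /* 0x700: LE+GE on top of the reserved bit */
    return DR7_NOTHING;                        /* 0x400: only the reserved bit */
}
```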

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025   ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                     ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                     ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                 ; OF_READ
 mov eax,[00656634]      ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589            ; detected
 push 00                 ; OF_READ
 mov eax,[00656638]      ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32),
                       ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

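As an added example (not code from the original text), here is a small C scanner that looks for the byte patterns behind methods 01, 02, 05, 11 and 12 in a raw binary image, the way an analyst would triage a packed sample for anti-SoftICE tricks before debugging it. The opcode bytes are my own translation of the listings above (16-bit code assumed for the DOS sequences, 32-bit for the BoundsChecker one), and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One static signature for a SoftICE-detection trick quoted in this text. */
typedef struct { const char *name; const uint8_t *pat; size_t len; } Signature;

/* Byte encodings of the instruction sequences quoted above (assumption: the
   DOS sequences are 16-bit code, the BoundsChecker one is 32-bit code). */
static const uint8_t SIG_BCHK[] =     /* mov ebp,4243484Bh ; mov ax,4 ; int 3 */
    { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC };
static const uint8_t SIG_BACKDOOR[] = /* mov si,4647h ; mov di,4A4Dh ; int 3 */
    { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC };
static const uint8_t SIG_INT41[] =    /* mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    { 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3 };
static const uint8_t SIG_MELTICE[] =  /* the device name "\\.\SICE" */
    { '\\','\\','.','\\','S','I','C','E' };
static const uint8_t SIG_VXDCALL[] =  /* push 4Fh ; push 2A002Ah */
    { 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00 };

static const Signature SIGS[] = {
    { "BoundsChecker signature (method 01)",      SIG_BCHK,     sizeof SIG_BCHK },
    { "INT 3 back door magic values (method 02)", SIG_BACKDOOR, sizeof SIG_BACKDOOR },
    { "INT 41h/4Fh check (method 05)",            SIG_INT41,    sizeof SIG_INT41 },
    { "MeltICE device name (method 11)",          SIG_MELTICE,  sizeof SIG_MELTICE },
    { "VxDCall 2A002Ah/4Fh check (method 12)",    SIG_VXDCALL,  sizeof SIG_VXDCALL },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte search; returns 1 and sets *off on the first hit, else 0. */
static int find_bytes(const uint8_t *buf, size_t n,
                      const uint8_t *pat, size_t plen, size_t *off)
{
    if (plen == 0 || n < plen) return 0;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) { *off = i; return 1; }
    return 0;
}

/* Scans buf, storing the name of each trick found in hits[]; returns the count. */
int scan_softice_tricks(const uint8_t *buf, size_t n,
                        const char **hits, size_t max_hits)
{
    size_t count = 0, off;
    for (size_t s = 0; s < NSIGS && count < max_hits; s++)
        if (find_bytes(buf, n, SIGS[s].pat, SIGS[s].len, &off))
            hits[count++] = SIGS[s].name;
    return (int)count;
}

/* Constructed sample image: filler, the HASP-style back door sequence from the
   method 02 listing, more filler, then the MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x8B,0xC0,  0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,  0x83,0xC3,0x02,
    0x41,0x3B,  '\\','\\','.','\\','S','I','C','E', 0x00,  0xC3 };

int scan_sample(const char **hits, size_t max_hits)
{
    return scan_softice_tricks(SAMPLE, sizeof SAMPLE, hits, max_hits);
}
```

Matches are reported in signature order, not file order; a real triage run would feed the scanner the unpacked image, since packers usually hide these sequences until run time.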
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>