<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to be 0 here (see Method 06)
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

A method of detecting the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
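The following Python scanner is an added example and is not part of the original text nor a tool mentioned in it. It flags the interrupt-based checks of Methods 01 to 05 and 07 in a raw code image (Method 06 loads no fixed function number and is not covered) by looking for the immediate operands each trick has to load (the BCHK signature, the 4647h/4A4Dh magic values, 1684h with the SICE or SIWVID VxD ID, function 4Fh, function 43h) followed within a short window by the matching interrupt instruction. The opcode bytes are the standard 16-bit encodings; 32-bit code carries the same immediates after a 66h prefix, so the fragments still match. The sample buffer is hand-assembled for this example and includes a run of INT 3 padding bytes that must not be reported.

```python
# Static scanner for the interrupt-based SoftICE checks of Methods 01-07.
# Each trick is described by the interrupt it ends in and the operand
# fragments (16-bit encodings) that must precede it within a short window.

# (name, interrupt opcode, operand fragments; the first one is the anchor)
TRICKS = [
    ("Method 01: BoundsChecker 'BCHK' check via INT 3",
     b"\xCC", [b"\xBD\x4B\x48\x43\x42", b"\xB8\x04\x00"]),   # mov ebp,4243484Bh / mov ax,4
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh) via INT 3",
     b"\xCC", [b"\xBE\x47\x46", b"\xBF\x4D\x4A"]),           # mov si,4647h / mov di,4A4Dh
    ("Method 03: INT 2Fh/1684h with VxD ID 0202h (SICE)",
     b"\xCD\x2F", [b"\xB8\x84\x16", b"\xBB\x02\x02"]),       # mov ax,1684h / mov bx,0202h
    ("Method 04: INT 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     b"\xCD\x2F", [b"\xB8\x84\x16", b"\xBB\x5F\x7A"]),       # mov ax,1684h / mov bx,7A5Fh
    ("Method 05: INT 41h function 4Fh debugger check",
     b"\xCD\x41", [b"\xB8\x4F\x00"]),                        # mov ax,4Fh
    ("Method 07: INT 68h function 43h (V86 WinICE handler)",
     b"\xCD\x68", [b"\xB4\x43"]),                            # mov ah,43h
]


def scan(data, window=24):
    """Return sorted (offset_of_interrupt, trick_name) pairs found in data."""
    hits = []
    for name, int_opcode, operands in TRICKS:
        anchor = operands[0]
        start = 0
        while True:
            pos = data.find(anchor, start)
            if pos == -1:
                break
            region = data[pos:pos + window]
            # every operand fragment must sit inside the window opened by the anchor
            if all(op in region for op in operands):
                # the interrupt must come after the last operand fragment; searching
                # forward from there reports one hit per instance, so a later run of
                # INT 3 padding bytes is not counted again
                last_end = max(region.find(op) + len(op) for op in operands)
                int_pos = region.find(int_opcode, last_end)
                if int_pos != -1:
                    hits.append((pos + int_pos, name))
            start = pos + 1
    return sorted(hits)


# Constructed sample: Method 02 as in the Haspinst.exe listing, a run of INT 3
# padding bytes, then Methods 03 and 05, all hand-assembled as 16-bit code.
SAMPLE = (
    b"\x90" * 4                  # nop padding
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3            (offset 15)
    + b"\xCC" * 8                # int 3 padding: must not be reported
    + b"\x31\xFF\x8E\xC7"        # xor di,di / mov es,di
    + b"\xB8\x84\x16"            # mov ax,1684h
    + b"\xBB\x02\x02"            # mov bx,0202h
    + b"\xCD\x2F"                # int 2Fh          (offset 34)
    + b"\xB8\x4F\x00"            # mov ax,4Fh
    + b"\xCD\x41"                # int 41h          (offset 39)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
)


def report(data=SAMPLE):
    """Human-readable lines, one per detected trick."""
    return [f"{off:#06x}: {name}" for off, name in scan(data)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it on a raw DOS image or a dumped code section; for a PE file the fragments are the same, so feeding the whole file works, at the cost of the occasional false positive on data that happens to contain the immediates.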
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
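To make sense of the two DR7 values quoted above, here is an added Python decoder of the x86 debug-control register; it is not part of the original text. The bit layout is Intel's documented one: L0/G0 to L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 reserved and always read as 1, GD in bit 13, and for each breakpoint i the R/W field in bits 16+4i..17+4i and the LEN field in bits 18+4i..19+4i. So 0x400 is just the reserved bit, and 0x700 is that bit plus LE and GE. The BPM address used in the sample is a made-up value.

```python
# Decoder for the x86 debug-control register DR7 and for the hardware
# breakpoints (BPMs) that DR0-DR3 carry when their enable bits are set.

RW_MEANING = {0: "execute", 1: "write", 2: "I/O (needs CR4.DE)", 3: "read/write"}
LEN_MEANING = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 bytes is only valid in 64-bit mode


def bit(value, n):
    """Return bit n of value as 0 or 1."""
    return (value >> n) & 1


def decode_dr7(dr7):
    """Return the global flags and the per-breakpoint control fields of DR7."""
    info = {
        "LE": bool(bit(dr7, 8)),             # local exact breakpoint matching
        "GE": bool(bit(dr7, 9)),             # global exact breakpoint matching
        "GD": bool(bit(dr7, 13)),            # general detect: trap on any DRx access
        "reserved_bit10": bool(bit(dr7, 10)),
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(bit(dr7, 2 * i))
        glob = bool(bit(dr7, 2 * i + 1))
        rw = (dr7 >> (16 + 4 * i)) & 3
        length = (dr7 >> (18 + 4 * i)) & 3
        info["breakpoints"].append({
            "index": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_MEANING[rw],
            "length": LEN_MEANING[length],
        })
    return info


def active_bpms(dr0_to_dr3, dr7):
    """Describe every enabled hardware breakpoint as (register, address, type, length)."""
    out = []
    for bp, addr in zip(decode_dr7(dr7)["breakpoints"], dr0_to_dr3):
        if bp["enabled"]:
            out.append((f"DR{bp['index']}", addr, bp["type"], bp["length"]))
    return out


def describe_dr7(dr7):
    """One-line summary of the flags and breakpoint count encoded in DR7."""
    d = decode_dr7(dr7)
    flags = [name for name in ("LE", "GE", "GD") if d[name]]
    n = sum(1 for bp in d["breakpoints"] if bp["enabled"])
    return f"DR7={dr7:#x}: flags={flags or ['none']}, enabled breakpoints={n}"


# Constructed inputs: the two values from the text, and a 4-byte read/write
# BPM on a made-up address installed through DR0 (L0=1, RW0=11b, LEN0=11b).
LOADER_DR7 = 0x700
PLAIN_DR7 = 0x400
BPM_DR7 = 0x400 | 0x1 | (0x3 * 0x10000) | (0x3 * 0x40000)   # 0xF0401
BPM_ADDRESSES = [0x00401000, 0, 0, 0]   # DR0..DR3, DR0 is a constructed address

if __name__ == "__main__":
    for value in (LOADER_DR7, PLAIN_DR7, BPM_DR7):
        print(describe_dr7(value))
    print(active_bpms(BPM_ADDRESSES, BPM_DR7))
```

Reading the registers themselves still requires ring0, as the text says; the decoder only interprets values you already have (from a kernel driver, a crash dump or an emulator trace).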

__________________________________________________________________________


Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Try to open the SoftICE Win9x driver by its device name. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
and 06) but is very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>