<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; if SoftICE is loaded it handles the call and changes al
        cmp al,4                ; al unchanged (still 4) when nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 if no such VxD is loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2   ; bx:dx = our own int 41h handler
        xchg dx, es:[41h*4]     ; install it in the IVT (es must be 0),
        xchg bx, es:[41h*4+2]   ; keeping the old vector in dx:bx
        mov ax,4fh
        int 41h                 ; our handler just returns, so ax stays 4Fh
                                ; unless a debugger intercepted the int
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only reached if no debugger took the int
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer counter: an unpredictable value in al
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler was reached
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD under Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
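An added example, not part of this text nor of any tool it mentions: a small Python scanner that looks for the raw byte patterns of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a file image, the way an analyst triages a packed executable for these tricks. It assumes the standard x86 encodings of the instruction forms shown above; the sample buffer is constructed.

```python
import re

# One (label, byte-regex) pair per detection trick catalogued on this page.
# Instruction encodings are the standard 16-bit forms shown in the text; method 01
# uses 32-bit code, so its "mov ax,4" may carry the 66h operand-size prefix.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    ("01 BoundsChecker BCHK int3",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values)
    ("02 int3 back door SI/DI magic",
     rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int2F/1684 VxD entry point",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("05 int41/4F magic F386", rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("07 int68/43 magic F386", rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11: driver names handed to CreateFileA / _lopen
    ("11 MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry keys used to locate the SoftICE installation
    ("13 SoftICE registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]

def scan(buf):
    """Return (offset, label) for every signature hit in buf, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), label))
    return sorted(hits)

def methods_found(buf):
    """Just the method numbers, e.g. {'05', '11'}, for a quick triage summary."""
    return {label.split()[0] for _, label in scan(buf)}

# Constructed sample: NOP padding around the raw encodings of several methods.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # method 05, then jz
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # method 03 (SICE id 0202h)
    + b"MeltICE\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"        # method 11 strings
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"              # method 12 pushes, call [mem]
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 (32-bit)
    + b"Software\\NuMega\\SoftICE\x00"                     # method 13 key
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:06x}  {label}")
```

Run it over a real file image with `scan(open(path, "rb").read())`; a hit only says the sequence is present, so confirm it in a disassembler before drawing conclusions.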
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>