<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh        ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


 4C19:0095  MOV   AX,0911      ; execute command.
 4C19:0098  MOV   DX,[BX]      ; ds:dx points to the command (see below).
 4C19:009A  MOV   SI,4647      ; 1st magic value.
 4C19:009D  MOV   DI,4A4D      ; 2nd magic value.
 4C19:00A0  INT   3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1  ADD   BX,02        ; BX+2 to point to next command to execute
 4C19:00A4  INC   CX
 4C19:00A5  CMP   CX,06        ; Repeat 6 times to execute
 4C19:00A8  JB    0095         ; 6 different commands.
 4C19:00AA  JMP   0002         ; Bad_Guy jmp back.
 4C19:00AD  MOV   BX,SP        ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h              ; VxD ID of winice
        int 2Fh
        mov ax, es                 ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
+ w( ?% D1 H" C ^& ?=========$ L# \: i5 x2 g1 `
( h- [ b; u2 T/ QMethod identical to the preceding one except that it seeks the ID of SoftICE- \1 Q1 V( D5 u7 J7 {4 J/ n
GFX VxD.; k' w5 e* H2 l) {8 B* I( O
: r2 i! e P, a1 @3 i6 ]! }, z xor di,di; p' h; s4 b# U' A/ u3 J$ W
mov es,di& f1 V$ W5 I4 Z, p
mov ax, 1684h
& R$ c- A$ R; k mov bx, 7a5Fh ; VxD ID of SIWVID# K q' v H; @! f# o$ Y, C
int 2fh- k k5 _& R l2 D: |' `
mov ax, es ; ES:DI -> VxD API entry point
. w, z3 Y# c8 s! p, C O add ax, di" k' C: E) M: I& a9 O" c
test ax,ax
6 T; \' N% r6 Z jnz SoftICE_Detected9 {- `3 l) j J. H f4 `4 Q
$ F. X7 [& p/ ?" A. F__________________________________________________________________________
1 w* A- t2 @3 H6 v
; |# Z2 W5 f) I* a0 @3 ^
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                  ; es -> interrupt vector table (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]        ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it does
not use the 4Fh/0F386h constants. A value read from timer port 40h is sent
through int 41h and the installed handler copies it to cl; when SoftICE has
hooked int 41h the handler is never reached, cl stays 0 and differs from al.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

        mov ah, 25h
        mov al, Int_Number             ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID         ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

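The two DR7 values quoted above (0x400 and 0x700) only differ in bits 8 and 9. The following decoder is an added example, not code from the original text: it splits a DR7 value into the standard IA-32 fields, so a reader can see why 0x400 is the idle value (bit 10 is reserved and always reads as 1), why 0x700 additionally carries LE and GE, and which of DR0..DR3 are armed, which is exactly what a ring-0 check of this kind reads. The field names follow the Intel manual; the sample values are constructed.

```python
# Added example: decode the DR7 fields behind the Method 10 check.
# Layout (IA-32):
#   bits 0-7  : L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bit  8    : LE  local exact breakpoint
#   bit  9    : GE  global exact breakpoint
#   bit 10    : reserved, reads as 1 on every x86 CPU  (hence the idle 0x400)
#   bit 13    : GD  general detect (trap on any MOV to/from a DRx)
#   bits 16+  : R/Wn (2 bits) and LENn (2 bits) for each DRn

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its fields."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "armed": [n for n, s in enumerate(slots) if s["enabled"]],
        "slots": slots,
    }


def softice_loader_signature(dr7: int) -> bool:
    """True when DR7 carries the LE+GE bits the text reports for a program
    started through the SoftICE loader (0x700); False for the plain 0x400."""
    fields = decode_dr7(dr7)
    return fields["LE"] and fields["GE"]


def active_bpm_count(dr7: int) -> int:
    """Number of hardware breakpoints (SoftICE BPMs) armed in DR7."""
    return len(decode_dr7(dr7)["armed"])


if __name__ == "__main__":
    # constructed values: idle, SoftICE-loader, loader + one 4-byte R/W BPM in DR0
    for value in (0x400, 0x700, 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18)):
        f = decode_dr7(value)
        print(f"dr7={value:#07x} loader={softice_loader_signature(value)} "
              f"LE={f['LE']} GE={f['GE']} armed={f['armed']}")
```

Reading the registers needs ring 0, as the text says; the decoder is what you would run on a value dumped from there (or on a value shown by a hypervisor or kernel debugger) to understand what a protection is testing for.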
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the SoftICE VxD registers the device name; opening it only
       succeeds when the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                    ; OF_READ
        mov  eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589              ; detected
        push 00                    ; OF_READ
        mov  eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh             ; function 4fh
        push 002a002ah             ; high word specifies which VxD (VWIN32)
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001      ; VxdCall
        cmp  ax, 0f386h            ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________9 B9 L! c' x/ ~ B# ]) c
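Most of the tricks above leave fixed byte sequences in the protected program: the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the int 2Fh/1684h VxD IDs of Methods 03 and 04, the int 41h/4Fh and 0F386h pair of Method 05, the int 68h/43h call of Method 07, the device names of Method 11 and the VxDCall arguments of Method 12. The scanner below is an added example, not code from the original text: it searches a raw code buffer for those sequences so an analyst knows which anti-SoftICE checks a packed sample carries before tracing it. The byte encodings are the standard x86 ones for the instructions quoted in each method; the sample buffer at the bottom is constructed, not taken from any real binary.

```python
# Added example: static signature scan for the anti-SoftICE tricks described
# in Methods 01, 02, 03/04, 05, 07, 11 and 12 (constructed sample data).
import re

# trick name -> regex over raw bytes
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (66 prefix in 16-bit code is fine)
    "01 BoundsChecker BCHK":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) before int 3
    "02 SoftICE backdoor SI/DI magic":
        re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                   rb".{0,8}?\xCC", re.S),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "05 int 41h/4Fh magic F386":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h":
        re.compile(rb"\xB4\x43\xCD\x68", re.S),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 2A002Ah ; call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S),
}


def scan(buf: bytes) -> list:
    """Return (offset, trick name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def tricks_present(buf: bytes) -> set:
    """The distinct trick names found in the buffer."""
    return {name for _, name in scan(buf)}


# Constructed sample: NOP filler with several of the page's sequences embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 7
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02 (Haspinst loop body)
    + b"\x90" * 5
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"       # Method 03 (SICE VxD ID)
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"               # Method 05
    + b"\x90" * 9
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"       # Method 12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # Method 11 strings
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The scan is deliberately narrow (exact immediates, short gaps), so a packer that builds the constants at run time or splits them across instructions will not match; it is a triage aid that tells you which of the breakpoints listed under each method are worth setting, not a substitute for stepping the code.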
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>