<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
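The instruction sequences quoted in Methods 01 through 13 above, turned into a static signature scanner an analyst can run over a suspect DOS/Win9x binary to flag which SoftICE checks it carries. This is an added example, not code from the original article or from any tool it names; the opcode encodings are standard x86 (16-bit operand size for the DOS-era tricks, 32-bit for Method 12), the rule window sizes are assumptions, and the sample blob is hand-assembled for the demonstration.

```python
"""Static scanner for the anti-SoftICE idioms listed above (added example, not
part of the original article).  Each rule encodes the instructions the text
quotes as x86 opcode bytes and fires when all of its patterns occur within
`window` bytes of the first one."""
import struct

# (label, patterns, window); a tuple inside `patterns` means "any of these".
# Window sizes are assumptions fitted to the listings above (24 lets method 05
# absorb the two xchg instructions of Stone's variant).
RULES = [
    ("01", [b"\xBD" + struct.pack("<I", 0x4243484B),     # mov ebp, 4243484Bh ('BCHK')
            b"\xCC"], 16),                               # int 3
    ("02", [b"\xBE\x47\x46", b"\xBF\x4D\x4A",            # mov si,4647h / mov di,4A4Dh
            b"\xCC"], 16),                               # int 3
    ("03/04", [b"\xB8\x84\x16",                          # mov ax, 1684h
               (b"\xBB\x02\x02", b"\xBB\x5F\x7A"),       # mov bx, 0202h (SICE) or 7A5Fh (SIWVID)
               b"\xCD\x2F"], 16),                        # int 2Fh
    ("05", [b"\xB8\x4F\x00", b"\xCD\x41",                # mov ax,4Fh / int 41h
            b"\x3D\x86\xF3"], 24),                       # cmp ax, 0F386h
    ("07", [b"\xB4\x43", b"\xCD\x68",                    # mov ah,43h / int 68h
            b"\x3D\x86\xF3"], 16),                       # cmp ax, 0F386h
    ("11", [(b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")], 0),  # MeltICE device names
    ("12", [b"\x6A\x4F", b"\x68\x2A\x00\x2A\x00"], 16),  # push 4Fh / push 002A002Ah
    ("13", [b"Software\\NuMega\\SoftICE"], 0),           # registry key #2
]

def _find_all(data, pat):
    """All offsets of `pat` in `data`, overlapping occurrences included."""
    hits, i = [], data.find(pat)
    while i != -1:
        hits.append(i)
        i = data.find(pat, i + 1)
    return hits

def _alts(pattern):
    return pattern if isinstance(pattern, tuple) else (pattern,)

def scan(data):
    """Return sorted (method label, offset) pairs for every rule that fires."""
    found = set()
    for label, patterns, window in RULES:
        for anchor in _alts(patterns[0]):
            for off in _find_all(data, anchor):
                region = data[off:off + window]
                if all(any(a in region for a in _alts(p)) for p in patterns[1:]):
                    found.add((label, off))
    return sorted(found)

# Constructed sample: hand-assembled fragments of four tricks, NOP-padded;
# not taken from any real binary.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"            # 05: mov ax,4Fh / int 41h / cmp / jz
          + b"\x90" * 4 + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 02: back-door int 3
          + b"\x90" * 4 + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # 03: int 2Fh/1684h, bx=0202h
          + b"\x90" * 4 + b"\\\\.\\SICE\x00" + b"\x90" * 4)         # 11: CreateFileA device name

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"offset {off:#06x}: SoftICE detection method {label}")
```

Methods 06, 08, 09, 10 and 14 have no fixed byte signature (they depend on a handler address, a VMM call or a register read) and are left to dynamic analysis with the breakpoints the article lists.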