<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________


Method 03
=========
A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table (as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

__________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...).

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
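To make the dr7 values quoted above concrete, here is a decoder for the DR7 layout, written as an added example for this section (it is not part of the original text). The bit layout is the Intel debug-register layout; the register values fed in are constructed (the 0x700 and 0x400 mentioned above, plus one with a 4-byte read/write BPM armed on DR0), and assess() models what a ring0 check like method 10 can conclude from them.

```python
"""Decoder for the x86 DR7 debug-control register read by method 10.
Added example, not part of the original text: the bit layout is the Intel
debug-register layout, and the register values used are constructed."""

RW_NAMES = {0: "execute", 1: "write", 2: "i/o (only with CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) exists only in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its per-breakpoint enable/RW/LEN fields and global flags."""
    bps = []
    for i in range(4):
        bps.append({
            "index": i,
            "local": bool((dr7 >> (2 * i)) & 1),          # L0..L3: bits 0,2,4,6
            "global": bool((dr7 >> (2 * i + 1)) & 1),     # G0..G3: bits 1,3,5,7
            "rw": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],    # R/Wn: bits 16-17, 20-21, ...
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],  # LENn: bits 18-19, 22-23, ...
        })
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),          # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),          # global exact breakpoint enable
        "reserved1": bool((dr7 >> 10) & 1),  # always reads as 1 (the 0x400 in both values)
        "gd": bool((dr7 >> 13) & 1),         # general detect: trap any access to DR0-DR7
    }


def assess(dr7, dr0_to_dr3):
    """Indicators a ring0 check like method 10 derives from DR7 plus DR0-DR3."""
    d = decode_dr7(dr7)
    findings = []
    if d["le"] and d["ge"]:
        findings.append("LE and GE set (the 0x700 pattern: started under the SoftICE loader)")
    for bp, addr in zip(d["breakpoints"], dr0_to_dr3):
        if bp["local"] or bp["global"]:
            findings.append(f"DR{bp['index']} armed: {bp['rw']} BPM, {bp['len']} byte(s) at {addr:#x}")
    if d["gd"]:
        findings.append("GD set: the next mov to/from a debug register traps")
    return findings


def clear_bpms(dr7):
    """Model of 'clearing BPMs': drop every enable and RW/LEN field, keep GD/GE/LE/reserved."""
    return dr7 & 0x2700


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xF0401):
        print(f"DR7={value:#x}: {assess(value, [0x401000, 0, 0, 0]) or ['nothing flagged']}")
```

The constructed value 0xF0401 is what SoftICE's BPM on a dword would leave behind: L0 set, R/W0 = 11b, LEN0 = 11b, plus the always-set reserved bit; clear_bpms() shows why a protector can silently remove it while leaving the 0x700/0x400 loader signature intact.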
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
and 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

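The instruction sequences of methods 01 to 05, 07 and 12, and the device names of method 11, are distinctive enough to be found statically in a packed sample before it is ever run. The scanner below is an added example, not part of the original text or of any tool it mentions: its byte patterns are the standard x86 encodings of the instructions quoted above (16-bit encodings for the DOS methods, 32-bit for the 'mov ebp,4243484Bh' of method 01), the allowed gaps between instructions are an assumption, and the input buffer is constructed here rather than taken from a real program.

```python
"""Static scanner for the SoftICE detection idioms of methods 01-05, 07, 11, 12.
Added example, not part of the original text; patterns are the usual x86
encodings of the quoted instructions, and the sample buffer is constructed."""
import re

# (label, regex over raw bytes).  Immediates are little-endian; the lazy
# ".{0,n}?" gaps allow a few unrelated bytes (e.g. Stone's xchg pairs around
# int 41h) between the instructions that matter.  Gap sizes are assumptions.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh (SoftICE back-door magic values)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("07 int 68h/43h magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3", re.S)),
    # Method 11: NUL-terminated device names a MeltICE-style check opens
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.S)),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.S)),
]


def scan(blob):
    """Return [(offset, label)] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample():
    """Constructed buffer: NOP filler around hand-assembled copies of the methods."""
    nops = b"\x90" * 4
    return (
        nops
        # 01 (32-bit): mov ebp,4243484Bh; mov ax,4; int 3; cmp al,4; jnz +10h
        + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"
        + nops
        # 02 (16-bit): mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
        + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
        + nops
        # 04 (16-bit): mov ax,1684h; mov bx,7A5Fh; int 2Fh
        + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
        + nops
        # 05, Stone's variant: mov ax,4Fh; int 41h; xchg dx,es:[104h];
        #    xchg bx,es:[106h]; cmp ax,0F386h; jz +2
        + b"\xB8\x4F\x00\xCD\x41\x26\x87\x16\x04\x01\x26\x87\x1E\x06\x01\x3D\x86\xF3\x74\x02"
        + nops
        # 11: the NUL-terminated device name "\\.\SICE"
        + b"\\\\.\\SICE\x00"
        + nops
        # 12 (32-bit): push 4Fh; push 2A002Ah; call dword ptr [imm32] (VxDCall thunk)
        + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00"
    )


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print(f"{offset:#06x}  {label}")
```

Run it on a raw section dump rather than on a whole PE to keep false positives down; the int 3 back-door pair (method 02) and the 0F386h compare are short enough to occur by chance in data, so treat a hit as a place to set a breakpoint, not as proof.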
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>