<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4             ; al is modified only if SoftICE answered the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax           ; ES:DI is 0:0 when no such VxD is installed
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax            ; es -> interrupt vector table (needed by the xchg below, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, saving the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h               ; our handler just returns: ax stays 4Fh unless SoftICE answers
    xchg dx, es:[41h*4]   ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; our own handler copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h            ; al = an arbitrary value (timer channel 0)
    xor cx, cx
    int 41h               ; if SoftICE intercepts the int, our handler never runs
    xchg dx, es:[41h*4]   ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; cl == al only if our handler was executed
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h
__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the SICE VxD as a device only succeeds when the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
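As an added example (my own code, not from this page nor from any of the packers or tools it cites): a Python scanner that looks for the byte encodings of the interrupt-based checks of Methods 01 to 05, 07 and 12 in a raw code buffer, the kind of static triage an analyst runs before loading a protected file under the debugger. The patterns are the standard x86 encodings of the instruction sequences quoted above (16-bit encodings for the DOS methods; 32-bit ones, with the 66h operand-size prefix on "cmp ax", for Methods 01 and 12), and the sample buffer is constructed by hand-assembling those sequences with nop padding. Small lazy gaps in the patterns allow for a register move or Stone's xchg pairs between the interrupt and the comparison; real packers may reorder or split the instructions, so treat these as narrow, low-false-positive signatures rather than a complete detector.

```python
import re

# Added example: signatures are regexes over raw bytes. Each one is the
# standard x86 encoding of an instruction sequence quoted in this text.
# Lazy gaps (.{0,n}?) tolerate a register move or Stone's xchg pairs between
# the interrupt and the comparison; [\x74\x75] matches either jz or jnz.
SIGNATURES = [
    # Method 01, 32-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jz|jnz
    ("M01 BCHK int 3",
     rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04[\x74\x75]"),
    # Method 02, 16-bit: mov si,4647h / mov di,4A4Dh / int 3 (any 09xxh function in ax)
    ("M02 int 3 back door",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04, 16-bit: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh VxD entry point",
     rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    # Method 05, 16-bit: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("M05 int 41h/4Fh magic",
     rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3"),
    # Method 07, 16-bit: mov ah,43h / int 68h / cmp ax,0F386h
    ("M07 int 68h/43h magic",
     rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 12, 32-bit: push 4Fh / push 002A002Ah / call VxDCall / cmp ax,0F386h
    ("M12 VxDCall Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00.{0,8}?\x66\x3D\x86\xF3"),
]


def scan(buf):
    """Return (offset, signature name, hex of the matched bytes) for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), name, m.group().hex()))
    return sorted(hits)


# Constructed sample: the sequences above hand-assembled, separated by nops.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                  # mov ax,0911h / mov dx,[bx]  (offset 4)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov si,4647h / mov di,4A4Dh / int 3  (offset 9)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz  (offset 20)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7"                      # xor di,di / mov es,di  (offset 34)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # mov ax,1684h / mov bx,0202h / int 2Fh  (offset 38)
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x00"  # mov ah,43h / int 68h / cmp ax,0F386h / jz  (offset 50)
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"  # BCHK check  (offset 63)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # push 4Fh / push 002A002Ah  (offset 81)
    + b"\xFF\x15\x00\x00\x00\x00"              # call dword ptr [VxDCall import]
    + b"\x66\x3D\x86\xF3\x74\x00"              # cmp ax,0F386h / jz
)

if __name__ == "__main__":
    for offset, name, matched in scan(SAMPLE):
        print(f"{offset:#06x}  {name:32}  {matched}")
```

Running the block prints one line per hit with its offset, the method it corresponds to and the matched bytes; a buffer without any of these sequences yields an empty list.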
E K! H8 j, J* G* y& B
; A8 m4 [. f; e1 ^$ h& s( Y4 j( U# A) Q__________________________________________________________________________
+ Z' x; f) W6 Q! x* g- Q1 Z& h( y
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
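A second added example (again my own code, not from the page, from NuMega or from MeltICE): a small Python model of the SoftICE conditional breakpoints quoted for Method 11 (BPX CreateFileA ...) and for Method 13 just above (BPX _regopenkey ...), evaluated against a constructed register/memory snapshot taken at the API entry. It makes explicit what the breakpoint expressions leave implicit: esp->4 and esp->8 are the first and second stdcall arguments, +4 skips the four-byte \\.\ device prefix so that the bytes compared are SICE, SIWV or NTIC, and 0x13 and 0x37 are where 'tICE' sits inside the two SoftICE registry paths. All addresses are constructed, and the model assumes, as the page's expressions do, that SoftICE compares a four-character constant with the bytes at the address in memory order.

```python
# Added example: a model of SoftICE breakpoint conditions, not SoftICE code.
# Assumption: *addr=='SICE' is true when the four bytes at addr are S,I,C,E
# in memory order, which is what the page's breakpoint expressions rely on.

class Snapshot:
    """Registers plus a sparse byte-addressed memory (unmapped bytes read as 0)."""

    def __init__(self):
        self.regs = {}
        self.mem = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read(self, addr, size):
        return bytes(self.mem.get(addr + i, 0) for i in range(size))

    def dword(self, addr):
        return int.from_bytes(self.read(addr, 4), "little")

    def arrow(self, reg, off):
        """SoftICE 'reg->off': the dword stored at reg+off (pointer dereference)."""
        return self.dword(self.regs[reg] + off)

    def chars(self, addr):
        """SoftICE '*addr' compared with a character constant: 4 bytes in memory order."""
        return self.read(addr, 4).decode("latin-1")


def make_snapshot(args):
    """Constructed snapshot at the entry of a stdcall API: [esp] = return
    address, [esp+4] = first argument, [esp+8] = second, and so on. String
    arguments are copied into a data window and passed by pointer."""
    snap = Snapshot()
    data_ptr, stack, ret_addr = 0x00402025, 0x0012FF80, 0x00401071  # constructed
    values = []
    for arg in args:
        if isinstance(arg, str):
            blob = arg.encode("latin-1") + b"\0"
            snap.write(data_ptr, blob)
            values.append(data_ptr)
            data_ptr += len(blob)
        else:
            values.append(arg)
    frame = b"".join(v.to_bytes(4, "little") for v in [ret_addr] + values)
    snap.write(stack, frame)
    snap.regs["esp"] = stack
    return snap


SICE_DEVICES = ("SICE", "SIWV", "NTIC")


def bpx_createfilea(snap):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is lpFileName; +4 skips the 4-byte device prefix (two backslashes, dot, backslash)."""
    name_ptr = snap.arrow("esp", 4)
    return snap.chars(name_ptr + 4) in SICE_DEVICES


def bpx_regopenkey(snap):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; 0x13 is where 'tICE' sits in Software\\NuMega\\SoftICE
    and 0x37 where it sits in ...\\CurrentVersion\\Uninstall\\SoftICE."""
    key_ptr = snap.arrow("esp", 8)
    return any(snap.chars(key_ptr + off) == "tICE" for off in (0x13, 0x37))


if __name__ == "__main__":
    # Constructed calls: the MeltICE device open, a harmless file open, a registry probe.
    print(bpx_createfilea(make_snapshot(["\\\\.\\SICE", 0xC0000000])))              # True
    print(bpx_createfilea(make_snapshot(["C:\\TEMP\\README.TXT", 0x80000000])))     # False
    print(bpx_regopenkey(make_snapshot([0x80000002, "Software\\NuMega\\SoftICE"])))  # True
```

The same two helpers (arrow for reg->off, chars for the four-byte comparison) are enough to reason about every breakpoint expression on this page before typing it into SoftICE, and to see why a non-SoftICE path or key leaves both conditions false.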

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>