<TABLE width=500>3 @# N8 J! b+ @6 [: c0 |" o
<TBODY>
9 m, E2 H# Y; K* m<TR>
6 z0 K4 Q' U1 N, W<TD><PRE>Method 01 , v) ^6 W) I) ~
=========
0 q' X) g6 C6 G# a4 a- }4 V |6 {( Y; a2 c$ e
This method of detection of SoftICE (as well as the following one) is3 @: b- K) `# F* S, d4 n# }5 e
used by the majority of packers/encryptors found on Internet.& Z& S# Q( k/ i0 F% C) Z
It seeks the signature of BoundsChecker in SoftICE$ \3 [$ r' P: k- |, l8 i
" `: E; G. y+ | mov ebp, 04243484Bh ; 'BCHK'
+ p$ Q$ c$ j2 U0 x% }0 `: q mov ax, 04h# h/ g! n+ f: w; `9 t4 J% [
int 3
' M4 ~' ^/ [& l, w$ j cmp al,48 M- R* i' c2 I) \
jnz SoftICE_Detected
; H' m$ H- e+ c7 X' Q6 k
4 s& D5 R( f; b* q* b; Q; ]& z- P: p___________________________________________________________________________
, M# P* D+ h' Y$ X
( O4 R8 f( P I: m0 m% `Method 02
+ p+ p. Y9 W% R+ P1 B5 m=========
3 _% _' ]; o2 W- o
' F* G M, H7 r- iStill a method very much used (perhaps the most frequent one). It is used/ L' n1 ~+ Z- K4 P0 @- D" J
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' F" w$ F w* D$ F
or execute SoftICE commands...
; Q+ N5 C: q! C8 o" ~It is also used to crash SoftICE and to force it to execute any commands
5 `# k: W- O4 Y8 G) F. q(HBOOT...) :-(( 0 @ t( O" O- c# T& K
d8 t0 @% j k/ j* C6 ?) Z; p
Here is a quick description:
& ~! a c6 i: z3 K( W4 [3 C-AX = 0910h (Display string in SIce windows)9 H, }: c& n' h. e) t& o& g
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
- a8 T2 ?/ }; E _-AX = 0912h (Get breakpoint infos)
1 O1 B3 }: h X: G5 W/ ?% D0 F% L-AX = 0913h (Set Sice breakpoints)8 `' V Q6 L {% |' M
-AX = 0914h (Remove SIce breakoints)
/ f2 H4 s" n3 W( K9 b. B
S" {7 Q% M# b/ p5 R- t* B- k! tEach time you'll meet this trick, you'll see:
' p F/ a0 e) ~% M. \4 Q% [-SI = 4647h
+ d+ _7 ?$ l$ W! i% ?+ y3 Y7 o-DI = 4A4Dh4 R6 v. s6 `. M0 _/ ~
Which are the 'magic values' used by SoftIce.
) a& G# {: a. G% t& z7 e8 |For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* j9 U2 o8 R' Q y D# e. j# x& `# }% X8 y6 |8 L
Here is one example from the file "Haspinst.exe" which is the dongle HASP
, g$ h: o: @/ B0 d E3 J7 pEnvelope utility use to protect DOS applications:
+ B5 M' j, j- x* B. A7 k1 e* w
! D% I6 _2 g" `$ x
$ Q2 C3 _4 o- e, P+ n* u; P4C19:0095 MOV AX,0911 ; execute command.
% e6 Y) }4 N; K; m4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
$ A& m+ i# n2 {2 M: S4C19:009A MOV SI,4647 ; 1st magic value.
4 G- y+ {4 c" y% X) f4C19:009D MOV DI,4A4D ; 2nd magic value.4 I( b O# f% g0 a/ v- B- q
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)' L( K0 H, e& V- F* z; c
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
0 ?9 |8 y1 ~ f' m: s& O' d- B$ \4C19:00A4 INC CX
d A* A' k# [5 E4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
% s" b* R2 B* E% y4C19:00A8 JB 0095 ; 6 different commands.+ a" p! X# r5 V$ T( B
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
) Q& b4 g2 e. k2 V& A4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" I9 o y3 |# ~0 h8 j. h+ Y) S8 e& o* Y# I7 \6 D
The program will execute 6 different SIce commands located at ds:dx, which: V0 `- m& u) P% @! |
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
C0 F% r% L( L6 K6 i2 E6 A
. z: c' J# D7 h0 V3 \" D1 r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 }. e, P- o8 W. L6 R6 @# h9 R5 \
___________________________________________________________________________
, j; [# I) U5 Q; k1 ~+ F" C6 H1 f4 y K2 H& L
' z. E! ]# }/ K' \2 g% `& aMethod 038 }5 I4 M5 q6 q: P4 l5 v( ]
=========# G# g) }, z% E9 O" ^
: r8 E) u" W7 @& }: L+ @2 \
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h" f5 K f/ C U- v
(API Get entry point); T! f; ~, P0 h' l0 T f) @* J
0 M7 m# M1 u" Y& a& V# J' v
# G) _! L* {# B0 @- r' U xor di,di9 H" U" ^6 [8 c8 Q2 K& N* P) N
mov es,di
4 B3 j: d1 h: f K# u) E0 z/ y8 e mov ax, 1684h : x |( d! _9 j2 W* F9 I( B5 D
mov bx, 0202h ; VxD ID of winice: H% E B0 }8 s5 X
int 2Fh! @6 a2 N# p u" E
mov ax, es ; ES:DI -> VxD API entry point( Q4 w" z! ^' |, k" `3 R
add ax, di8 V* H) T: [3 j+ Y m2 N
test ax,ax; }: _; S; p' V
jnz SoftICE_Detected
0 [4 t/ K1 |* M) g) X* f% K# L2 h' P$ D8 }4 b/ W* K$ ?
___________________________________________________________________________6 u- ?' o, u1 U9 F2 K
1 S; R1 U8 K) U$ A
Method 04
9 o1 @' w' W+ c) T0 Y=========
5 Y% t% |$ b, y3 A4 m$ D+ d+ A0 j9 O& u1 ]4 H$ D, P/ x
Method identical to the preceding one except that it seeks the ID of SoftICE& h: A/ [& Y$ b& J+ y! ?
GFX VxD.8 o- y- H/ U$ f5 @
' X/ I. t" _: C r
xor di,di# n$ ?* M V" T7 W Z1 m
mov es,di
' N3 N! }, s" L7 n2 l mov ax, 1684h 5 c$ w' E% _' n/ K" G/ {" d% F' t
mov bx, 7a5Fh ; VxD ID of SIWVID W6 X% x) Q( g. M' r( t
int 2fh6 r3 ]; b5 U ^1 |0 H: v3 r& b
mov ax, es ; ES:DI -> VxD API entry point" s/ @% s( R1 ? B" T
add ax, di1 x7 Y& L( C5 P; F- K# D
test ax,ax
# P5 J$ z% W3 Q. |- D jnz SoftICE_Detected7 b1 i" I: L0 m# t
/ e5 W7 ]+ k( x5 K
__________________________________________________________________________
9 o9 O: @# Q( B* l: L- }& b5 o5 T. b) q2 z
$ l6 X& K3 B& B$ XMethod 05
7 Q. ^; r( P. r& N: s0 b1 o; U=========& z, O' f' J D; K2 I( M
4 C, w# P8 ]8 a& j5 U: IMethod seeking the 'magic number' 0F386h returned (in ax) by all system
; f3 T! O% A3 o4 j) U! ]debugger. It calls the int 41h, function 4Fh./ e, z6 G7 g1 _' R0 Z
There are several alternatives.
5 \( d, X! C( B
! g" j) U" R; C) b, p: i5 I& PThe following one is the simplest:7 P9 x' b; K2 ^3 o2 V! {5 J0 F
3 u: j O) r- u5 R; e mov ax,4fh: A" E- g& C# J# L0 `% r
int 41h, k0 r$ P6 r3 }9 ^2 g
cmp ax, 0F3869 Q" H) X' t% W# F5 S6 M1 t5 c, y
jz SoftICE_detected; J8 N. T, g/ c( X% S' R
! B! }4 W5 e' z* m- v( V% N
0 h) l3 }' a1 K5 |5 @9 ?1 u# _Next method as well as the following one are 2 examples from Stone's
; k$ X9 s& j3 U* z7 i"stn-wid.zip" (www.cracking.net):( z, S; n& _! t" `& r: `
& ]6 W; j: m1 p7 F mov bx, cs7 i2 \( I; S4 B
lea dx, int41handler2# v E$ ?9 |. u5 \" z6 [7 \
xchg dx, es:[41h*4]- K& s' {+ ~( `, p- b$ O, P6 v& Y0 n
xchg bx, es:[41h*4+2]2 z+ h/ \5 m: B! t2 G; i
mov ax,4fh
( b! K% S1 J- U7 r' B/ s2 y int 41h$ A- V6 M. j$ O
xchg dx, es:[41h*4]
. q# N8 y. w V1 O xchg bx, es:[41h*4+2]0 |& }( I* k% v5 m% i, P- n. s
cmp ax, 0f386h
/ r) A7 b) D% l+ N. }9 F! w jz SoftICE_detected
) u4 A, e! V* A7 ~0 {7 u; _; S/ r( t! J; q
int41handler2 PROC0 r6 N- }! u. @1 V ^
iret
, W; U9 D5 C: z- nint41handler2 ENDP. L( F* _( W( s- h5 \
% [. G8 x. x, s& E1 N3 U6 ?* X M- o; k
_________________________________________________________________________8 ^; y3 A; j0 s! i
) ] s+ C; p! l3 d
- K8 y+ v# R. S, j. tMethod 06* W! V5 Q' O- D+ R/ G* ?# [. a
=========
( [# t3 j+ R7 v& H& \ s6 m- Q) K( u$ n" Z$ L
( k! h9 F; }: h {# D
2nd method similar to the preceding one but more difficult to detect:8 |0 x5 K* T9 ?: E$ @* M
: `, J# v% y( e0 w. F8 u. C, ]8 b; c! \7 t4 ]5 ^9 t
int41handler PROC! T/ W2 y, \2 s1 h7 R
mov cl,al6 }) Q: o$ ^% f
iret c& Y9 k4 {4 i& R0 \) W# a
int41handler ENDP, u! h4 j6 u2 k! a2 F, n% h7 E- E' [1 \
9 d; N" J4 t' s* z+ A9 c+ B
% m }! I4 k1 \3 w; d) K xor ax,ax
% j' B+ C- M" u- @: g mov es,ax* W8 C& Y3 o, S8 A9 i! E
mov bx, cs1 Y. L) ]8 L* F* P" z( G9 E
lea dx, int41handler, c5 ?) f4 s, x. U- w. J
xchg dx, es:[41h*4]
/ j# P% X+ y* m3 A3 b$ j- y. P xchg bx, es:[41h*4+2]
5 T l4 A" ~. g. j, ]% ~% f' Y in al, 40h
/ {3 F j S8 f) ^% V& L xor cx,cx
' L2 ?0 s% O& K" \ int 41h% o9 l( T, y \2 T$ f4 R
xchg dx, es:[41h*4] q" |# f, a( d& y
xchg bx, es:[41h*4+2] o/ E8 P- Z! q2 Z7 [
cmp cl,al7 D# Q2 t3 O" s8 G( f
jnz SoftICE_detected/ r( g& W! R; F. W
: L5 l) S: d+ z: U8 a
_________________________________________________________________________+ o7 S: E) B4 J# v6 X! H
; \" f. l5 z, I5 x8 X$ B
Method 07
4 c" C" y7 Q& v' t9 Q" S. G, H=========
, |/ I4 _7 |2 [1 e, h+ Y$ n7 W% c- S, {$ O+ ~# q. B" H
Method of detection of the WinICE handler in the int68h (V86)
& @; ~% Y c% r1 y( w
. m# g. o4 F. R( g X. X mov ah,43h
; n6 v" B$ s x$ b, s1 n int 68h- x! c+ E- U3 q3 F- m3 \: p
cmp ax,0F386h
4 L0 k/ o0 N7 c7 S: w$ B jz SoftICE_Detected4 v4 _; U4 g' P4 N$ D
) ]( g; o; {) E5 R
: F0 N0 M8 r9 F" _/ f, ~* S, a=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 C( C7 r! @1 j$ R8 i
app like this:
; ^: q6 @& P# i; u: x/ K8 ]: J- Z/ A% Q1 l% } q9 `; g/ x! B- _
BPX exec_int if ax==68* ?% R1 s/ l: t4 ~% K
(function called is located at byte ptr [ebp+1Dh] and client eip is. x6 E3 E! a6 T7 C; [) z& x2 Q
located at [ebp+48h] for 32Bit apps): k+ F u" P: V% w, f) K
__________________________________________________________________________5 O7 o3 S0 D* M: N- y8 G
! e U5 U6 X- O$ C, q
7 j! i9 J2 C, z7 x1 v4 q- a
Method 08
, M, U$ X, ]" |9 {; N' O- z=========" p5 I7 s% V/ L2 e- w& a$ y
) b% @6 q% ^7 r |8 b7 C b
It is not a method of detection of SoftICE but a possibility to crash the
7 i/ O* j9 m5 N$ Q, l& w1 qsystem by intercepting int 01h and int 03h and redirecting them to another
' k8 e9 P T, Y$ Q7 ~; sroutine.5 e% c! T5 H3 k) `1 u+ X
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points- E& z0 K( H$ w0 t8 x
to the new routine to execute (hangs computer...)0 i. o" T% {: [- f! w j! ^; }4 Z9 Z( |
5 I; P4 {. L& i& G r$ F8 \
mov ah, 25h/ Q+ A' [7 ? Z7 n+ R# w6 |
mov al, Int_Number (01h or 03h), e$ g, [+ B7 s' l5 @% ]: ]
mov dx, offset New_Int_Routine* j) ^: F9 M; f: ]
int 21h3 S' x& f5 u7 ~1 y
0 ?. v+ U$ w; A& _4 L
__________________________________________________________________________5 g; i# E) f z: X1 f" g
/ T, U' ~5 R( X- f& D9 pMethod 09" G& }! o7 T2 O$ w% \
=========5 I% m7 A# w" h& m, j+ L+ s
& X) [2 O: g( {, J
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 M5 j- W/ Y9 r7 G' {2 tperformed in ring0 (VxD or a ring3 app using the VxdCall).
! }! L* n$ r$ }! [The Get_DDB service is used to determine whether or not a VxD is installed
4 o& c: \( H1 m3 B% B1 @! F3 Wfor the specified device and returns a Device Description Block (in ecx) for) D+ U6 K" Y3 T2 L* H
that device if it is installed.- o/ @/ C7 n$ p
6 T/ i3 u1 n v6 ^8 p" I: p, |2 l
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID7 w* [: ~0 Y. w# {8 i4 ?
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ X/ O( k/ H# I; F- v1 B VMMCall Get_DDB
- U# P# T7 D: S8 u/ Z mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ n8 A2 |) e$ Z5 e% J
2 c+ A1 p4 Z4 |) w r+ ?
Note as well that you can easily detect this method with SoftICE:
% @; c) r$ Q0 m& I" _. s- B bpx Get_DDB if ax==0202 || ax==7a5fh
, Z8 d; Y! y, v" R. t! @# X: v9 f# z: b. K# c; {
__________________________________________________________________________
* H; `, |6 q B
2 h% e d J+ N ^& Q5 H- P: r' G4 [Method 10
/ v" x: S3 D0 S; }! r=========0 U( _0 j% k; w& R0 A6 d
& T9 v, I4 z. B5 ^, U G=>Disable or clear breakpoints before using this feature. DO NOT trace with2 d2 F4 L6 q2 Y6 l
SoftICE while the option is enable!!
' B: P- i6 {2 Q9 M1 a! j* ]& h# Y7 v2 Z* p, `4 x' K; k/ B
This trick is very efficient:
5 A) D+ c' T C- r9 `by checking the Debug Registers, you can detect if SoftICE is loaded( s: R' C: u$ g: k. [1 m
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if$ y8 u/ k) x2 }$ U6 {9 k
there are some memory breakpoints set (dr0 to dr3) simply by reading their
+ F5 v: E1 @2 X' F2 A9 q9 f- w; Pvalue (in ring0 only). Values can be manipulated and or changed as well" q0 @* r' t9 U3 r: g7 r
(clearing BPMs for instance)
6 r) G/ C% R: i, i5 D2 y7 r6 w9 p1 W' |" b1 b- L$ F" R
__________________________________________________________________________ ?: A* U1 B; E; m! P" S8 M
" {5 w1 ]. Z$ i- KMethod 11 L1 v" U- q0 r/ E& p/ R+ D
=========
. |) s1 W8 o2 W; I6 P7 m. d" v/ @; t0 ~- u8 e) W
This method is most known as 'MeltICE' because it has been freely distributed
$ H) ^3 h; \2 V& h- e# x5 K7 U- yvia www.winfiles.com. However it was first used by NuMega people to allow
( A% d9 Z d$ K" ]7 U8 ]Symbol Loader to check if SoftICE was active or not (the code is located& u5 d; {4 ^" k1 G7 Q7 o
inside nmtrans.dll).: X3 @: c4 x# k
o% m/ Q7 K s9 ~% t6 }! J/ ~
The way it works is very simple:5 K. M+ j ]5 J0 x. X
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 S! w0 N9 S( }3 C, L9 k% S- TWinNT) with the CreateFileA API." I/ a3 a: x8 y L, l& [
+ K) `. J' K' _( T) V7 F4 qHere is a sample (checking for 'SICE'):( y6 a' j* H; s
6 A# N' r5 q" ]( a3 t
BOOL IsSoftIce95Loaded()
3 a# q# {; g8 [* Z: J{% ?2 E+ M4 k* g. @% C
HANDLE hFile;
/ S+ n/ a( [0 S+ x4 Z hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( [* W) r2 G) a' G* b FILE_SHARE_READ | FILE_SHARE_WRITE,
: o5 G: }* ~6 D) a NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); U* a- n& w5 L0 l( R
if( hFile != INVALID_HANDLE_VALUE )9 T( N: a2 Q# v& x8 q
{4 _& l# Z0 x$ y9 a5 W. b
CloseHandle(hFile);
' H+ a) T6 B: J) E; h* v1 _0 | return TRUE;# t( A2 p' g- \% Y( T9 q) H! k
}0 E* L3 q" H: u
return FALSE;$ u" F7 w6 g' _3 N
}
) ^6 l* L3 |4 Y& L9 Z1 m# I! Q$ K# Z4 k2 X6 r( _
Although this trick calls the CreateFileA function, don't even expect to be: e$ k) g6 H3 F( y% }
able to intercept it by installing a IFS hook: it will not work, no way!1 h. L+ c: j! _. F; w6 U
In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ H, Y& H0 y% c0 t0 E% R% F$ H6 G3 v
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- g' c& V" }8 E: U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc6 q) G" ?, q; s. y
field.
1 b# Z! u5 O2 c# _6 e- ZIn fact, its purpose is not to load/unload VxDs but only to send a
B6 M' x2 H) T+ U, b9 _& MW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
$ v0 h( L/ j# g3 Oto the VxD Control_Dispatch proc (how the hell a shareware soft could try" Y) N8 f" C( Y
to load/unload a non-dynamically loadable driver such as SoftICE ;-).! a/ z9 `5 C8 R6 \+ G/ \+ o3 ^
If the VxD is loaded, it will always clear eax and the Carry flag to allow5 W6 @3 H) ?- P1 P% i' k
its handle to be opened and then, will be detected.
. l: S. {6 y& ?9 u0 h3 o$ kYou can check that simply by hooking Winice.exe control proc entry point
3 h5 T2 b5 H9 ] ?* Lwhile running MeltICE.
" g) I* U* Q1 s5 B- k
/ g7 G) O K/ F5 \/ y! }' _
5 Q0 l$ d. I( o) \; b 00401067: push 00402025 ; \\.\SICE
+ [- Y: M T6 Z! B [6 f, h1 G 0040106C: call CreateFileA5 ^/ b) i( ^9 t8 l# P
00401071: cmp eax,-001
- ?# J( b3 N% X: \2 R 00401074: je 00401091+ Y$ C2 v' Q8 u/ L. J9 }
- Y2 B# C6 A1 E/ d; C' l
5 d) i. U& c7 b, {, xThere could be hundreds of BPX you could use to detect this trick. N u {6 G+ X; A i; K) }
-The most classical one is:+ G$ T! \0 T' c/ K6 j
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||: p1 `# G. O% f# `
*(esp->4+4)=='NTIC'% t- @$ M! C9 k
2 c6 W- A* E9 G
-The most exotic ones (could be very slooooow :-(
; y# k( w% b3 _7 o$ r; R# b BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') % I; ^1 ^* n1 T
;will break 3 times :-(
! {$ j3 C. u; c( m
0 N& f/ ~1 F2 I" ^* I, c: L+ Q-or (a bit) faster:
+ F" [ w4 ?7 \) s0 @+ h BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ M s" X2 C9 p; @2 g# D6 ~; L" m
& I: l4 b8 B$ k% G BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
& U% H+ D; z& D ;will break 3 times :-(3 _; o1 J9 w; l2 l c! Y3 ~
{7 M6 `& h( _0 r6 q* k-Much faster:$ {7 w& A8 Z4 i* l9 e9 E- U5 w
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
% ]$ ] U% v' ^4 U2 {' C" N, W. `" K4 J3 Z. e2 z0 A
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen/ r! K! a- L/ L+ f
function to do the same job:6 Q$ b1 V$ ^! j% [! Q
1 _& S/ Y3 ?) S$ z! X push 00 ; OF_READ/ ]8 n% j" Z, V7 D- E, b4 p" a
mov eax,[00656634] ; '\\.\SICE',0! _* q6 E6 o @$ ^5 x* l
push eax
2 I: t2 v7 Z& [& ?) F call KERNEL32!_lopen
2 @* v1 Y) Z- R' k. m inc eax
- R; W U# m' `4 H+ Q jnz 00650589 ; detected
% Z4 z! s; E4 x% V% }& @6 z4 g# O, j/ b push 00 ; OF_READ
b1 B8 r: W" _4 K6 p9 ]1 O- E; a8 O mov eax,[00656638] ; '\\.\SICE'/ I/ |: S6 B- Y1 c s* g
push eax$ E4 X6 ~& t2 b7 T
call KERNEL32!_lopen/ \0 w( \5 \: W9 \' R/ }0 K
inc eax, ~1 u9 X6 `6 a V$ f9 m
jz 006505ae ; not detected# ]5 [4 o% Z l5 e: Z
& f/ r# L3 q4 X1 X0 A
$ `2 W. O" v/ S__________________________________________________________________________
, Z& {6 k7 J- |2 B' B* S3 \) W* l) ^% H% n& _
Method 12
5 c* I) z. ?' E# `0 K=========
& m5 Y/ `7 {! P, b& R7 W' E. g5 @3 u" c& E( ]1 L$ c
This trick is similar to int41h/4fh Debugger installation check (code 05, v9 r+ {9 K# S& p3 c
& 06) but very limited because it's only available for Win95/98 (not NT)
5 H( O+ C+ V: U& R w0 h/ qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
) V$ M3 d0 T" z1 A: i8 D7 v* Q' _! v7 z6 r! c
push 0000004fh ; function 4fh
0 H* K3 Z6 i% w) R/ l push 002a002ah ; high word specifies which VxD (VWIN32)
" b( W6 M) r, d& H. s3 | ; low word specifies which service4 G, y1 j7 r! C% M8 E, c8 g1 {. \+ e _
(VWIN32_Int41Dispatch)
3 x" U. G8 ]3 H) o* K r7 \3 t call Kernel32!ORD_001 ; VxdCall
P T. V# }" w: q4 h( g) T$ o: j/ ?5 K cmp ax, 0f386h ; magic number returned by system debuggers2 Q* G& O2 S5 i" ?% B+ ?
jz SoftICE_detected$ L* z# S" G) c5 L3 G
' @- A7 v; E0 Z, q J/ W' V' g
Here again, several ways to detect it:& u! k+ L/ ?& }
* j& Z' R. I9 [) N
BPINT 41 if ax==4f
4 X& O) e. ^3 @; M) T
" i+ d; U2 y0 v1 }3 e BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
9 z5 |7 @# b" M' w: B2 j
/ S6 W* {- l* ~# Y- L BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
9 U' ]2 H1 P$ M% V2 ~9 p! W+ G7 h+ s9 ?& Y5 a+ h* K4 M7 v
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
' O* N% s4 Q! z1 z# N
X2 \8 \+ @ C) Q. V- [__________________________________________________________________________) G0 c4 Z }! j4 v+ n3 K
' z: F; u* |4 b5 _- \
Method 13. h; g9 J( E: M# P- O3 I
=========
$ B7 M6 x; d0 h- M+ h5 U
& P8 }* Z( h, Z! l$ T1 a4 tNot a real method of detection, but a good way to know if SoftICE is& @6 k+ X) J) f4 Y8 F, P! b$ Q
installed on a computer and to locate its installation directory.
3 N7 @0 B4 F8 ^It is used by few softs which access the following registry keys (usually #2) :
( L2 x' @8 F; Z/ t+ g. @
1 L3 \5 e! z1 g3 O5 j) j+ I* x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 P6 I- u [7 A\Uninstall\SoftICE
1 X7 q- ]0 W6 H; N4 Q& i2 G-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
6 l+ W# h! }- `$ t3 ~-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 |2 n+ e2 \% c) E7 L
\App Paths\Loader32.Exe
# d" v' U, A$ Y3 v
( e. X: f, S* U& Q4 w F! X9 z
7 G' C# r5 P1 q3 A: GNote that some nasty apps could then erase all files from SoftICE directory6 M' C1 U4 Q, F y+ j1 ]5 Q& s/ _ G
(I faced that once :-(
( c& P( k i3 `+ t- F
5 F2 b5 F: _% Y' KUseful breakpoint to detect it:, F" P% g* V. N1 _
; P1 Q# g! _1 o. P2 S) v BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
7 `3 r) X. o. u7 l5 w% h( ^- t( p. e9 z2 j+ I* i" R
__________________________________________________________________________
# |1 V/ M! H' w2 u
Y$ _ x) R- o$ U) U
1 \2 {( {4 q9 ?% T8 BMethod 14
* }* S; W0 T/ {6 W=========
0 M' |% @* ~: C6 ? \6 Y
; M: n) F9 U3 E( ]' O7 D& P, EA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: m% C. k; i% j# {+ g
is to determines whether a debugger is running on your system (ring0 only).% E* ^. D8 Y i3 M) C
4 g* I% |0 m- G; C
VMMCall Test_Debug_Installed6 m1 L) L' I6 m0 I v
je not_installed
8 @0 @% ~/ j1 {8 K5 x/ o
. G; m$ ~' s# L- m% YThis service just checks a flag.$ }# K' D! `4 c, L. T
</PRE></TD></TR></TBODY></TABLE> |