<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface (the 'BCHK' signature).

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point).

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 0202h         ; VxD ID of winice
 int 2Fh
 mov ax, es            ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

 xor di, di
 mov es, di
 mov ax, 1684h
 mov bx, 7a5Fh         ; VxD ID of SIWVID
 int 2fh
 mov ax, es            ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax, ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax, ax
 mov es, ax              ; es = 0 -> interrupt vector table (added here; the
                         ; original listing leaves this setup out)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]     ; install our own int 41h stub, old vector kept in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax, 4fh
 int 41h                 ; a system debugger answers with ax=0F386h; our stub
                         ; leaves ax untouched
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl, al              ; copy al into cl so the caller can tell our stub ran
 iret
int41handler ENDP


 xor ax, ax
 mov es, ax              ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]     ; install our handler, old vector kept in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h              ; read a varying byte from the PIT timer (channel 0)
 xor cx, cx
 int 41h                 ; if nobody else grabs int 41h, our handler sets cl = al
 xchg dx, es:[41h*4]     ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl, al
 jnz SoftICE_detected    ; cl still 0: something else handled int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
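
Added example (not part of the original text): a small Python scanner that turns the instruction sequences from Methods 01 through 05 and 07 into byte signatures and reports where they occur in a raw code image, the way an analyst would triage a packed sample for these stubs before single-stepping it. The signature table, the bounded-gap matching and both sample images are my own construction; the samples are hand-assembled from the instruction encodings given in the comments.

```python
"""Byte-signature scanner for the SoftICE checks of Methods 01-05 and 07.

Added example, not part of the original text. Each signature is the opcode
encoding of the instructions shown in those methods, joined by a bounded
gap so that a few interleaved instructions (as in the Stone variant of
Method 05) still match. The sample images below are hand-assembled."""
import re

# Standard x86 encodings used below:
#   B8 iw  mov ax,imm16   BB iw  mov bx,imm16   BE/BF iw  mov si/di,imm16
#   BD id  mov ebp,imm32  B4 ib  mov ah,imm8    66 = operand-size prefix
#   CC     int 3          CD ib  int imm8       3C ib  cmp al,imm8
#   3D iw  cmp ax,imm16
GAP = rb".{0,16}?"   # up to 16 arbitrary bytes between two anchor instructions

SIGNATURES = [
    ("M01 int 3 with ebp='BCHK', ax=4, cmp al,4",
     rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\x66?\xB8\x04\x00" + GAP
     + rb"\xCC" + GAP + rb"\x3C\x04"),
    ("M02 int 3 backdoor, si=4647h di=4A4Dh",
     rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC"),
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\x66?\xB8\x84\x16" + GAP + rb"\xBB\x02\x02" + GAP + rb"\xCD\x2F"),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\x66?\xB8\x84\x16" + GAP + rb"\xBB\x5F\x7A" + GAP + rb"\xCD\x2F"),
    ("M05 int 41h/4Fh, cmp ax,0F386h",
     rb"\x66?\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x66?\x3D\x86\xF3"),
    ("M07 int 68h/43h, cmp ax,0F386h",
     rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + rb"\x66?\x3D\x86\xF3"),
]
# DOTALL so the gap also swallows 0x0A bytes, which are just code here.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(image: bytes):
    """Return sorted (offset, signature name) pairs for every hit in image."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(image))
    return sorted(hits)


# Constructed code image: the Method 01 stub, the HASP-style Method 02
# backdoor call and a Method 04 probe, separated by nop padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax, 0911h
    + b"\x8B\x17"               # mov dx, [bx]
    + b"\xBE\x47\x46"           # mov si, 4647h
    + b"\xBF\x4D\x4A"           # mov di, 4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\x33\xFF"               # xor di, di
    + b"\x8E\xC7"               # mov es, di
    + b"\xB8\x84\x16"           # mov ax, 1684h
    + b"\xBB\x5F\x7A"           # mov bx, 7A5Fh (SIWVID)
    + b"\xCD\x2F"               # int 2Fh
)

# Stone's Method 05 variant: two 5-byte xchg instructions sit between
# int 41h and the compare, which the bounded gap absorbs.
STONE_SAMPLE = (
    b"\xB8\x4F\x00"             # mov ax, 4Fh
    + b"\xCD\x41"               # int 41h
    + b"\x26\x87\x16\x04\x01"   # xchg dx, es:[41h*4]
    + b"\x26\x87\x1E\x06\x01"   # xchg bx, es:[41h*4+2]
    + b"\x3D\x86\xF3"           # cmp ax, 0F386h
    + b"\x74\x05"               # jz SoftICE_detected
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE) + scan(STONE_SAMPLE):
        print(f"{off:#06x}  {name}")
```

The gap width is the usual trade-off: wide enough to survive a register shuffle between the anchor instructions, narrow enough that a stray `int 3` far away from the `BCHK` load does not produce a hit. Signatures that key on the immediate values (4647h/4A4Dh, 1684h with the VxD ID, 0F386h) are the robust part; a protector that computes those constants at run time will need the breakpoints from the following methods instead.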
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...).

 mov ah, 25h                      ; DOS: set interrupt vector
 mov al, Int_Number               ; 01h or 03h
 mov dx, offset New_Int_Routine   ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
 mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
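
Added example (not from the original text) to make the Method 10 numbers concrete: a Python decoder for DR7 that reports the LE/GE/GD flags and any armed breakpoint slots, so the 0x700 and 0x400 values quoted above can be read field by field. The bit layout follows the IA-32 architecture manuals; the function names and the constructed sample values are my own.

```python
"""Decode a DR7 value as read by the Method 10 check (ring0 only).

Added example, not part of the original text. Bit layout per the IA-32
architecture manuals:
  bits 0-7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable, one pair per slot
  bit 8       LE  local exact breakpoint enable
  bit 9       GE  global exact breakpoint enable
  bit 10      reserved, reads as 1 (hence the 0x400 baseline in the text)
  bit 13      GD  general detect: traps any MOV to/from a debug register
  bits 16+4n  R/Wn (2 bits) then LENn (2 bits) for slot n
"""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 bytes only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the control flags and the list of armed breakpoint slots."""
    flags = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
    }
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                       # slot n is disarmed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return {"flags": flags, "breakpoints": slots}


def classify_dr7(dr7: int) -> str:
    """Apply the reading given in the text: armed slots mean memory
    breakpoints (BPM) are set; LE/GE without slots matches the 0x700 value
    seen when the program was started through the SoftICE loader; the bare
    reserved bit (0x400) is the baseline."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "breakpoints armed"
    if d["flags"]["le"] or d["flags"]["ge"]:
        return "exact-match enables set (SoftICE loader signature)"
    return "baseline"


# Constructed sample values: the two values quoted in the text, plus a
# hand-built DR7 with DR0 armed as a local 4-byte write breakpoint.
SAMPLE_LOADER = 0x700
SAMPLE_BASELINE = 0x400
SAMPLE_BPM = 0x400 | 1 | (1 << 16) | (3 << 18)   # L0=1, R/W0=write, LEN0=4

if __name__ == "__main__":
    for v in (SAMPLE_LOADER, SAMPLE_BASELINE, SAMPLE_BPM):
        print(hex(v), classify_dr7(v), decode_dr7(v))
```

Reading the registers this way is only possible from ring0, as the text says; the decoder is what you would apply to a value dumped from a VxD or from SoftICE's own register display when checking what a protector saw.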

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SICE device can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
          ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
          ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',00
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh          ; function 4fh
 push 002a002ah          ; high word specifies which VxD (VWIN32),
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001  ; VxDCall
 cmp ax, 0f386h          ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>