<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's BoundsChecker interface: with EBP = 'BCHK' and AX = 04h,
an INT 3 is answered by SoftICE, which modifies AL. If AL is still 4
afterwards, SoftICE is not loaded.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back non-zero.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler, so that without a debugger AX comes back unchanged:

    ; assumes ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect:
the dummy handler copies AL into CL, so CL differs from AL only if the
dummy handler was bypassed, i.e. if something else serviced int 41h.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable value read from the timer port
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                      ; set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated and/or changed as well
(clearing BPMs for instance).
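To make the two DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes a DR7 value using the bit layout Intel documents for that register: bits 0-7 are the local/global enables for DR0-DR3, bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1 (which is why the baseline is 0x400), bit 13 is GD, and bits 16-31 hold the R/W and LEN fields of the four slots. The 0xD0702 value used in the demo is constructed here to show a single armed memory breakpoint; the helper names are my own.

```python
# Added example (not from the original text): decode the DR7 value that the
# ring-0 check above reads, using the Intel-documented DR7 bit layout.
from typing import Dict, List

# R/W field: 00 execute, 01 write, 10 I/O (with CR4.DE), 11 read/write.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field: 00 one byte, 01 two bytes, 11 four bytes, 10 eight bytes (64-bit only).
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into per-slot breakpoint state and the global control bits."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # L<n>: bit 2n
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # G<n>: bit 2n+1
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/W<n>: bits 16+4n, 17+4n
        ln = (dr7 >> (18 + 4 * n)) & 3            # LEN<n>: bits 18+4n, 19+4n
        slots.append({"slot": n, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),   # general detect (trap on MOV to/from DRn)
    }


def armed_slots(dr7: int) -> List[int]:
    """Slot numbers (0-3, i.e. DR0-DR3) that have a hardware breakpoint enabled."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7: int) -> str:
    """One-line reading of DR7 in the terms used above (0x700 vs 0x400, armed BPMs)."""
    d = decode_dr7(dr7)
    flags = "LE+GE set" if d["LE"] and d["GE"] else "LE/GE clear"
    armed = armed_slots(dr7)
    if armed:
        bpm = ", ".join(f"DR{s} {d['slots'][s]['kind']} {d['slots'][s]['length']}B"
                        for s in armed)
    else:
        bpm = "no memory breakpoints"
    return f"dr7={dr7:#x}: {flags}; {bpm}"


def demo() -> List[str]:
    """The two values quoted in the text, plus a constructed DR7 with DR0 armed as a
    global 4-byte write breakpoint (G0 | R/W0=01 | LEN0=11) on top of 0x700."""
    with_bpm = 0x700 | 0x2 | (1 << 16) | (3 << 18)   # = 0xD0702
    return [describe(0x700), describe(0x400), describe(with_bpm)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Reading DR7 this way tells a ring-0 check (or an analyst looking at a crash dump) not just that something is loaded but which slot is armed and how, which is the information a BPM-clearing routine would need.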
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name succeeds only when the SICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( )

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
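Every method above leans on a handful of fixed constants (the 'BCHK' magic, the 4647h/4A4Dh pair, the 1684h/0202h/7A5Fh VxD lookup, the 0F386h answer, the int 68h/43h call, the \\.\SICE device names, the NuMega registry key). Those constants are what an analyst triaging a packed sample can look for statically. The following is an added example, not code from the original text: a small scanner that matches on the little-endian immediates and strings rather than on complete instruction encodings, so the same patterns work for the 16-bit DOS snippets and the 32-bit Win32 ones (an operand-size prefix simply falls into one of the short gaps). The byte patterns and the sample blob are constructed here from the snippets above; the 32-bit encodings of methods 01 and 12 and the 16-bit encodings of the DOS methods are my hand assembly, and the indicator names are mine.

```python
# Added example (not from the original text): a static scanner that looks for
# the magic constants and strings the catalogued SoftICE checks rely on. Byte
# patterns are constructed here from the immediates quoted in the methods above.
import re
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Indicator:
    method: str   # method number(s) in the text above
    name: str     # what the constant is
    regex: bytes  # byte-level regular expression (matched with re.DOTALL)


# x86 immediates are stored little-endian: 'BCHK' (4243484Bh) appears as
# 4B 48 43 42, 4647h as 47 46, 0F386h as 86 F3. Matching on the immediates
# instead of whole instructions keeps the patterns valid for 16- and 32-bit code.
INDICATORS: Tuple[Indicator, ...] = (
    Indicator("01", "BoundsChecker magic 'BCHK' followed by INT 3",
              rb"\x4b\x48\x43\x42.{0,8}?\xcc"),
    Indicator("02", "back-door magic values SI=4647h and DI=4A4Dh",
              rb"\xbe\x47\x46.{0,6}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,6}?\xbe\x47\x46"),
    Indicator("03/04", "INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
              rb"\xb8\x84\x16.{0,4}?\xbb(?:\x02\x02|\x5f\x7a).{0,4}?\xcd\x2f"),
    Indicator("05/06/12", "INT 41h or VWIN32_Int41Dispatch compared against 0F386h",
              rb"(?:\xcd\x41|\x68\x2a\x00\x2a\x00).{0,12}?\x3d\x86\xf3"),
    Indicator("07", "INT 68h function 43h",
              rb"\xb4\x43\xcd\x68"),
    Indicator("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    Indicator("13", "SoftICE registry key",
              rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
)


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every indicator hit, sorted by offset."""
    hits = []
    for ind in INDICATORS:
        for m in re.finditer(ind.regex, blob, flags=re.DOTALL):
            hits.append((m.start(), ind.method, ind.name))
    return sorted(hits)


def methods_found(blob: bytes) -> Set[str]:
    """The set of method numbers whose indicators occur in the blob."""
    return {method for _, method, _ in scan(blob)}


def build_sample() -> bytes:
    """Constructed test input: the snippets above, hand-assembled, between NOP filler.

    Methods 01 and 12 are encoded as 32-bit code, the DOS methods as 16-bit code.
    """
    parts = [
        bytes.fromhex("BD 4B 48 43 42  66 B8 04 00  CC  3C 04  75 05"),  # method 01
        bytes.fromhex("B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC"),         # method 02
        bytes.fromhex("31 FF  8E C7  B8 84 16  BB 02 02  CD 2F"),         # method 03
        bytes.fromhex("B8 4F 00  CD 41  3D 86 F3  74 00"),                # method 05
        bytes.fromhex("B4 43  CD 68  3D 86 F3"),                          # method 07
        bytes.fromhex("68 4F 00 00 00  68 2A 00 2A 00"
                      "  FF 15 00 00 00 00  66 3D 86 F3"),                # method 12
        b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",                               # method 11
        b"Software\\NuMega\\SoftICE\x00",                                 # method 13
    ]
    return (b"\x90" * 16).join(parts)


if __name__ == "__main__":
    for offset, method, name in scan(build_sample()):
        print(f"{offset:#06x}  method {method:<8} {name}")
```

The 'BCHK' pattern will also fire on the plain ASCII string "KHCB", and the 47 46 / 4D 4A pair is anchored on the MOV opcodes to keep it from matching random data; when triaging a real sample, treat a single hit as a lead to disassemble at that offset rather than as proof.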
</PRE></TD></TR></TBODY></TABLE>