<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: the
program loads EBP with the signature 'BCHK' and AX with 04h, then raises
INT 3. If SoftICE is loaded it services the interrupt and answers in AL,
so AL no longer equals 4; without SoftICE the default INT 3 handler
simply returns and AL is untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on INT 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' (the ASCII pairs 'FG' and 'JM') SoftICE
requires in SI and DI before it honours the request.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the
machine from inside the debugger).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
INT 2Fh, AX=1684h (Get Device API Entry Point), passing the VxD ID in BX.
If the VxD is not loaded, ES:DI comes back as 0000:0000; summing ES and
DI is just a cheap way to test "both zero".

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the debugger-installation check, INT 41h
function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps a dummy INT 41h handler
into the real-mode interrupt vector table before the call, so that a plain
DOS environment returns without touching AX, while a debugger such as
SoftICE, which intercepts the interrupt before the V86 vector is reached,
still answers 0F386h. ES must already be 0 (the IVT segment) here; method
06 sets it explicitly:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; install our handler, keep the old one
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the old handler
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
AL is filled with a pseudo-random value read from the timer port 40h and
the replacement handler copies AL into CL. If the INT 41h reaches our
handler, CL ends up equal to AL; if SoftICE intercepts it first, CL stays
0 and the compare fails (the check passes by accident only if the port
happened to return 0).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                       ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; PIT counter: a value the debugger cannot guess
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86 mode).

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
    EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
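
The reverse of methods 01 to 07, from the analyst's side: a static byte-signature scan that recognises the immediate loads and INT opcodes these tricks leave in a 16-bit code image. This is an added example, not code from the original text or from any of the tools it names. It assumes the instructions are laid out back-to-back as in the listings above (a packer that interleaves other instructions would slip past it), and the sample buffer at the bottom is constructed for the demonstration, not taken from a real binary.

```c
/* Added example: signature scan for the INT-based SoftICE checks of
 * methods 01-07, using the 16-bit (DOS/V86) encodings of the instructions.
 * No includes are needed: the scan is plain byte comparison. */

typedef struct {
    unsigned method;                 /* method number in the text above */
    const char *desc;
    const unsigned char *pat;
    unsigned len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK'); 66h = 32-bit operand in 16-bit code */
static const unsigned char SIG_BCHK[]      = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h / mov di,4A4Dh (the back-door magic values) */
static const unsigned char SIG_MAGIC[]     = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (WINICE VxD ID) */
static const unsigned char SIG_2F_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04: same probe with the SIWVID VxD ID 7A5Fh */
static const unsigned char SIG_2F_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Methods 05/06: mov ax,4Fh / int 41h (debugger-installation check) */
static const unsigned char SIG_INT41[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h / int 68h */
static const unsigned char SIG_INT68[]     = { 0xB4, 0x43, 0xCD, 0x68 };

static const sig_t SIGS[] = {
    { 1, "BoundsChecker 'BCHK' signature in EBP", SIG_BCHK,      sizeof SIG_BCHK },
    { 2, "INT 3 back-door magic values in SI/DI",  SIG_MAGIC,     sizeof SIG_MAGIC },
    { 3, "INT 2Fh/1684h probe for VxD 0202h",      SIG_2F_SICE,   sizeof SIG_2F_SICE },
    { 4, "INT 2Fh/1684h probe for VxD 7A5Fh",      SIG_2F_SIWVID, sizeof SIG_2F_SIWVID },
    { 5, "INT 41h function 4Fh",                   SIG_INT41,     sizeof SIG_INT41 },
    { 7, "INT 68h function 43h",                   SIG_INT68,     sizeof SIG_INT68 },
};

static int bytes_equal(const unsigned char *a, const unsigned char *b, unsigned n)
{
    unsigned i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* The magic values only mean something next to an INT 3 (CCh): require one
 * within `window` bytes after the pair so that plain data does not match. */
static int int3_follows(const unsigned char *buf, unsigned n, unsigned at, unsigned window)
{
    unsigned i;
    for (i = at; i < n && i < at + window; i++)
        if (buf[i] == 0xCC)
            return 1;
    return 0;
}

/* Returns a bit mask: bit k set means method k was recognised in buf. */
unsigned scan_softice_tricks(const unsigned char *buf, unsigned n)
{
    unsigned found = 0, s, i;
    for (s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
        const sig_t *sig = &SIGS[s];
        for (i = 0; i + sig->len <= n; i++) {
            if (!bytes_equal(buf + i, sig->pat, sig->len))
                continue;
            if (sig->method == 2 && !int3_follows(buf, n, i + sig->len, 8))
                continue;
            found |= 1u << sig->method;
            break;                   /* one hit per method is enough */
        }
    }
    return found;
}

/* Human-readable name for a method bit reported by scan_softice_tricks(). */
const char *trick_name(unsigned method)
{
    unsigned s;
    for (s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++)
        if (SIGS[s].method == method)
            return SIGS[s].desc;
    return "unknown";
}

/* Constructed sample: the Haspinst loop body from method 02 re-encoded,
 * followed by the method 01 check and an INT 2Fh probe for WINICE. */
static const unsigned char SAMPLE[] = {
    0xB8, 0x11, 0x09,                   /* mov ax,0911h       */
    0x8B, 0x17,                         /* mov dx,[bx]        */
    0xBE, 0x47, 0x46,                   /* mov si,4647h       */
    0xBF, 0x4D, 0x4A,                   /* mov di,4A4Dh       */
    0xCC,                               /* int 3              */
    0x83, 0xC3, 0x02,                   /* add bx,2           */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh  */
    0xB8, 0x04, 0x00,                   /* mov ax,4           */
    0xCC,                               /* int 3              */
    0x3C, 0x04,                         /* cmp al,4           */
    0xB8, 0x84, 0x16,                   /* mov ax,1684h       */
    0xBB, 0x02, 0x02,                   /* mov bx,0202h       */
    0xCD, 0x2F,                         /* int 2Fh            */
};

unsigned scan_sample(void)
{
    return scan_softice_tricks(SAMPLE, sizeof SAMPLE);  /* 0x0E: methods 1, 2 and 3 */
}
```

The INT 3 proximity rule for method 02 is the important design point: the two magic words are only three bytes each and would otherwise match inside ordinary data, whereas the other patterns already end in the INT opcode they belong to.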

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting INT 01h and INT 03h and redirecting them to another
routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...). Function 25h
takes the vector number in AL and the handler address in DS:DX, so DS must
hold the routine's segment before the call.

        mov ah, 25h
        mov al, 01h                     ; or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (DR0 to DR3),
simply by reading their values (ring 0 only: MOV from a debug register
raises a general protection fault in ring 3). 0x400 is the idle value
because bit 10 of DR7 is reserved and always reads as 1; 0x700 has the
LE and GE (local/global exact breakpoint) bits set on top of it. Values
can be manipulated or changed as well (clearing BPMs, for instance).
__________________________________________________________________________
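
What a ring-0 routine using method 10 actually evaluates once it has the registers in hand, as an added example (not code from the original text): decoding DR7 into the four hardware breakpoint slots and giving the "has a debugger touched DR7" verdict. The MOV from DR0-DR7 that would feed this needs ring 0, so the register values below are constructed for the demonstration rather than read from the CPU; the bit layout is the Intel DR7 definition (L/G enable pairs in bits 0-7, LE/GE in bits 8-9, reserved bit 10, R/W and LEN fields four bits per slot from bit 16).

```c
/* Added example: decode the debug-register state inspected by method 10.
 * Values are constructed; reading DRx for real requires ring 0. */

#define DR7_IDLE   0x400UL   /* bit 10 reads as 1 even with nothing set   */
#define DR7_LE_GE  0x300UL   /* local/global exact breakpoint enable bits */

typedef struct {
    unsigned long dr0, dr1, dr2, dr3, dr7;
} dbgregs_t;

typedef struct {
    int enabled;             /* L or G bit set for this slot              */
    int global;              /* G bit: survives task switches             */
    unsigned rw;             /* 0 exec, 1 write, 2 I/O, 3 read/write      */
    unsigned len;            /* 1, 2, 4 (or 8 on 64-bit CPUs) bytes       */
    unsigned long addr;      /* linear address held in DRn                */
} hwbp_t;

static unsigned decode_len(unsigned field)
{
    switch (field) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;       /* 10b: undefined on 32-bit, 8 bytes on 64-bit */
    }
}

/* Decode hardware breakpoint slot n (0..3) from DR7 and DRn. */
hwbp_t decode_hwbp(const dbgregs_t *r, int n)
{
    hwbp_t b;
    unsigned long addrs[4];
    addrs[0] = r->dr0; addrs[1] = r->dr1; addrs[2] = r->dr2; addrs[3] = r->dr3;
    b.global  = (int)((r->dr7 >> (2 * n + 1)) & 1UL);
    b.enabled = (int)((r->dr7 >> (2 * n)) & 1UL) | b.global;
    b.rw      = (unsigned)((r->dr7 >> (16 + 4 * n)) & 3UL);
    b.len     = decode_len((unsigned)((r->dr7 >> (18 + 4 * n)) & 3UL));
    b.addr    = addrs[n];
    return b;
}

/* Number of slots with a live breakpoint (what the text calls BPMs). */
int count_active_hwbp(const dbgregs_t *r)
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        if (decode_hwbp(r, n).enabled)
            count++;
    return count;
}

/* The method-10 verdict: anything beyond the reserved bit means a debugger
 * has touched DR7. 0x400 is idle; the 0x700 reported for a program started
 * from the SoftICE loader is LE|GE on top of it. */
int debugger_touched_dr7(unsigned long dr7)
{
    return (dr7 & ~DR7_IDLE) != 0;
}

/* Constructed scenario: program started from the SoftICE loader (LE|GE set)
 * with one BPM on a 4-byte write at linear address 00401000h in slot 0. */
static const dbgregs_t SAMPLE_REGS = {
    0x00401000UL, 0, 0, 0,
    DR7_IDLE | DR7_LE_GE         /* 0x700                    */
    | 0x1UL                      /* L0: slot 0 locally enabled */
    | (0x1UL << 16)              /* R/W0 = 01b: break on write */
    | (0x3UL << 18)              /* LEN0 = 11b: 4 bytes        */
};

int    sample_is_debugged(void) { return debugger_touched_dr7(SAMPLE_REGS.dr7); }
int    sample_bpm_count(void)   { return count_active_hwbp(&SAMPLE_REGS); }
hwbp_t sample_bpm0(void)        { return decode_hwbp(&SAMPLE_REGS, 0); }
```

Note that a protector which only compares DR7 against 0x400 will flag any hardware breakpoint, not just SoftICE's, and that the same slot decoding is what you would run before clearing DR7 to remove the BPMs the text mentions.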

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; needs windows.h):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD;
       "\\.\SIWVID" (Win9x) and "\\.\NTICE" (WinNT) are checked the same way */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;               /* no such device */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger-installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word which service (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>