<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to: when
SoftICE is loaded, the int 3 below returns with AL changed, which the
cmp catches.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h             ; sub-function 4
        int 3                   ; intercepted by SoftICE if it is loaded...
        cmp al, 4               ; ...which then answers with AL != 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(the "Get VxD API entry point" function): if the VxD is loaded, ES:DI
comes back as a non-null entry point.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not loaded)
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks up the ID of
the SoftICE GFX VxD.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0:0 if the VxD is not loaded)
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh             ; int 41h/4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number answered by a system debugger
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0: the interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; saving the old vector in BX:DX
        mov ax, 4Fh
        int 41h                 ; a system debugger answers before our handler
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4Fh without a debugger
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0: the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer counter: an unpredictable value
        xor cx, cx
        int 41h                 ; without a debugger, our handler runs: CL = AL
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; a debugger handling int 41h itself never sets CL
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah, 43h             ; int 68h/43h: debugger installation check
        int 68h
        cmp ax, 0F386h          ; same magic number as int 41h/4Fh
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...).

        mov ah, 25h             ; int 21h/25h: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> the new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the SoftICE driver exposes a device named SICE: opening it only
       succeeds when the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091           ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
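As an added example (not part of the original text), here is a small Python static scanner for triage: it flags the byte sequences that the checks above leave in a DOS/Win9x-era binary. The x86 encodings and the sample blob are constructed here; a hit only means such a check is present, not that the program is hostile.

```python
from __future__ import annotations
import re

# the literal bytes \\.\ that prefix the driver names of Method 11
DEVICE_PREFIX = re.escape(b"\\\\.\\")

# Regexes over raw bytes; ".{0,16}?" tolerates a few instructions between
# the register setup and the interrupt, "(?:\x66)?" accepts 32-bit encodings.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') ... int 3
    "int3_bchk": rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)",
    # Method 02: mov si, 4647h ... mov di, 4A4Dh (back door magic values)
    "int3_backdoor": rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov bx, 0202h or 7A5Fh ... int 2Fh
    "int2f_vxd_id": rb"(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F",
    # Methods 05/06: mov ax, 4Fh ... int 41h
    "int41_4f": rb"(?:\x66)?\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah, 43h ... int 68h
    "int68_43": rb"\xB4\x43.{0,16}?\xCD\x68",
    # Methods 05/07/12: cmp ax, 0F386h (system debugger magic number)
    "cmp_f386": rb"(?:\x66)?\x3D\x86\xF3",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: driver names opened with CreateFileA or _lopen
    "driver_name": DEVICE_PREFIX + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: registry keys that reveal the SoftICE installation
    "registry_key": rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)",
}


def scan_for_softice_checks(data: bytes) -> dict[str, list[int]]:
    """Return {signature name: [file offsets]} for every pattern found."""
    hits: dict[str, list[int]] = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, data, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: Method 01, Method 12 and a driver name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh   (offset 4)
    + b"\x66\xB8\x04\x00"              # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 002A002Ah (offset 18)
    + b"\xFF\x15\x00\x00\x00\x00"      # call [VxDCall]
    + b"\x66\x3D\x86\xF3"              # cmp ax, 0F386h       (offset 31)
    + b"\\\\.\\SICE\x00"               # "\\.\SICE"           (offset 35)
)

if __name__ == "__main__":
    for name, offsets in scan_for_softice_checks(SAMPLE).items():
        print(f"{name:16s} at {[hex(o) for o in offsets]}")
```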
</PRE></TD></TR></TBODY></TABLE>