<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al is no longer 4 when SoftICE answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the Envelope utility of
the HASP dongle used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI is still 0:0 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h vector (es must be 0, the IVT)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read PIT counter 0: an unpredictable value in al
    xor cx,cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; ...unless a debugger's handler ran instead of it
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS set interrupt vector
    mov al, 01h             ; Int_Number (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

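A decoder for the DR7 value this method reads, as an added example that is not part of the original text: it uses the architectural x86 DR7 bit layout, treats the 0x700/0x400 observation above as a test of the LE and GE bits (my assumption), and the values it decodes are constructed.

```python
"""Decode a DR7 value as read by method 10 (added example, not from the
original text).  Field layout is the architectural x86 DR7 definition; the
0x700 / 0x400 reading from the text is treated here as a test of the LE and
GE bits (my assumption); the values decoded below are constructed."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE/GD flags and the enabled DR0-DR3 slots."""
    enabled = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1            # Ln: enabled for this task
        glob = (dr7 >> (2 * n + 1)) & 1         # Gn: enabled for all tasks
        if local or glob:
            enabled.append({
                "dr": n,
                "scope": "global" if glob else "local",
                "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],   # R/Wn field
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],  # LENn field
            })
    return {
        "LE": bool(dr7 & 0x100),    # bit 8, local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # bit 9, global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),   # bit 13, general detect (DRx access traps)
        "breakpoints": enabled,
    }


def softice_loader_signature(dr7: int) -> bool:
    """Method 10's observation: 0x700 (LE+GE on top of the always-set bit 10)
    when the program was started from the SoftICE loader, 0x400 otherwise.
    Only bits 8-9 are tested so that BPMs in the same value do not hide it."""
    return (dr7 & 0x300) == 0x300


def active_bpm_slots(dr7: int) -> list:
    """DR slot numbers that currently carry a memory breakpoint (BPM)."""
    return [bp["dr"] for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # Constructed: the two values from the text, then 0x700 plus a global
    # 4-byte read/write BPM in DR0 (G0=1, R/W0=3, LEN0=3 -> 0xF0702).
    for value in (0x400, 0x700, 0xF0702):
        print(hex(value), softice_loader_signature(value), decode_dr7(value))
```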
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE when the SoftICE Win9x driver answers a device open of \\.\SICE */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; _lopen returns -1 when the open failed
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

5 U) A& i2 i" @6 U; b4 C__________________________________________________________________________1 ~. J' u6 a) f

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

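To find these sequences in a sample without running it, here is a byte-pattern scanner covering methods 01-07 and 12, an added example that is not part of the original text: the signatures are my hand encodings of the instructions listed in those methods (16-bit for the DOS tricks, 32-bit for BCHK and VxDCall; an assembler may order or encode them differently), and the sample buffer is constructed.

```python
"""Scan raw code bytes for the SoftICE detection sequences of methods 01-07
and 12 (added example, not from the original text).  Signatures are hand
encodings of the instructions listed above; a compiler or assembler may
choose other encodings or orderings, so treat a miss as 'not matched', not
'not present'.  The sample buffer is constructed for this demonstration."""
import re

# name -> (instructions the bytes spell, regex over the raw code bytes)
SIGNATURES = {
    "M01 BCHK int3":      ("mov ebp,'BCHK' / mov ax,4 / int 3",
                           rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"),
    "M02 backdoor magic": ("mov si,4647h / mov di,4A4Dh / int 3",
                           rb"\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    "M03/04 int2F/1684h": ("mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh",
                           rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    "M05 int41/4Fh":      ("mov ax,4Fh / int 41h",
                           rb"\xB8\x4F\x00\xCD\x41"),
    "M07 int68/43h":      ("mov ah,43h / int 68h",
                           rb"\xB4\x43\xCD\x68"),
    "M12 VxDCall int41":  ("push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch)",
                           rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    "F386 magic compare": ("cmp ax,0F386h (system-debugger magic number)",
                           rb"\x3D\x86\xF3"),
}


def scan(code: bytes):
    """Return [(offset, signature_name), ...] sorted by offset."""
    hits = []
    for name, (_, pattern) in SIGNATURES.items():
        hits.extend((m.start(), name) for m in re.finditer(pattern, code))
    return sorted(hits)


# Constructed 16-bit stub: one method-02 backdoor call (as in the Haspinst.exe
# listing) followed by a method-05 int 41h/4Fh check.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09"           # mov ax,0911h
          + b"\x8B\x17"               # mov dx,[bx]
          + b"\xBE\x47\x46"           # mov si,4647h
          + b"\xBF\x4D\x4A"           # mov di,4A4Dh
          + b"\xCC"                   # int 3
          + b"\x90" * 2
          + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh / int 41h
          + b"\x3D\x86\xF3"           # cmp ax,0F386h
          + b"\x74\x00")              # jz $+2

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"0x{off:04X}  {name:20}  {SIGNATURES[name][0]}")
```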
___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>