<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h      ; VxD ID of winice
 int 2Fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh      ; VxD ID of SIWVID
 int 2fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number         ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                   ; OF_READ
 mov eax,[00656634]        ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589              ; detected
 push 00                   ; OF_READ
 mov eax,[00656638]        ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae               ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh            ; function 4fh
 push 002a002ah            ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001     ; VxdCall
 cmp ax, 0f386h            ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(.

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
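The breakpoint conditions quoted for methods 11 and 13 each compare four bytes at a
fixed offset inside the first string argument of the call. The script below, an added
example that is not part of the original text, replays exactly those comparisons over
an API-call trace so their behaviour can be seen on concrete input: it catches the
three device names and both registry keys the conditions were written for, and it
shows what they miss. The trace line format ("address API("string argument")") and
the sample trace are constructed for this example; naming the registry API RegOpenKeyA
/ RegOpenKeyExA rather than the SoftICE symbol _regopenkey, and applying the
CreateFileA test to _lopen as well (which the text says does the same job), are my
choices.

```python
import re

# Constructed trace format: <address> <api>("<first string argument>")
TRACE_LINE = re.compile(r'^(?P<addr>[0-9A-Fa-f]+)\s+(?P<api>\w+)\("(?P<arg>[^"]*)"')

# The dword at lpFileName+4, i.e. the four characters following "\\.\",
# as tested by: BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'
DEVICE_TAGS = ("SICE", "SIWV", "NTIC")
FILE_APIS = {"CreateFileA", "_lopen"}          # _lopen added: same job, same argument
REG_APIS = {"RegOpenKeyA", "RegOpenKeyExA"}    # assumed names for the _regopenkey BPX


def bpx_createfile_hit(path: str) -> bool:
    """Mirror *(esp->4+4)=='SICE' etc.: compare the 4 chars after the device prefix."""
    return path[4:8] in DEVICE_TAGS


def bpx_regopenkey_hit(subkey: str) -> bool:
    """Mirror *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'.

    0x13 is where 'tICE' of 'SoftICE' falls in Software\\NuMega\\SoftICE (key #2)
    and 0x37 where it falls in the Uninstall\\SoftICE key (key #1).
    """
    return subkey[0x13:0x17] == "tICE" or subkey[0x37:0x3B] == "tICE"


def scan_trace(lines):
    """Return (addr, api, arg) for each call one of the two breakpoints would stop on."""
    hits = []
    for line in lines:
        m = TRACE_LINE.match(line)
        if not m:
            continue
        addr, api, arg = m.group("addr", "api", "arg")
        if api in FILE_APIS and bpx_createfile_hit(arg):
            hits.append((addr, api, arg))
        elif api in REG_APIS and bpx_regopenkey_hit(arg):
            hits.append((addr, api, arg))
    return hits


# Constructed sample trace: MeltICE-style probes beside ordinary calls.
SAMPLE_TRACE = [
    r'00401067 CreateFileA("\\.\SICE")',
    r'0040108A CreateFileA("\\.\SIWVID")',
    r'004010AD CreateFileA("\\.\NTICE")',
    r'004010D0 CreateFileA("C:\Windows\win.ini")',
    r'0065057E _lopen("\\.\SICE")',
    r'00402210 RegOpenKeyA("Software\NuMega\SoftICE")',
    r'00402230 RegOpenKeyA("Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")',
    r'00402250 RegOpenKeyA("Software\Microsoft\Windows\CurrentVersion")',
]

if __name__ == "__main__":
    for addr, api, arg in scan_trace(SAMPLE_TRACE):
        print(f"{addr}  {api:<12} {arg}")
```

Running it flags the three CreateFileA device opens, the _lopen open and registry keys
#1 and #2 only: key #3 (App Paths\Loader32.Exe) contains no 'tICE' at either offset,
so the quoted _regopenkey breakpoint does not stop on it. Offset-based comparisons are
what the debugger can evaluate cheaply, but a trace-based detector is free to test the
whole string instead (for example a case-insensitive match on the device name or on
"SoftICE" anywhere in the subkey), which also catches a program that opens the key
through a different path.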

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>