<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with BP='BCHK' and
AX=4, SoftICE's int 3 handler answers by changing AL; without SoftICE,
AL still holds 4 after the interrupt.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command, the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an exception handler (the program's own
  int 3 hook) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back as 0:0 when no VxD with that
ID is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is swapped
with a do-nothing handler before the call, so any int 41h hook sitting in the
IVT is bypassed: if AX still comes back as 0F386h, the interrupt was answered
below the IVT, i.e. by SoftICE's protected-mode hook.

    xor ax, ax
    mov es, ax              ; ES = 0, the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
program installs its own int 41h handler, which copies AL into CL, and calls
int 41h with AL holding a byte read from the timer port (40h). If the
interrupt reaches the handler, CL equals AL afterwards; if SoftICE swallows
int 41h instead of chaining to the IVT handler, CL stays 0 and the debugger
is detected:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0, the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; an unpredictable byte from the PIT
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function 43h is the
debugger installation check; the same 0F386h magic number comes back in AX
when a system debugger is present.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
    BPX Exec_Int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, 01h                     ; or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise: bit 10 of DR7 is reserved and always
reads as 1, and 0x700 adds the LE and GE bits) or whether some memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).
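What the ring-0 check actually sees once it has DR7 in a register, as an added
example that is not part of the original document: a decoder for the DR7 bit
layout (L0..L3/G0..G3 enables in bits 0..7, LE/GE in bits 8/9, the reserved
bit 10, GD in bit 13, and the R/Wn and LENn fields from bit 16), the
"clear BPMs" manipulation mentioned above, and the verdict such a check would
draw. The two values quoted above and the armed-DR1 value are constructed
inputs; nothing here reads the real registers.

```c
/* Added example, not from the original document: decode a DR7 value the way
 * a ring-0 anti-debug check (method 10) would after reading the register.
 * Layout is the IA-32 architectural one: L0..L3/G0..G3 enable bits at 0..7,
 * LE/GE at bits 8/9, bit 10 reserved and always read as 1 (hence the 0x400
 * baseline), GD at bit 13, and R/Wn (2 bits) + LENn (2 bits) for each DRn
 * starting at bit 16 + 4n. All inputs below are constructed. */
#include <stdio.h>
#include <stdint.h>

enum dr7_hint { DR7_CLEAN, DR7_LE_GE, DR7_BPM_ARMED };

struct dr7_view {
    uint32_t raw;
    unsigned local, global;   /* 4-bit masks: DRn enabled locally / globally */
    int le, ge, gd;           /* local/global exact, general detect */
    unsigned rw[4], len[4];   /* R/W: 0=exec 1=write 2=I/O 3=read/write ; LEN: 0=1 1=2 2=8 3=4 bytes */
};

struct dr7_view decode_dr7(uint32_t dr7)
{
    struct dr7_view v = { dr7, 0, 0, 0, 0, 0, {0}, {0} };
    for (unsigned n = 0; n < 4; n++) {
        v.local  |= ((dr7 >> (2 * n))     & 1u) << n;
        v.global |= ((dr7 >> (2 * n + 1)) & 1u) << n;
        v.rw[n]   = (dr7 >> (16 + 4 * n)) & 3u;
        v.len[n]  = (dr7 >> (18 + 4 * n)) & 3u;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* Verdict of the method 10 check: a hardware breakpoint (BPM) is armed, only
 * LE/GE are set (the 0x700 SoftICE-loader signature), or nothing at all. */
enum dr7_hint dr7_hint(uint32_t dr7)
{
    struct dr7_view v = decode_dr7(dr7);
    if (v.local | v.global) return DR7_BPM_ARMED;
    if (v.le && v.ge)       return DR7_LE_GE;
    return DR7_CLEAN;
}

/* The "clearing BPMs" manipulation: drop every L/G enable bit, leave the
 * R/W and LEN fields and the reserved bit untouched. */
uint32_t dr7_disarm(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

static const char *rw_name[]     = { "exec", "write", "io", "rw" };
static const unsigned len_bytes[] = { 1, 2, 8, 4 };

void dr7_print(uint32_t dr7)
{
    struct dr7_view v = decode_dr7(dr7);
    printf("DR7=%08X LE=%d GE=%d GD=%d\n", v.raw, v.le, v.ge, v.gd);
    for (unsigned n = 0; n < 4; n++)
        if ((v.local | v.global) >> n & 1u)
            printf("  DR%u enabled (%s) %s, %u byte(s)\n", n,
                   (v.global >> n) & 1u ? "global" : "local",
                   rw_name[v.rw[n]], len_bytes[v.len[n]]);
}

int main(void)
{
    /* constructed inputs: the two values from the text, plus a 4-byte
       read/write BPM on DR1 enabled globally (G1, R/W1=11b, LEN1=11b) */
    uint32_t samples[] = { 0x400u, 0x700u, 0x400u | (1u << 3) | (3u << 20) | (3u << 22) };
    for (size_t i = 0; i < 3; i++) {
        dr7_print(samples[i]);
        printf("  -> hint %d, disarmed %08X\n", dr7_hint(samples[i]), dr7_disarm(samples[i]));
    }
    return 0;
}
```

The disarm step is the dangerous half of this method: a protected program that
writes DR7 back with the enable bits cleared silently kills every BPM you set,
which is why the warning above tells you to clear breakpoints first.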

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD; the open only
       succeeds if the driver is loaded and answers the DIOC_OPEN */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word: which VxD (VWIN32)
                            ; low word: which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
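The breakpoints above catch these tricks at run time; the other way to find
them is to look for their byte patterns in the file before running it, which
is what a packer-analysis tool or a YARA rule does. As an added example (not
code from the original document or from any of the programs it mentions),
here is a small scanner for the idioms of methods 01, 02, 03/04, 05, 07, 11
and 12. The opcode bytes are the 16-bit encodings of the listings above
(mov ax,imm16 = B8, mov bx,imm16 = BB, int n = CD n, push imm8 = 6A, push
imm32 = 68); the 'mov ebp' and 'mov si/di' patterns also match 32-bit code,
since only the 66h operand-size prefix differs. The sample buffer and the
signature names are constructed for the demo.

```c
/* Added example, not from the original document: a signature scanner that
 * flags the anti-SoftICE idioms of methods 01, 02, 03/04, 05, 07, 11 and 12
 * in a raw code or data buffer. Opcode bytes are the 16-bit encodings of the
 * listings in the text; the sample buffer at the bottom is constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WILD 0x100   /* matches any byte: the VxD ID in the int 2Fh call */

struct sig { const char *name; const int *pat; size_t len; int id_off; };
struct hit { const char *name; size_t off; unsigned id; };
#define SIG(name, arr, idoff) { name, arr, sizeof arr / sizeof *arr, idoff }

static const int p01[]  = {0xBD,0x4B,0x48,0x43,0x42};                 /* mov ebp,'BCHK'                     */
static const int p02[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};            /* mov si,4647h ; mov di,4A4Dh        */
static const int p03[]  = {0xB8,0x84,0x16,0xBB,WILD,WILD,0xCD,0x2F};  /* mov ax,1684h ; mov bx,ID ; int 2Fh */
static const int p05[]  = {0xB8,0x4F,0x00,0xCD,0x41};                 /* mov ax,4Fh ; int 41h               */
static const int p07[]  = {0xB4,0x43,0xCD,0x68};                      /* mov ah,43h ; int 68h               */
static const int p12[]  = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};       /* push 4Fh ; push 002A002Ah          */
static const int p11a[] = {'\\','\\','.','\\','S','I','C','E'};
static const int p11b[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const int p11c[] = {'\\','\\','.','\\','N','T','I','C','E'};

static const struct sig sigs[] = {
    SIG("01 BCHK / int 3",                 p01, -1),
    SIG("02 backdoor magic SI/DI",         p02, -1),
    SIG("03/04 int 2Fh/1684h VxD lookup",  p03,  4),   /* VxD ID sits at pattern offset 4 */
    SIG("05 int 41h / 4Fh",                p05, -1),
    SIG("07 int 68h / 43h",                p07, -1),
    SIG("11 MeltICE \\\\.\\SICE",          p11a, -1),
    SIG("11 MeltICE \\\\.\\SIWVID",        p11b, -1),
    SIG("11 MeltICE \\\\.\\NTICE",         p11c, -1),
    SIG("12 VxDCall VWIN32_Int41Dispatch", p12, -1),
};

static int match_at(const unsigned char *buf, size_t n, size_t off, const struct sig *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != (unsigned char)s->pat[i]) return 0;
    return 1;
}

/* Scan buf for every signature. Records up to max hits (name, offset and,
 * for the int 2Fh idiom, the 16-bit VxD ID) and returns the total found. */
size_t scan_anti_sice(const unsigned char *buf, size_t n, struct hit *hits, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < sizeof sigs / sizeof *sigs; k++) {
            if (!match_at(buf, n, off, &sigs[k])) continue;
            if (count < max) {
                size_t at = off + (sigs[k].id_off < 0 ? 0 : (size_t)sigs[k].id_off);
                hits[count].name = sigs[k].name;
                hits[count].off  = off;
                hits[count].id   = sigs[k].id_off < 0 ? 0 : buf[at] | (unsigned)buf[at + 1] << 8;
            }
            count++;
        }
    return count;
}

/* Constructed sample: a DOS stub using methods 04 and 05, then a Win32
 * fragment using the VxDCall backdoor and two MeltICE device names. */
static const unsigned char sample[] = {
    0x90, 0x90,
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,          /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,          /* mov ax,4Fh ; int 41h ; cmp ax,0F386h  */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,                /* push 4Fh ; push 002A002Ah             */
    '\\','\\','.','\\','S','I','C','E',0,
    '\\','\\','.','\\','N','T','I','C','E',0,
};

size_t demo(void)
{
    struct hit hits[16];
    size_t n = scan_anti_sice(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n; i++) {
        printf("%-36s at +%02zu", hits[i].name, hits[i].off);
        if (hits[i].id) printf("  (VxD ID %04Xh)", hits[i].id);
        putchar('\n');
    }
    return n;
}

int main(void) { return demo() == 5 ? 0 : 1; }
```

The wildcard in the int 2Fh pattern is what lets one rule cover both methods
03 and 04 and still tell you which driver was being looked for; a rule that
hard-codes 0202h would miss the SIWVID variant. Packers that build these
immediates at run time (or split the magic values across instructions) will
of course not match, which is why the BPX approach above stays necessary.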

___________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only). The service returns with ZF set when no debugger is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>