<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE answers to
on int 3: if SoftICE is loaded it modifies AL, otherwise AL keeps its value.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is left at 0000:0000 when no VxD with
that ID is loaded, so the sum ES+DI is a cheap non-zero test.


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method checking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A private int 41h handler is swapped in
around the call so that, without a debugger, the call returns harmlessly:

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but harder to detect. The private
handler copies AL into CL; if SoftICE has taken over int 41h, that copy
never happens and CL no longer matches AL:


int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read an arbitrary value from the PIT (port 40h)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3) simply by reading their
value (ring 0 only: reading DRx from ring 3 raises a fault). Values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'
(esp->4 is lpFileName; the +4 skips the leading "\\.\")

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(


-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the subkey string; 0x13 and 0x37 are the offsets of 'tICE' in the
subkeys of #2 and #1 respectively)

__________________________________________________________________________
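Most of the checks above leave a recognisable byte pattern in the protected file: the immediate values of methods 01 to 07 and 12 (the 'BCHK' constant, the 4647h/4A4Dh magic values, the VxD IDs, function 4Fh) followed within a few bytes by the INT that fires them, and the device and registry names of methods 11 and 13 as plain strings. The following scanner is an added example, not code from the original text or from any of the programs it names: it matches the x86 encodings of the sequences quoted on this page against a raw image and only reports an instruction pattern when the matching INT follows it, so that an immediate that merely occurs in data is not flagged. The sample buffers are assembled by hand for the demonstration (the call target in the Bleem sample is made up).

```c
/*
 * Static scanner for the SoftICE checks quoted on this page. Added example,
 * not code from the original text. Instruction signatures are the x86
 * encodings of methods 01-07 and 12; string signatures are the names used
 * by methods 11 and 13. All sample buffers are constructed by hand.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;        /* method number and what the sequence does     */
    const uint8_t *setup;       /* register/stack setup preceding the call      */
    size_t         setup_len;
    const uint8_t *trigger;     /* the INT that fires it; NULL = setup suffices */
    size_t         trigger_len;
    size_t         window;      /* bytes after the setup in which the INT may occur */
} softice_sig;

/* Encodings: B8+r iw = mov r16,imm16 (BD id for ebp), B4 ib = mov ah,imm8,
 * CC = int 3, CD ib = int imm8, 6A ib = push imm8, 68 id = push imm32.
 * A 66h prefix in 32-bit code does not break the match: patterns start at the opcode. */
static const uint8_t m01[]   = {0xBD,0x4B,0x48,0x43,0x42};           /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t m02si[] = {0xBE,0x47,0x46};                     /* mov si,4647h             */
static const uint8_t m02di[] = {0xBF,0x4D,0x4A};                     /* mov di,4A4Dh             */
static const uint8_t m03[]   = {0xBB,0x02,0x02};                     /* mov bx,0202h (SICE)      */
static const uint8_t m04[]   = {0xBB,0x5F,0x7A};                     /* mov bx,7A5Fh (SIWVID)    */
static const uint8_t m05[]   = {0xB8,0x4F,0x00};                     /* mov ax,4Fh               */
static const uint8_t m07[]   = {0xB4,0x43};                          /* mov ah,43h               */
static const uint8_t m12[]   = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh; push 2A002Ah   */
static const uint8_t int3[] = {0xCC}, int2f[] = {0xCD,0x2F}, int41[] = {0xCD,0x41}, int68[] = {0xCD,0x68};

static const softice_sig code_sigs[] = {
    {"01: int 3, EBP='BCHK'",                m01,   sizeof m01,   int3,  1, 16},
    {"02: int 3 backdoor, SI=4647h",         m02si, sizeof m02si, int3,  1, 16},
    {"02: int 3 backdoor, DI=4A4Dh",         m02di, sizeof m02di, int3,  1, 16},
    {"03: int 2Fh/1684h, VxD ID 0202h",      m03,   sizeof m03,   int2f, 2,  8},
    {"04: int 2Fh/1684h, VxD ID 7A5Fh",      m04,   sizeof m04,   int2f, 2,  8},
    {"05/06: int 41h function 4Fh",          m05,   sizeof m05,   int41, 2,  8},
    {"07: int 68h function 43h",             m07,   sizeof m07,   int68, 2,  8},
    {"12: VxDCall VWIN32_Int41Dispatch 4Fh", m12,   sizeof m12,   NULL,  0,  0},
};

/* Plain strings that methods 11 and 13 must carry somewhere in the image. */
static const char *const string_sigs[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
    "Software\\NuMega\\SoftICE", "Uninstall\\SoftICE", "App Paths\\Loader32.Exe",
};

typedef struct { size_t offset; const char *name; } softice_hit;

static int bytes_at(const uint8_t *buf, size_t n, size_t at, const void *pat, size_t len)
{
    return at + len <= n && memcmp(buf + at, pat, len) == 0;
}

static int trigger_follows(const uint8_t *buf, size_t n, size_t from, const softice_sig *s)
{
    if (s->trigger_len == 0) return 1;
    for (size_t j = from; j < from + s->window; j++)
        if (bytes_at(buf, n, j, s->trigger, s->trigger_len)) return 1;
    return 0;   /* setup bytes without the INT: probably data, not the trick */
}

/* Returns the total number of hits; at most max_hits of them are written to hits[]. */
size_t scan_for_softice_checks(const uint8_t *buf, size_t n, softice_hit *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t k = 0; k < sizeof code_sigs / sizeof code_sigs[0]; k++) {
            const softice_sig *s = &code_sigs[k];
            if (!bytes_at(buf, n, i, s->setup, s->setup_len)) continue;
            if (!trigger_follows(buf, n, i + s->setup_len, s)) continue;
            if (found < max_hits) hits[found] = (softice_hit){ i, s->name };
            found++;
        }
        for (size_t k = 0; k < sizeof string_sigs / sizeof string_sigs[0]; k++) {
            if (!bytes_at(buf, n, i, string_sigs[k], strlen(string_sigs[k]))) continue;
            if (found < max_hits) hits[found] = (softice_hit){ i, string_sigs[k] };
            found++;
        }
    }
    return found;
}

size_t count_softice_checks(const uint8_t *buf, size_t n) { return scan_for_softice_checks(buf, n, NULL, 0); }

const char *first_softice_check(const uint8_t *buf, size_t n)
{
    softice_hit h;
    return scan_for_softice_checks(buf, n, &h, 1) ? h.name : "";
}

/* Constructed sample: the Haspinst.exe loop of method 02, assembled by hand. */
static const uint8_t sample_hasp[] = {
    0xB8,0x11,0x09, 0x8B,0x17,            /* mov ax,0911h ; mov dx,[bx]   */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A,       /* mov si,4647h ; mov di,4A4Dh  */
    0xCC, 0x83,0xC3,0x02,                 /* int 3 ; add bx,2             */
};
/* Constructed sample: method 12 as 32-bit code (call target is made up). */
static const uint8_t sample_bleem[] = {
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00,  /* push 4Fh ; push 002A002Ah    */
    0xFF,0x15,0x00,0x20,0x40,0x00,        /* call [00402000h]  (VxDCall)  */
    0x66,0x3D,0x86,0xF3, 0x74,0x10,       /* cmp ax,0F386h ; jz detected  */
};
/* Constructed sample: same immediate as method 02 but no int 3 in range -> no hit. */
static const uint8_t sample_benign[] = { 0xBE,0x47,0x46, 0x90,0x90,0x90, 0xC3 };
/* Constructed sample: the two Win9x device names of method 11, NUL separated. */
static const uint8_t sample_meltice[] = "\\\\.\\SICE\0\\\\.\\SIWVID";

int main(void)
{
    const struct { const char *label; const uint8_t *buf; size_t n; } samples[] = {
        {"haspinst", sample_hasp, sizeof sample_hasp}, {"bleem", sample_bleem, sizeof sample_bleem},
        {"benign", sample_benign, sizeof sample_benign}, {"meltice", sample_meltice, sizeof sample_meltice},
    };
    softice_hit hits[16];
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        size_t n = scan_for_softice_checks(samples[s].buf, samples[s].n, hits, 16);
        printf("%s: %zu hit(s)\n", samples[s].label, n);
        for (size_t i = 0; i < n && i < 16; i++) printf("  +%04zx  %s\n", hits[i].offset, hits[i].name);
    }
    return 0;
}
```

Run it on an unpacked image (or a memory dump taken after the packer's decryption stub has run, since packers encrypt exactly these stubs); the benign sample shows why the trigger window matters, and the window sizes are a judgement call that a reordered or padded stub can defeat.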

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>