<TABLE width=500>+ C3 L* b% H& {2 Q* O9 O
<TBODY>
2 r% t, V( O- q! g* G<TR>
; c% V! f8 t6 n2 ^, t+ H) p<TD><PRE>Method 01 : e# u7 Z1 B; d7 M* o3 u
=========
q4 X9 @7 H$ ]$ w/ g1 C- t
; b: @( S1 O# NThis method of detection of SoftICE (as well as the following one) is
: h. Y) u' Z" \1 O$ bused by the majority of packers/encryptors found on Internet.
! d% }5 Y4 F$ K UIt seeks the signature of BoundsChecker in SoftICE- `4 V( g& F) B; l
- ^7 t/ o6 B( [) n7 u& Q4 Y mov ebp, 04243484Bh ; 'BCHK'! G# U, ?! R" g# V8 i$ @3 P
mov ax, 04h
' [# W% s) H( N `5 j' X7 d' k3 A int 3 : e9 p# L9 P& `. h) Y
cmp al,40 b8 B! b$ o% y% |5 P' |
jnz SoftICE_Detected
) e9 l) \3 W2 p
8 p5 m. ]" z, h9 L! m1 B___________________________________________________________________________
; F. b2 S/ L6 }7 I/ H& | C
) W- k @0 l0 w bMethod 02
, T" J& k4 M3 p8 `* @/ k3 c=========( w9 e( ^3 k+ t6 m: y5 x: x) ~, s
( S9 A" t; O1 b* i0 B' @Still a method very much used (perhaps the most frequent one). It is used
; |: W. {: Z$ y3 V1 A. x$ Dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- x! ?4 E j2 [/ mor execute SoftICE commands...* E4 \6 U1 h# h: k6 o
It is also used to crash SoftICE and to force it to execute any commands
1 I/ ?7 {6 P/ s/ u(HBOOT...) :-((
' \) k7 {2 j% {* y+ v! U1 a9 n1 D6 j' H3 F t
Here is a quick description:2 Q: F- o8 X. S6 i }, [
-AX = 0910h (Display string in SIce windows): i6 k/ @, j1 w
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
; h$ l/ [5 Z" W! N, ^9 |% q J! L7 }-AX = 0912h (Get breakpoint infos)
) w$ i2 @" t/ G, Q3 ^# N* S3 k-AX = 0913h (Set Sice breakpoints)- J9 f, F/ w1 \$ b
-AX = 0914h (Remove SIce breakoints)
; v/ H' T$ G* p8 L. s
" j8 l* v- {1 ~8 Z, N! k) W" MEach time you'll meet this trick, you'll see:; u- z. M+ u, y, A( S! D
-SI = 4647h
7 V$ C; g4 W S. I0 ^1 M1 m-DI = 4A4Dh
6 [" o ^8 x1 \, m( m+ ?Which are the 'magic values' used by SoftIce.' o; d" K, ^$ Y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' [! }& B# W y8 @) @) W: f0 |1 K3 ?: j
Here is one example from the file "Haspinst.exe" which is the dongle HASP$ h, ^& h' p$ H3 ~; U
Envelope utility use to protect DOS applications:% C- [' s; T, P
* J( a, J& [# u f# G q/ l
4 ^' D1 F# [" { y5 b- B% i
4C19:0095 MOV AX,0911 ; execute command.% A$ ~( x) l7 K* [% h) `6 s
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
0 }; Y: Z* S; M0 m _: n" X4C19:009A MOV SI,4647 ; 1st magic value.
; [7 P! y5 P' z S" j0 F4C19:009D MOV DI,4A4D ; 2nd magic value.# i* f; ~+ ^$ n3 a& A
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
7 y9 I" w/ S9 h4 R2 P4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
0 s9 m/ Y' `3 u& R4C19:00A4 INC CX
* ]* Y9 w% C' c- m9 h, A: \6 I4C19:00A5 CMP CX,06 ; Repeat 6 times to execute) _' i) b8 V/ k) ^8 Q6 |
4C19:00A8 JB 0095 ; 6 different commands.
8 W( K: e# j' J. ~6 i4C19:00AA JMP 0002 ; Bad_Guy jmp back.
' g6 O2 D6 S4 d+ W6 a4C19:00AD MOV BX,SP ; Good_Guy go ahead :), i; r1 J0 g' Q1 t6 d9 |% q, `
& ~2 I3 Z9 i4 Q. k, A' F
The program will execute 6 different SIce commands located at ds:dx, which' e0 e) V2 u9 e9 X/ _$ m; C p9 ^& c
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.: }7 P$ M F g7 _; Y* A
8 k7 @: P a$ Q! U$ l6 w* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
+ }( A; ?5 ~3 x7 G$ m___________________________________________________________________________, i- y- c# J: p
$ |# _% b" _1 v0 X7 O' |
( \5 f$ v, U8 J4 O' lMethod 035 p* @& x7 U$ y% Q3 C1 r
=========: ^; y( b+ f' s. q2 Z
8 d- l6 }9 j @# W+ q7 C. o2 p% A1 w, N
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 [$ E# s' {3 Z8 [(API Get entry point)
' `4 t$ R' p3 G9 S
8 I% V" u$ @( Z# U' V0 |
7 i3 o, v3 P$ g" o1 I$ f: W' y xor di,di
$ O. L$ h( i% F ` mov es,di5 J& V% P& J7 s" t' M
mov ax, 1684h
# n8 d4 _, `$ A! u2 g7 m1 p mov bx, 0202h ; VxD ID of winice
# o/ \1 N5 {/ e int 2Fh; {2 b8 b. D) \+ T7 x# A& R
mov ax, es ; ES:DI -> VxD API entry point; d4 U3 N u* D( h5 k* B! a
add ax, di
* H! s& @1 u# y0 Z, ^! y: q5 V6 c test ax,ax1 K* g0 @3 L$ A/ m! b/ j3 f
jnz SoftICE_Detected+ V6 R+ h% T# |% R
) m/ G4 ^2 H' r___________________________________________________________________________
+ y2 E/ G* i% x# k9 u% V5 U6 L
; W% D2 Q9 P' V" oMethod 04
3 r# S' G B9 X0 T% i. d5 D=========& W5 H3 }9 \6 `3 K) d" N; {
8 ~. C U- F' s7 j: v$ aMethod identical to the preceding one except that it seeks the ID of SoftICE
# Z3 B& ^) }3 gGFX VxD.
2 v! `& L: x1 _: w9 r9 k% j9 m0 r l1 C6 G
xor di,di' t) Y3 Z. L. ]! D5 s; M
mov es,di+ ]3 }1 F4 C% I, o/ i) i
mov ax, 1684h 6 x, i- m* a* J: i3 {6 P5 f1 m
mov bx, 7a5Fh ; VxD ID of SIWVID
$ d, J- [: U! M8 _% x2 ` int 2fh
2 f7 }; r9 i* I& E* O2 G& F9 o mov ax, es ; ES:DI -> VxD API entry point$ |! n$ ?7 R \) T, e: R
add ax, di4 @# w2 l3 }; i( K
test ax,ax# n) N) l8 d+ K; N
jnz SoftICE_Detected
. ?; l; o, T% ?7 ~ }; w$ H8 ~" Y" y: Q% M6 y
__________________________________________________________________________2 Y7 p: T! c4 s! \4 t" q
! F4 ?" ^9 w6 H! E+ U! l @1 U' \/ n* w
Method 05; P7 T" O4 S, V; Z+ l( Q, ]
=========
, J1 p. V9 O. t# o {. P/ r( K2 B$ Z+ q6 m
Method seeking the 'magic number' 0F386h returned (in ax) by all system+ R A5 v% A% a$ o
debugger. It calls the int 41h, function 4Fh.6 E( H _2 e) P
There are several alternatives. ; ?" L- [! B1 Q# G0 a8 i ]' [
4 |9 H' T& x: i! A3 U1 O' S. g- s
The following one is the simplest:
% o" f; G4 M+ J5 d! M/ k
2 D: Y$ q/ _6 u, I* o mov ax,4fh; z j% H0 D; [- y$ z* m7 V3 ?9 B# |
int 41h& W) d$ O: ^9 ?4 }& J$ n
cmp ax, 0F386
2 `3 Z- {2 G) U jz SoftICE_detected9 a. }& j" ]/ F/ `. d0 J" m
% M: W8 `" _' I
; U' k' L$ C2 hNext method as well as the following one are 2 examples from Stone's 1 W8 H# u+ Y E) C
"stn-wid.zip" (www.cracking.net):
0 U7 p6 e1 j* s% L( V# Z0 t3 o# c6 Y, Z1 [# d7 H4 F
mov bx, cs v5 ^! Z5 c: J4 c! d
lea dx, int41handler25 h- I7 P/ I7 H3 Q4 d# {. |% [& _# V$ s
xchg dx, es:[41h*4]
6 m3 X1 F* H0 ?4 d xchg bx, es:[41h*4+2]
@( N& I) t; R5 K+ k; ^0 i mov ax,4fh5 G+ o- W. j. \+ f" X7 X
int 41h r$ F5 m( q/ ^5 ?- a- h% @
xchg dx, es:[41h*4]7 t+ a S; C! Q% { f
xchg bx, es:[41h*4+2]! ?# K9 ] q0 w: g+ a6 L
cmp ax, 0f386h
7 Q+ X& z w# T9 X5 j jz SoftICE_detected6 @# D5 k3 I# a: i% A" T
+ @/ G0 F- i: z; ~0 L! H# [
int41handler2 PROC7 w( F* J& Y8 j$ ?* F; j0 p
iret
1 B. x# g2 n k# Y! @! b0 K' x. oint41handler2 ENDP5 Q* B3 z2 E; w' ?# i
5 l0 C1 C( y3 V6 l5 G
- b/ w/ G1 c, \) m7 |. ]_________________________________________________________________________
! E) z) j1 D% I# ~! [( v% s( `6 q, G3 h% i' W
" X( ^1 {4 c: } k- U
Method 06) A- O- h# e9 |2 \
=========
0 o, U+ D, s) U& j4 o! _' I- A" Y8 q) m8 s- M
6 P0 |6 G0 Y, ~! ~( r2nd method similar to the preceding one but more difficult to detect:
8 ^9 k9 Q. v* X3 u' e% `: O, o9 d" g4 l/ `2 J; |2 p
/ i% I y' Y# j5 M1 O
int41handler PROC' D B; x- n" q Y
mov cl,al: E) \4 g R# r5 b f6 p+ k4 u
iret
: g9 A, Z4 Y" R: J2 N0 c' B0 ^' W, `int41handler ENDP2 i$ u3 W# a% N, |3 R' V
- T; r" [$ s+ o. M U+ k- I6 Y8 n: G. o) A
xor ax,ax' C1 g9 n4 U: M; o) H
mov es,ax- ~* s/ \6 S" D4 M
mov bx, cs7 N' a1 ]6 r' n& Q4 Y
lea dx, int41handler
/ n' `5 N5 d& ^6 q xchg dx, es:[41h*4]
7 x" U; H' s' ]! u' X xchg bx, es:[41h*4+2]
) Q( ]) ^1 P0 O. k+ `7 } in al, 40h; F8 t+ M; q5 T" Q
xor cx,cx
! A0 N Z- }7 Y9 k+ f2 j int 41h. B2 @+ n) Q. c8 X- V7 O. O
xchg dx, es:[41h*4]8 ^$ I) g! M7 Q0 I
xchg bx, es:[41h*4+2]
3 e; t+ _8 l% F& v0 y cmp cl,al
0 W! ?0 Z; \6 M) [ jnz SoftICE_detected# y5 E# h) ?- \# x& y6 ?1 T( I2 I) C
8 W( R* ~; L: G
_________________________________________________________________________
- K, ^2 m& C, A/ T4 V, C1 r, m- o8 W# Y
Method 07# u( E9 S5 M) \3 g, `
=========
$ }+ ?5 c. B5 k$ W
% b2 A$ j1 p" S* o YMethod of detection of the WinICE handler in the int68h (V86)
9 b9 w; I4 Q) X3 t; i8 [
6 D& ?7 Z$ b/ O" U1 z mov ah,43h" S' w0 C+ z2 k$ Y+ k
int 68h
) C( b% V6 f" |1 X cmp ax,0F386h
7 O; r+ o Z. @. v0 D jz SoftICE_Detected
# o1 R3 h2 g7 z
O# X: h; k' w! i: {$ b' A/ r; r& T: h7 u- ?5 M; y- ~
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: h) I+ f- p/ A/ p1 L0 X6 f8 O( `% K
app like this:
8 T/ ]6 B% H/ b/ ]8 X+ z+ R
( z, m6 O* A- p2 i2 t2 |, d9 l h! L BPX exec_int if ax==684 I1 g9 M* M+ {8 ~( S7 M+ w
(function called is located at byte ptr [ebp+1Dh] and client eip is% G4 l" L! k1 S' T& b5 V% r
located at [ebp+48h] for 32Bit apps)- D7 Z3 }2 H" e9 V3 J' I4 u
__________________________________________________________________________
, }* t- O7 n* u; s" V- k" S* h8 C5 b# b, @! c% i5 z+ Y5 ^: X( R
- M; w3 c, E8 z$ O: m# l/ B8 C/ W4 {- |
Method 08 @2 n) o( r4 y. C7 O2 `
=========
7 Z' B# Q) B# [/ V' g( b& ~3 @
& w) ]# O9 E G) i/ m! S0 [; g" `It is not a method of detection of SoftICE but a possibility to crash the; W5 F4 {. ~% ~" L' u3 m
system by intercepting int 01h and int 03h and redirecting them to another9 A6 j8 N% H' {, b
routine.9 F2 Q* l7 r" z9 s+ b
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points! a( v# h3 [! q8 L. T0 T3 W
to the new routine to execute (hangs computer...)
. P# J8 O3 Z7 Y- j4 r" C+ i# n* ?( P- Y9 N6 Z3 [# [# {' P. m
mov ah, 25h E; d0 q- a) U' n7 h
mov al, Int_Number (01h or 03h)
1 F6 V0 }. ~$ S$ @: u6 E! f1 K mov dx, offset New_Int_Routine; E1 {- _8 M3 ^' v4 A4 q
int 21h$ o Q# I' V& V% j) r [: D
' g m8 H5 T* C$ p6 l3 y! h9 a
__________________________________________________________________________
1 U }: k4 n; k! |
& N& m8 v {5 Y. @- x) JMethod 09: I. P h2 ?6 S7 W! M
=========( T' y( m6 D+ b
3 O) A# m& ~0 j, lThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* `0 U( _+ W/ c5 L6 G4 ?
performed in ring0 (VxD or a ring3 app using the VxdCall).0 W7 R: f. D2 P
The Get_DDB service is used to determine whether or not a VxD is installed& i) @% E0 b; c5 i8 j
for the specified device and returns a Device Description Block (in ecx) for; r4 Z& _, d2 y$ x1 {1 o
that device if it is installed.1 `8 d) E# a( U$ j9 ?# q( Q
8 Z7 S" [% U- \) d( { mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
. l7 l- ]' q( z+ w3 n2 L mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
1 n) n5 @" k4 a! X( S1 I9 m# y VMMCall Get_DDB: V5 [' v, M q& X* l
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ z+ O3 p' [- ?7 e/ T. j: C' P" W
* z; v: l, `- ]) @* YNote as well that you can easily detect this method with SoftICE:
# Z3 _* f% B3 E bpx Get_DDB if ax==0202 || ax==7a5fh
. D! { b* w P. t* V9 b7 X% T
6 v; Y6 c% ]. o4 e' |2 F: ]__________________________________________________________________________
* O- A6 n% U6 b; k3 E: T6 d/ z5 o% H0 w! ^; Y
Method 10- T$ ^' W3 x8 S$ S$ F5 m- |
=========$ O! B' n7 m" X; E! d
* m2 L( ?, m% e ?6 F; _- i=>Disable or clear breakpoints before using this feature. DO NOT trace with7 ~( i& s) y9 o4 s
SoftICE while the option is enable!!
5 a% ^, \6 w& X2 L/ O
9 l+ E8 K9 ~+ w) ]. W7 F; OThis trick is very efficient:
8 M5 x( r3 o7 |. f# ]by checking the Debug Registers, you can detect if SoftICE is loaded' }/ g( W% P8 l# l
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
; i: ~; Z) S# c" W, Sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
, i Y( Z8 `$ Avalue (in ring0 only). Values can be manipulated and or changed as well
4 B$ M# f$ Q* U2 i& i(clearing BPMs for instance)* x! T) R. l9 `% U3 { k
* L3 p; f8 d" f# ^' t5 k
__________________________________________________________________________
- ?: i% X7 d# J1 z
( H) X6 H* Q7 C) OMethod 11/ N5 Q# U& d0 k
=========
* m# h/ C/ L* ?( W
/ i4 t0 z+ T/ @This method is most known as 'MeltICE' because it has been freely distributed
* [6 i5 M! t8 Z" \. X' r) F" I7 tvia www.winfiles.com. However it was first used by NuMega people to allow
" O) D( O8 e7 ?5 u. ySymbol Loader to check if SoftICE was active or not (the code is located | r1 L6 z- K3 p: C- P* t
inside nmtrans.dll).
8 [2 A' P/ M: A% E7 q5 o8 J: ^
- e% J$ x$ w+ i& j4 Y' u. p/ iThe way it works is very simple:
% [( _( K8 b' m7 N/ D& D& p6 jIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" R. R0 j; Q8 I# r' \7 C% ^0 cWinNT) with the CreateFileA API.7 c; \6 x) `+ X l+ ~, v
/ F- d* i0 Q0 Y' h W' V
Here is a sample (checking for 'SICE'):, D* V9 {' [; Y! s( {/ `
) G' K5 L0 M* E6 {" N9 l5 V, l( f1 jBOOL IsSoftIce95Loaded()
5 K, Z- ?+ O% a0 _. X, W{
$ }% A: L) k z D+ |, Z HANDLE hFile; , ?: Y Z- W7 H9 E; w& g
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,, @# c- }0 t: d9 H3 O% F* [0 r
FILE_SHARE_READ | FILE_SHARE_WRITE,
G# f0 r$ l5 _) d& x3 M NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ U4 E9 x) u" g! j+ W* N if( hFile != INVALID_HANDLE_VALUE ). f" q6 j8 x C2 ]) x8 a
{
' K# P/ G4 c. o8 V5 L CloseHandle(hFile);. H: i8 d( X; h
return TRUE;3 C# |7 v* [+ c. P8 P- }
}
7 ~4 a- M P+ B1 m: q+ v return FALSE;
7 z1 x8 ~" i |- s}2 @- W6 q* y& S. N- B
) M, R5 T g5 r2 ?Although this trick calls the CreateFileA function, don't even expect to be0 b5 y& e# b0 {- U1 j# w
able to intercept it by installing a IFS hook: it will not work, no way!
+ K% D& f& c+ g9 q: n, v @In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 k. k! T. |. e6 f- r% A
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% i; |* i& ?+ Z" \8 i: jand then browse the DDB list until it find the VxD and its DDB_Control_Proc' A* K6 S' k! L& I: M: a5 X
field.
# e8 p1 @1 b" V# K aIn fact, its purpose is not to load/unload VxDs but only to send a 8 g4 o0 P C" |% X' D
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! t; A8 v" x/ D# y6 t
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 o: o5 ?" o0 U, e- mto load/unload a non-dynamically loadable driver such as SoftICE ;-).' M1 o+ Z' |! A0 v' W- |
If the VxD is loaded, it will always clear eax and the Carry flag to allow& J8 F5 _" V2 S/ s
its handle to be opened and then, will be detected.4 I7 G, \/ W' x
You can check that simply by hooking Winice.exe control proc entry point
: f% [ Y* a! O/ gwhile running MeltICE.
_6 d& ^) \/ M/ f- s; U& U0 O7 N" W
" m2 B1 i* T. c5 W6 ~$ ~7 I
00401067: push 00402025 ; \\.\SICE: R2 R$ h2 T# O. O! g
0040106C: call CreateFileA2 i, @. O/ |' g* L
00401071: cmp eax,-001
4 X6 m! }( W. M$ | 00401074: je 00401091
' A+ d" s6 O: E- L! ^' t: C& y6 o! a6 z, o0 ~2 D3 N; f+ [9 H/ N
% g1 {7 p4 Z& J. L& C# f' }" d" x
There could be hundreds of BPX you could use to detect this trick.
/ L/ A- j: H( l, Z7 j-The most classical one is:
9 O' y& S! r0 |6 l" i% `2 D BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
+ b9 m# x+ \, B+ `8 N *(esp->4+4)=='NTIC'
9 P5 F X+ j& f2 y+ G+ r
2 w/ w n0 s' ], a, F0 x% H-The most exotic ones (could be very slooooow :-(* [7 _4 I2 V2 K) r! r
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
. h1 R1 {2 w4 g6 O4 i' _ ;will break 3 times :-(
* r: ?. o4 i) l7 D# J! w5 G. X/ n: |3 Z6 T
-or (a bit) faster: 2 J. u- e* d1 z$ d
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% \9 Z3 `; M- t, F+ n) Q
' _; |- Z- c9 p8 c8 Q6 d
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
; B2 Z+ R/ V, B9 Q) C, k" ` ;will break 3 times :-(0 |' I- W6 P* F1 D9 S
4 d* Z# e: p& T6 Y-Much faster:
$ K. F5 E: f0 Z# ]9 V v BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
* X' q, o) K# ~1 ~$ C' E0 z
$ o6 ?. w8 Y$ T2 r/ zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen; L1 \8 E& }! x* J5 B: `$ A
function to do the same job:2 s0 s4 G8 v" Z! c: E
: m. @7 P1 z# C4 \# X; e( P
push 00 ; OF_READ; a8 X! o m- s, b* \' u: a
mov eax,[00656634] ; '\\.\SICE',0
$ y$ a: {3 ~3 I4 ?9 f2 g( a0 L push eax* F9 D5 p& i& u! G- _
call KERNEL32!_lopen& o' n+ ?# |& P7 E
inc eax/ A P6 X H' k. i/ W. v( R- A
jnz 00650589 ; detected7 m' q7 x; W. u. Y
push 00 ; OF_READ
4 f+ |+ j) {& B* A% \& M- W mov eax,[00656638] ; '\\.\SICE'
/ T0 c+ t# i0 u push eax
- @% \. ]2 K+ A. }! i( ] call KERNEL32!_lopen+ X1 P* p( Q* z" U [9 Z% o
inc eax
* [$ ~9 j6 g# O" J0 ` jz 006505ae ; not detected
! k3 L: d& B0 y1 o# U
; F2 _" O+ a; Y/ C# ?
9 T. T2 x) T# D6 l9 u; s__________________________________________________________________________" \/ {- n, Y5 V& D2 B% \
; h7 j: `2 q. fMethod 123 D5 G) x+ _3 u# E4 ~
=========+ O4 |( c/ m) J" E
* m; v/ [" ~5 F/ a2 vThis trick is similar to int41h/4fh Debugger installation check (code 05! L0 p# S$ q/ l2 w
& 06) but very limited because it's only available for Win95/98 (not NT)
4 N* V4 ?, g. f% zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% c! O5 N7 G! H( w( l% }
+ l9 h' q) _0 }5 o6 k push 0000004fh ; function 4fh/ z6 K+ G |$ x
push 002a002ah ; high word specifies which VxD (VWIN32)
8 Y0 r+ R) K. ~5 V2 o. k9 m ; low word specifies which service5 g- \& D% I; D% b& \1 V
(VWIN32_Int41Dispatch)
X0 q0 O: }6 r) T; s% U call Kernel32!ORD_001 ; VxdCall8 F @, E% N# @: ^
cmp ax, 0f386h ; magic number returned by system debuggers
" A ?- t, `+ J" }% F jz SoftICE_detected
, V. C9 G6 `3 U. Y+ P4 x6 T5 q. K( W
Here again, several ways to detect it:
4 w# ]- I0 t! D5 F7 P7 y3 L
; e# I6 I. F {4 I C% N, p, { BPINT 41 if ax==4f
6 a" z% ^: i# X* i0 s& ~! g
5 Y1 Z: A* E% y3 E- Z* G BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
8 D, p; i1 ]9 N1 k$ e. A
: S3 N4 V7 T- ` BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
. D& S. H F$ F" F( i2 H m& }, B1 G) b3 ^( M! F8 U
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
+ @/ `$ z* w# @0 O% o. F+ u u; k! e* Y$ p
__________________________________________________________________________: i" k3 j4 p' o! K+ A5 L9 Y; |
+ a" u& d+ z, vMethod 13
9 Q7 R" {% V% J$ [' F=========+ e+ s; A( {- {- ^4 s. Z
, W2 C5 q' C& u8 u# s ~Not a real method of detection, but a good way to know if SoftICE is
- E+ e; f" k1 binstalled on a computer and to locate its installation directory.
1 }6 d, J' q! f- o6 jIt is used by few softs which access the following registry keys (usually #2) :+ X) I% o4 |+ Y( b2 w
, m5 z* v' U! C1 C-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 D/ B; q8 P) o
\Uninstall\SoftICE
0 E* ~$ L0 j5 M2 W; r-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 ^: B4 ]4 f, o/ g" c- w-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion/ E2 S" J: x( x/ Z h! |" Z* u
\App Paths\Loader32.Exe
; O( l- r0 ~6 y, L4 a/ ?2 o
9 F w9 l& |5 h& v
8 {- B1 z- ?8 J. C. N7 pNote that some nasty apps could then erase all files from SoftICE directory/ v; i2 X. v) |2 U+ L" Y
(I faced that once :-(3 d ?8 R0 T/ I+ Y; B& f, K
8 h( o7 T5 V# m" N( kUseful breakpoint to detect it:
9 Z5 R+ q2 D" _0 e2 n- h- N; ]& C$ @
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
. O; X ~3 {* ~/ S0 v0 z
/ P% z! c6 N) J+ i__________________________________________________________________________# ~/ ~7 X, M8 F& N, I
/ M9 d" c& h5 V$ Z9 M
4 i( P( q4 k; \, OMethod 14 + a! [/ Q5 S: W: R3 _
=========
" W1 [9 S- \$ Z8 c8 h
k! j3 a7 P2 a, [" TA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ U G4 w% s7 `. R3 ]is to determines whether a debugger is running on your system (ring0 only).
5 c& r$ `& b5 y0 b2 s! p6 B% w" t; g) l/ Z. _
VMMCall Test_Debug_Installed. \# V. l2 }. r; G3 h
je not_installed
! f, s: Q: ` C9 d0 x4 ^: j6 G5 B9 c( E1 d4 M/ a; t
This service just checks a flag.: A+ Y e4 o! |- w
</PRE></TD></TR></TBODY></TABLE> |