<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; swap our own dummy handler into the int 41h vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                     ; SoftICE still answers even though the vector is ours
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; only reached if nobody intercepted int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; swap our handler into the int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; timer port: a changing value for AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                   ; CL != AL means our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Open the SoftICE VxD as a device; this only succeeds if SICE is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* handle opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
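
As an added example (not part of the original text, and not code from its author): a small Python scanner that searches a binary for the byte patterns and strings of the tricks above (Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13), so an analyst can tell which anti-SoftICE checks a packer or protected program carries before running it. The instruction encodings are my own, the sample buffer is constructed, and a signature hit is a lead to confirm in a disassembler, not proof.

```python
import re
import sys

# Signatures for the anti-SoftICE tricks described above, keyed by method number.
# Each pattern is an x86 byte sequence (16-bit encoding, with an optional 66h
# operand-size prefix so the 32-bit form matches too) or a literal string.
# The encodings are my own; they are not taken from the original text.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' in ebp before int 3",
     rb"\x66?\xbd\x4b\x48\x43\x42"),                      # mov ebp,4243484Bh
    ("02 SoftICE backdoor magic SI=4647h / DI=4A4Dh",
     rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a"),       # mov si,4647h .. mov di,4A4Dh
    ("03/04 int 2Fh/1684h with the SICE or SIWVID VxD ID",
     rb"\x66?\xb8\x84\x16.{0,8}?\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    ("05/06 int 41h function 4Fh",
     rb"\x66?\xb8\x4f\x00.{0,16}?\xcd\x41"),               # mov ax,4Fh .. int 41h
    ("05/06/07/12 compare with magic value 0F386h",
     rb"\x66?\x3d\x86\xf3"),                              # cmp ax,0F386h
    ("07 int 68h function 43h",
     rb"\xb4\x43\xcd\x68"),                               # mov ah,43h; int 68h
    ("11 MeltICE driver name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),                  # \\.\SICE and friends
    ("12 VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),                   # push 4Fh; push 002A002Ah
    ("13 NuMega registry key",
     rb"(?i)Software\\NuMega\\SoftICE"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data):
    """Return sorted (offset, label) pairs for every signature hit in data."""
    hits = []
    for label, pattern in COMPILED:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(data):
    """Return the distinct method labels found, sorted by method number."""
    return sorted({label for _, label in scan(data)})


# Constructed sample: a fragment carrying the Method 02 backdoor call, the
# Method 05 int 41h check and the MeltICE device name (not a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                          # "\\.\SICE" as passed to CreateFileA
)

if __name__ == "__main__":
    # Usage: python scanner.py file.exe   (scans the constructed sample if no file is given)
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(target):
        print(f"{offset:08x}  Method {label}")
```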
</PRE></TD></TR></TBODY></TABLE>