<TABLE width=500># |3 W! c# G% Q/ n7 d+ Q( S
<TBODY>* Y6 g2 ?6 E" k- q/ { N
<TR>5 z; ]% c$ B( j* A
<TD><PRE>Method 01 * j) [7 M* p. S( D- f2 D5 l
=========2 c0 j) t4 x* D0 s# h
% y$ t; X/ ?+ h) w) ~
This method of detection of SoftICE (as well as the following one) is! I9 x+ p3 y) N0 V
used by the majority of packers/encryptors found on Internet.
! X2 w% I, R! T. G8 W7 H# d2 w: `* mIt seeks the signature of BoundsChecker in SoftICE
( O! E# S0 U0 c+ ^0 }
7 m2 I6 p$ z$ m- c( a mov ebp, 04243484Bh ; 'BCHK'
" _3 V0 I! E/ J* w) e, i mov ax, 04h2 u* P8 M0 |/ N& ^0 M- E) h, Z
int 3
) |) p5 a- E0 Q5 k# P }+ [ cmp al,42 |5 _/ y! k. Z8 d: I/ G. ], n
jnz SoftICE_Detected
0 O. g1 ~( d/ I" {8 O
& O& X9 x* C7 t# O; @3 Y___________________________________________________________________________
& m; P5 R: }& A+ J: h% e) M% Z7 X6 r6 r
Method 025 q0 {6 H7 h3 R- c
=========7 N( S+ [; u- E- `6 k$ U$ x$ ^9 N# M# g
: t5 { Q4 O! w1 _" F' _2 b$ dStill a method very much used (perhaps the most frequent one). It is used: ]% J- Y1 t- l; g- }( p& B; g
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ Z) w0 ]- W S# c& hor execute SoftICE commands...
5 O( ]0 O/ B7 t; _6 f6 U7 {It is also used to crash SoftICE and to force it to execute any commands
2 R5 m2 a# ~% V# m(HBOOT...) :-((
5 \) |; k+ D# C( x& Y0 h) Y3 u8 q# `- K
Here is a quick description:
( ^8 i+ X( M. D. ^# I-AX = 0910h (Display string in SIce windows)* L! K7 j% P5 j# ]! f6 Y
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)/ b: i4 f/ B, M2 P7 R6 I
-AX = 0912h (Get breakpoint infos)
" I& T: C5 [1 u% x$ L0 S-AX = 0913h (Set Sice breakpoints)
. U6 G4 H0 J7 X, K-AX = 0914h (Remove SIce breakoints)
/ ~6 Y/ p: f$ }+ S
2 r Z3 C, ]8 K2 T' j% }3 m+ dEach time you'll meet this trick, you'll see:
/ G7 C- k4 O8 d4 ^8 i- `-SI = 4647h. i2 N( [+ t3 R4 `
-DI = 4A4Dh6 {7 S6 m! _# N* b4 n% z
Which are the 'magic values' used by SoftIce.% e" I% {' r* L% d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h. V3 J+ V6 \ f1 c6 r+ S. C
1 O/ a5 F# M" \
Here is one example from the file "Haspinst.exe" which is the dongle HASP- [ E0 f* k9 |% d
Envelope utility use to protect DOS applications:
' l. a% I0 e( F; P# Y) A% q$ k% i* Q9 Z% E! {! d
8 T4 W3 y: Y2 _$ d
4C19:0095 MOV AX,0911 ; execute command.
8 }1 Y4 t: d/ [1 Q. {! V; }: D4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
2 J5 P# E/ p: {; Q5 l& O$ A) g/ u4C19:009A MOV SI,4647 ; 1st magic value., {% ?( f2 g$ d
4C19:009D MOV DI,4A4D ; 2nd magic value.
3 ?3 z; A& [4 W- Q4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ A' y. G+ W- M# Y: E- W7 @4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute( M* Y5 {( k7 s& j8 u' m7 `
4C19:00A4 INC CX X: e! Q4 G. s& g, r4 F% d+ Z
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute4 \5 d: Y& | y# c: U
4C19:00A8 JB 0095 ; 6 different commands.$ F2 ?7 B/ o6 l, y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.1 ]; R4 T- ]+ I
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
, d# n |1 x" @6 L7 z
5 b+ Q: I4 Y9 n3 `6 A! L6 gThe program will execute 6 different SIce commands located at ds:dx, which& I+ H, E: B; d- k1 u5 ]5 q; T
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! A4 ?8 l( I p: I3 J& G' i
( F3 K; W2 X. H' u- \' \
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! F1 `5 W: ]% C, L0 J# u
___________________________________________________________________________
. j ]; \0 ?9 S$ O
2 P! k2 Q. R) o# {1 |% Q- d0 r" g/ }
Method 03
/ X; Z8 A8 v( H: b( l! [2 p* \" T=========1 w) Y" G; O, J: m% U) @$ r
m9 X3 Q( z$ bLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 i+ B( ~% Y6 A& M1 v- Q) u4 X(API Get entry point)- ?; ?. ]5 f% }6 j t
7 t) v8 f; B2 T* W: s' J* ?0 x" H2 b7 A+ K: q0 k* u; y
xor di,di
# F6 G( p' t0 U: w mov es,di
- a8 l3 Q2 H: O5 E3 b, j% w1 T mov ax, 1684h
% ?1 ` N; \# u+ B mov bx, 0202h ; VxD ID of winice
% l2 X& k5 I% r: N" i int 2Fh" [5 K" }0 c" g. H1 Q9 d
mov ax, es ; ES:DI -> VxD API entry point
1 _# L4 `; K8 M8 l# o2 t add ax, di
7 G2 ?( G; m4 ^ test ax,ax9 b- o8 Q/ z) v2 @" j$ y& J8 Q
jnz SoftICE_Detected
$ Y3 n9 f; t2 Q ] L9 p1 y- r1 l, p) N5 u
___________________________________________________________________________" A/ u% b/ U8 ?4 V
) O* A+ a! m" N5 M4 ZMethod 04* k9 l- z$ w& H8 F
=========- I5 |% j3 P! J$ N( |
$ j. P5 P( L: p0 d' O; b7 b7 F! ?Method identical to the preceding one except that it seeks the ID of SoftICE
1 R! X6 _2 `: ZGFX VxD.2 R, Y7 O+ {& R) g& M
0 a7 t7 C' n/ W3 F" W; K& q7 r
xor di,di3 E" c+ d- b' s! ]6 C$ X
mov es,di* Z1 p) t8 B" o9 `' Q+ B
mov ax, 1684h 2 ^5 b, L* s( Z& j
mov bx, 7a5Fh ; VxD ID of SIWVID
8 Y2 e7 @) J7 H- L$ U+ d int 2fh; x: z+ l8 N0 |, a
mov ax, es ; ES:DI -> VxD API entry point- F$ `* S' b3 z; t
add ax, di
8 y1 y$ P5 m3 Y, B) ] test ax,ax9 t+ s8 l- T ? Z3 F; J) e
jnz SoftICE_Detected: m% E. ^. p3 `/ c
" h2 c) x& H" @
__________________________________________________________________________
4 C! J. z& Z' ?. ~2 \: I! | e1 T+ G2 e$ d& g0 \' D
/ C& L. l, k1 w8 k& B# s1 {Method 05
& G1 g1 C, g9 D, O2 L=========/ }1 D# T/ o4 y7 S7 j. |( s
4 _" b7 `; |# H* t+ B7 ]0 r4 M5 uMethod seeking the 'magic number' 0F386h returned (in ax) by all system" w+ ?3 `, W9 {6 M# K0 U: R
debugger. It calls the int 41h, function 4Fh.
& ?3 E) O4 b! VThere are several alternatives.
9 g, h, T* v3 M& ~# A5 v5 `4 m2 `/ F) |: O5 l% k
The following one is the simplest: Y* `& k! P$ w1 H
2 u2 z7 l7 ?) X mov ax,4fh
3 T$ f& c5 s: U4 C; H# L' g int 41h
+ l! l4 s- I- L cmp ax, 0F386
7 i5 G7 r( D9 @9 k: ` jz SoftICE_detected) s5 V( _8 ~+ h9 j% R7 q
" t3 A7 S4 _. M8 }' [3 l$ @
$ j6 a9 W+ j8 A$ k% LNext method as well as the following one are 2 examples from Stone's
0 f% N" Y; p. N) x2 |- b+ V"stn-wid.zip" (www.cracking.net):& K6 ?. M7 q# q) V
" v" I3 l- L( s; c: P6 G U0 j
mov bx, cs
+ o3 g( W. c8 T5 x& a lea dx, int41handler2
& T( X4 ?3 w8 n0 [4 ^5 ~ xchg dx, es:[41h*4]
0 D6 E) A' p. G; H1 M0 V! A! e1 _" k' @ xchg bx, es:[41h*4+2]5 ]3 m( T! x- ^) x/ n
mov ax,4fh& I9 |1 y/ \/ e4 Q
int 41h
. P' i. y3 e$ X xchg dx, es:[41h*4]) ]7 R( ]+ N6 R4 P3 U8 M
xchg bx, es:[41h*4+2]7 D- n$ `. A% d" y
cmp ax, 0f386h
& W( i( W) e3 j jz SoftICE_detected
- p: \5 f! I$ t o# M- o
9 o6 a! D2 e0 N5 [8 iint41handler2 PROC& D* ]7 K/ u8 p$ ^ ~6 `+ q
iret& N3 A3 u0 r1 e: `1 e
int41handler2 ENDP7 S8 z1 L. y' h
Y; t( q, ?+ C4 I1 o) j
" P: B5 D' }3 _& N6 I0 J_________________________________________________________________________
/ ^* ^" e1 b- ?* I* u# f( j/ ?4 J( s6 v& m
3 n7 B, G# G: h
Method 06
! ~; {1 t! x$ b2 e( }=========; h5 I1 X& S. m2 m/ b& m$ O$ W
& c7 r c% b( c) ?5 e1 h: z- `6 ~) A) O" e; T6 S) I# `
2nd method similar to the preceding one but more difficult to detect:
0 a$ ^, S& ~ m, o
+ u# p5 {6 u3 [' Y; x% q7 R
8 ]8 N, c# @! l! ?4 A6 g) X* tint41handler PROC, C' b& v: x' ?
mov cl,al
7 [* b# i% M, d3 ]- g3 j' i iret6 K" B, \) e1 ]& s+ X! U& z+ J
int41handler ENDP6 u7 C% X1 K/ e& \) a. S4 V
; g7 `8 k: I1 Q2 J u$ f: E( y8 j. O# Y! D7 z/ @
xor ax,ax
. C% f' g# e" y0 X2 Z! p( `0 z mov es,ax
+ \$ \+ t0 P3 ^" F5 i mov bx, cs
0 ~( [& [! j' F/ }& F lea dx, int41handler7 n9 o9 D' b0 d
xchg dx, es:[41h*4]
* ^. r; X) i# l/ g9 Y# Y xchg bx, es:[41h*4+2]
6 x+ T8 |! y& x# u in al, 40h
# ^' J$ w% K2 C3 U2 f" z4 V xor cx,cx2 ]( m; Z- f2 {$ l
int 41h
7 I& L V D- R" t0 M, H8 ^ xchg dx, es:[41h*4]
, {, f, \! ?/ Z; r# l xchg bx, es:[41h*4+2]7 v, k! O/ u& M6 O7 I$ K: o( q
cmp cl,al( s7 ]( y( K& S' { G% w
jnz SoftICE_detected
( H( \; @! \ I" i) Q: I- J1 Q5 V9 [% a I% I( F
_________________________________________________________________________( @) n/ R+ W- J
& C6 |. Q3 U& I \, d5 Y4 X$ TMethod 07
. d. r$ {# J3 {=========
G( b. I- ]/ z% l$ v8 r+ W; d, m# \2 s0 e( C+ {8 s" i
Method of detection of the WinICE handler in the int68h (V86)8 {5 D3 K- l5 v6 I
' R* e u/ E0 g7 e mov ah,43h. j2 T0 K$ G1 I+ G- L* v. ~ K
int 68h
+ W8 E8 _5 w" K8 U; |8 a7 J% c! ?6 c cmp ax,0F386h
4 h+ y2 i% x9 B# u; p jz SoftICE_Detected, H+ B2 F' s8 N2 e% U
+ E) z7 S% G3 ]5 I- y8 g( f/ g
S, |5 ?# G! X) a
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 O; H9 u& O" V; P app like this:7 y2 D0 e+ l" m) ]* S2 N* w8 Y
$ ^# P6 [" R- l! r
BPX exec_int if ax==68( w. v1 s4 {( U8 O( j% Z5 {" @
(function called is located at byte ptr [ebp+1Dh] and client eip is
# E! n; h0 x0 z9 \& { located at [ebp+48h] for 32Bit apps)
- @. c5 x5 t5 f1 B$ S, |, |3 L__________________________________________________________________________/ U- T+ j: D, x$ P' ]5 Z
$ x7 @7 x; P3 w; J+ o/ J4 F, B/ i! J1 e
Method 08
8 [2 k- w5 ~, [7 }3 e- E* T4 a5 _=========% e) D' [0 L* g$ _7 t( j. S
3 v* K- ]* W: B- i8 c- \It is not a method of detection of SoftICE but a possibility to crash the) A6 P- U0 _8 f8 d, K4 _2 ]2 V
system by intercepting int 01h and int 03h and redirecting them to another% d" P6 F. v! y
routine.3 p% P: G+ j4 K3 B
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points/ B9 j3 _% A: Z- m) m/ |, @( Z% d
to the new routine to execute (hangs computer...)# \1 [6 O- ?3 u: \7 O
9 W! Y- X$ R5 S* k) x& i! v mov ah, 25h, J b2 \5 G1 Y7 i' W& T, S% Q2 _
mov al, Int_Number (01h or 03h) i8 K) ]+ k4 P: @( x
mov dx, offset New_Int_Routine
8 }6 ]6 \$ b: @0 \" r7 X int 21h& j4 I- \+ _& `& Z8 I
6 J: `3 n5 F" k3 ?4 b
__________________________________________________________________________
9 e- h+ v+ ?1 C
2 d) D0 B4 o) F3 O* ]% AMethod 09
& {& O' E: d0 S* } \# s) g=========
/ H5 N: y% t7 t- p; m( D8 ^
% A- x1 Z) K! |7 Z: t, c/ \( yThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 M4 H7 I" I Q8 yperformed in ring0 (VxD or a ring3 app using the VxdCall).! I0 i. M( G8 M1 V
The Get_DDB service is used to determine whether or not a VxD is installed
% R7 S$ S* _' P' x. sfor the specified device and returns a Device Description Block (in ecx) for% p1 v( E4 B( I7 A" Q& i
that device if it is installed.6 @! q* D; c+ d/ @
/ f- L8 |% g9 M" \7 H3 A4 f
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID& b- [6 }2 A. [! A2 v7 T9 D3 y" }
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- @, m5 K( Y2 b' t
VMMCall Get_DDB
" F- i/ C& I" L8 M0 D( G mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
% M% {4 M9 U0 {1 S1 y
7 ^4 r5 k) F9 `7 {4 aNote as well that you can easily detect this method with SoftICE:
* ?9 r1 v$ w6 x) V3 V+ [ bpx Get_DDB if ax==0202 || ax==7a5fh
. X( \9 \* |7 }& |; L
' ^9 U/ s& V( D7 i+ N, x__________________________________________________________________________
. V7 I) D2 n3 U) ]6 x, C) h( G0 k e8 d9 k4 |# ^
Method 102 z! B/ s, y1 v# D9 b
=========2 I" g2 s0 e0 m2 v0 R' c; }
# R" a1 G2 ^+ |" B* c) p
=>Disable or clear breakpoints before using this feature. DO NOT trace with# N! @% Z; a$ c( s1 L5 L
SoftICE while the option is enable!!
. m2 ^+ y+ b' [. M
% x2 A+ `: Q9 sThis trick is very efficient:( X6 Y' f7 G4 {
by checking the Debug Registers, you can detect if SoftICE is loaded
. T8 r; H) u7 Y(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
9 D$ Z! l* e6 S* a$ s% W! cthere are some memory breakpoints set (dr0 to dr3) simply by reading their
& N0 `: X5 G, m/ z( ]4 jvalue (in ring0 only). Values can be manipulated and or changed as well# |! t- |+ t1 x6 b
(clearing BPMs for instance)
7 }( \& n6 A2 o/ g7 P& s& R4 m& `8 W+ N2 W
__________________________________________________________________________
$ r5 @7 H1 s5 R* b
K% l! u, E/ {! w5 W. kMethod 11* Q3 s) ]( I' l) B" r. D( g8 K
========= I5 k9 b3 A: L- X- I
- e/ C% B1 g( q! K' G% J3 }$ t* Q
This method is most known as 'MeltICE' because it has been freely distributed6 P. } L/ H* p
via www.winfiles.com. However it was first used by NuMega people to allow3 ?8 T N8 ]/ G y3 d, D
Symbol Loader to check if SoftICE was active or not (the code is located
' W# s Z6 a; ginside nmtrans.dll).
% d4 D6 R2 G9 t/ ?8 j! `' @, @9 T G1 T" v/ L) w+ F+ b
The way it works is very simple:& S# w! g9 V7 {. s
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ h o7 b. J, m$ L) t) z' \WinNT) with the CreateFileA API.
- x! ^4 { o* \
$ y/ n" Y+ h# _Here is a sample (checking for 'SICE'):
" M$ u. L7 r6 I9 \8 b7 |# P
* }6 ~6 M' O0 `3 r% @BOOL IsSoftIce95Loaded()
0 w& K3 S; Z# ]3 E0 b- T0 ^{
2 l% [9 e7 |) l- z# w G$ q0 W HANDLE hFile; |* e% Q% {1 K v: \
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,0 i* X) V+ r+ r% _9 i3 B% Y3 ~
FILE_SHARE_READ | FILE_SHARE_WRITE, N% n3 O. g6 |: ~9 R9 c' A
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! |1 N9 j" y0 s, {9 J7 ? if( hFile != INVALID_HANDLE_VALUE )
+ Y$ y6 @: j7 f {
& z+ z& b* W9 H! f& e2 K0 j* G CloseHandle(hFile);1 n" x+ U, y: r6 E& R
return TRUE;' w/ s P( x) b( J
}" e4 U+ Q& w) o0 j1 F
return FALSE;
' Z: m$ e' v1 x' O+ i8 {}
4 b0 A% v( V* \9 p
- }* X+ {# p6 u3 W9 `# SAlthough this trick calls the CreateFileA function, don't even expect to be
+ I% j% g$ k( eable to intercept it by installing a IFS hook: it will not work, no way!
- ~- ~, A5 d5 {3 } pIn fact, after the call to CreateFileA it will get through VWIN32 0x001F, z6 }3 I+ }4 r$ F3 G
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
* Y3 k8 k: p9 E; B) F* Zand then browse the DDB list until it find the VxD and its DDB_Control_Proc
0 y9 u1 b. r, j, d/ Qfield.
! l9 |: c6 K$ q; e3 ~3 I4 a5 tIn fact, its purpose is not to load/unload VxDs but only to send a 6 P/ G5 A5 O3 G
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 r, \/ E4 r/ g8 w0 g7 v
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
" o; p3 v2 m/ E7 e9 [' @; p" }to load/unload a non-dynamically loadable driver such as SoftICE ;-).. w) Y$ i1 ]5 U e! S# X% n
If the VxD is loaded, it will always clear eax and the Carry flag to allow. C1 [# }( R4 G d4 U
its handle to be opened and then, will be detected., a! z% e; R$ Q
You can check that simply by hooking Winice.exe control proc entry point C, }- a& d' k% `2 Y
while running MeltICE.; ?6 I- X8 l% q, t
, ]6 e6 s6 m, ]: H8 g
5 _# H0 F; S4 [2 P8 _
00401067: push 00402025 ; \\.\SICE. h1 D/ m$ R- P1 k- M$ U
0040106C: call CreateFileA+ }5 T) K8 S7 i$ a! _; @9 T
00401071: cmp eax,-001
. e' H5 H+ G( S0 X 00401074: je 00401091
* b' l2 s$ M% k
/ z* ^% c+ n4 }
! a7 I% L. m- g( Q1 C/ Q) YThere could be hundreds of BPX you could use to detect this trick.; T* o. q4 K! R& T
-The most classical one is:; N/ d. P) l! d
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||0 ]- \" f) d! N, {8 f: ~& p+ N4 @
*(esp->4+4)=='NTIC'" \& ?/ J! `3 A) W. r4 U! f# g
7 L- G6 T0 Q& z( H# y
-The most exotic ones (could be very slooooow :-(( Z9 @! U* l; Y) p5 v* j
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
0 g8 S9 p1 Z: [4 [( B# R ;will break 3 times :-(
9 T9 r0 J" l- I3 ~1 f0 G7 d
4 ^1 L6 R" _/ H5 u-or (a bit) faster:
5 [0 b6 A- g8 b- [; S4 j6 n% X9 w0 \ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. p. S; S" U# G6 d J" n" M* ?! o0 d' X7 G
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
$ L" D7 Q9 f3 }4 v) ~ ;will break 3 times :-(9 d' T$ W: A+ c: O" o! H3 z. g, U
* `2 l1 I2 R3 _! O4 w4 A-Much faster:5 H' i; B; M! w/ O2 W+ C1 Z
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
$ r4 n3 t& W0 k5 W; m# D* T/ i3 @; [. C- g# T# Z* `5 H: q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
4 p, z. c; T! s0 T# rfunction to do the same job:
l. Q6 W, o7 ^( d. t! e
! s. J6 b& q% R* Q4 B& L push 00 ; OF_READ
" B; {& p, y& d ~8 Z mov eax,[00656634] ; '\\.\SICE',0$ E9 V) a- x9 p
push eax* V- k* r* {, ]0 S- n
call KERNEL32!_lopen! H8 m a+ i) O% g3 {) A
inc eax ]/ `. i# Y N3 C
jnz 00650589 ; detected& V) |- F9 L* u. S/ U
push 00 ; OF_READ! h, r' R% c% C* v- F
mov eax,[00656638] ; '\\.\SICE'
( I( Y' C4 K0 E. k push eax, t# Y* n6 o& d
call KERNEL32!_lopen8 Z; a$ n" ^6 c+ j i. e) d
inc eax
) w& z) g5 N/ ~" |* M* Z$ _# @% e jz 006505ae ; not detected
! Z' V, a* R% w( H# C s. S- D) C* C" j" B' f$ b1 H' Q
0 E3 n- t9 y/ |* t
__________________________________________________________________________
" n% F7 ~) D) Q% s" Q9 S; u- P+ v0 V& j {4 S7 F
Method 129 u$ z) C. N4 c; U+ y4 k
=========$ Q- |/ j$ {; |6 C& @: v( M
: b; D6 y* `; qThis trick is similar to int41h/4fh Debugger installation check (code 05. N7 U. y: T# o% Q) X z
& 06) but very limited because it's only available for Win95/98 (not NT)
% W! {/ Z l; ias it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 z o9 ?0 H6 a. @1 k6 D
; \7 {+ R0 u8 H; `/ B: a
push 0000004fh ; function 4fh4 k. L; d( e# |' X% m+ B
push 002a002ah ; high word specifies which VxD (VWIN32)' p: o& K& E8 n" h$ E" L3 {
; low word specifies which service' \$ @) D+ {( }( x; r
(VWIN32_Int41Dispatch)1 }; \( Y1 _( H2 G: \
call Kernel32!ORD_001 ; VxdCall
, g& x% s( y8 v cmp ax, 0f386h ; magic number returned by system debuggers
& A- [$ s( k) s( S jz SoftICE_detected
, f7 s7 m) h0 ]! g1 Y$ v9 p4 h0 D
Here again, several ways to detect it:4 [3 H! i$ X7 R9 a" C; r( B
' n% G7 `7 q% q- b" l BPINT 41 if ax==4f- U$ S2 R. L3 w# |4 b9 Z
. Z J) o1 ]. P) A% f
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one$ b: a3 `4 R3 Z; |8 @( J
* R9 X2 j. u0 t8 A/ Q0 F0 } BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A( s; _3 h- I* d1 P# Q3 N8 M
8 t! s5 I& Q5 s8 @" s3 O. _
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!) ^% g; @( Z8 l5 p0 o+ P2 R
; P! o8 b1 G! Y5 G__________________________________________________________________________1 p2 e3 t8 k; u" W& @& O
& T$ q6 X) }+ l% R& TMethod 13% g2 B; Q) ?6 k! U
=========
P/ u8 Z, h* ?- J- d, N/ t$ p# m# [- a% M2 J4 r
Not a real method of detection, but a good way to know if SoftICE is
' c# f6 E! ]) g! r5 i7 ninstalled on a computer and to locate its installation directory.
: J& n( W9 C- W+ _7 YIt is used by few softs which access the following registry keys (usually #2) :6 o$ D$ y5 P, F% F
3 L) \! h& i( {: O-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 W( R9 c( a, ]: h4 K6 z
\Uninstall\SoftICE7 q% s- Q. }6 u3 ^( g8 @
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 |! l9 S: {7 t( K. a* z* h
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 ^0 h4 U* I' p" K) p\App Paths\Loader32.Exe# G4 Q( V4 t! R; ~# U
$ R7 N; U. ^% x9 |+ m
, Q2 Z/ [$ `, `1 vNote that some nasty apps could then erase all files from SoftICE directory' v8 \& y4 J/ s: ?
(I faced that once :-(
- Z4 g# b9 Y& ]1 _/ K* f
( N& J/ q9 W& F3 C4 d+ ]: j6 KUseful breakpoint to detect it:
- w) ^, G' ]6 f' C7 h$ \7 f! W/ b. M1 }4 X& \+ Q8 `3 s
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'8 o$ W! f$ W# F! `# [
) `. i/ {( Y3 r$ B__________________________________________________________________________- b$ |8 A% y7 b5 S5 h; [$ R) J8 ~
$ {( \$ E3 c* k( v8 c2 ?' o2 g/ t
2 g h4 E5 u F+ k8 Y3 A
Method 14 . M* x" d! k# B$ N; {& q' g; P0 X
=========: x% z4 L3 e+ S5 @4 p$ c! x% i
* e! D: R, D( i4 ?
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) s5 k# [' j1 x! Kis to determines whether a debugger is running on your system (ring0 only).
+ d4 m4 K$ v5 v ]
& t2 |2 n% a; F VMMCall Test_Debug_Installed- O! O0 g8 m2 K
je not_installed
% Y0 l6 A7 v4 M8 V. U2 l- K# @8 ^! L
This service just checks a flag.% h$ u# c$ `7 f5 i9 ]* i* h& a1 i
</PRE></TD></TR></TBODY></TABLE> |