<TABLE width=500>- c3 R; F: A {9 ^* @) T* b. u
<TBODY>) _) x$ P }/ F
<TR>/ m( d# n1 m8 e1 L% E8 U0 c6 l
<TD><PRE>Method 01 9 N4 L- h' V S9 F/ Y# T0 `
=========) M4 L# z; Y; E. O) W7 l3 d8 e( P+ k
' v7 P4 g, R0 E' x& |This method of detection of SoftICE (as well as the following one) is0 \/ d/ M6 m4 y
used by the majority of packers/encryptors found on Internet.
/ _. f3 |; q, B BIt seeks the signature of BoundsChecker in SoftICE
' S, ~6 ~, G8 ?+ d
& K: b& n9 A* V) w7 ^* h2 Y mov ebp, 04243484Bh ; 'BCHK'* }" u$ e' M0 {+ I9 r- J! t
mov ax, 04h
/ a/ Q- ?( N6 E2 {. x int 3 7 {0 `- L. q* e0 ?& z
cmp al,4+ w6 [3 \# _) J6 c8 K
jnz SoftICE_Detected
: Q5 f* E6 S: z& ~. ^$ t* `5 e9 p7 `. W. n* W
___________________________________________________________________________" I4 q: ^* [6 }
: A/ w8 H7 I+ s+ P) Z8 C+ ~Method 02
. V$ @3 Z5 b7 }* ^' i$ X=========$ e5 C9 X( p, z# B5 @& R
J* m3 u" Q$ m2 O1 g& |; Q
Still a method very much used (perhaps the most frequent one). It is used5 V7 V8 l$ O2 C D( ?) a
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,7 z! O2 {( U! s1 D* y2 L) a
or execute SoftICE commands...
; o; _- K! S7 F8 I3 X1 n' r0 G4 LIt is also used to crash SoftICE and to force it to execute any commands# B" N: s8 I a; ~* ^4 B
(HBOOT...) :-((
9 f0 B! [" S8 Z7 \$ Z3 y; j, K, i4 x7 V# R
Here is a quick description:
, ^8 c* X+ L: U {0 ]-AX = 0910h (Display string in SIce windows); ]% `! n$ v# v6 @
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)# Z* X2 E" h( r( K/ n
-AX = 0912h (Get breakpoint infos)
4 C! `' X/ G& k7 d; g( P8 s; r* n& q-AX = 0913h (Set Sice breakpoints) ?% _- ^6 J) y- G' M4 ~
-AX = 0914h (Remove SIce breakoints)# S S6 y/ \- t' M1 {' E
& x* d6 y+ E' p: BEach time you'll meet this trick, you'll see:- n h0 O, ~! F# S+ [- K8 b% e& A/ \
-SI = 4647h. {# z3 ^5 L% j$ p9 l
-DI = 4A4Dh* U( c' p; ?0 w
Which are the 'magic values' used by SoftIce.
* f* o" h6 f' ]& l, O! O/ z3 w% [% xFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. @9 B v3 m# v9 p5 n7 Q+ g$ J& z) h6 W% {' s) C2 N4 [& e1 e
Here is one example from the file "Haspinst.exe" which is the dongle HASP7 t4 Y" C: O0 N) d4 B8 L
Envelope utility use to protect DOS applications:5 q; u' G# \3 M6 X: B
$ l$ P: v2 ~: L. w: w# }( g9 S
% n/ d! i2 g2 ~3 X0 Q! W4C19:0095 MOV AX,0911 ; execute command.
1 o" D' O* Y" C, n) @( f! ]2 P( g) F& H8 H4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).7 O+ s2 K6 C+ k8 K# Q3 e3 a- ^5 K
4C19:009A MOV SI,4647 ; 1st magic value.& t4 J4 l: o# D& i# y. z& _1 p1 k
4C19:009D MOV DI,4A4D ; 2nd magic value.; e$ Y5 T+ M2 _# v3 `4 E- P
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
" x( X4 H1 F8 m& u4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute9 h. u, v9 `3 W
4C19:00A4 INC CX
4 m$ _# S$ t6 P4 s4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ K$ u: x: Z+ g* N ]
4C19:00A8 JB 0095 ; 6 different commands.
! w" W7 u: q* k% U; G- R8 h) E% z4C19:00AA JMP 0002 ; Bad_Guy jmp back.( `( C% S/ B+ U! x* |1 \9 m2 m
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)- ^( b# V2 J! G5 k
" `# C! B0 l8 L/ _# K1 s5 cThe program will execute 6 different SIce commands located at ds:dx, which
o6 B# ~$ O+ mare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 m/ B0 _! O! ^
5 j2 ~% W0 x) H# D6 a* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 H* _) g% |' C7 ]; L+ d
___________________________________________________________________________- L" i h3 S& N8 N
9 j9 {9 ~: F, n5 S& F" H6 @+ M
0 l. x9 G1 K+ S9 DMethod 03
# W+ z+ o6 S3 j=========# L2 e4 m6 [' Z& U* L
" N# d3 G; z" z2 _& G3 E4 P! A
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h5 F( Y+ r1 S) {: C9 s4 O3 E/ C
(API Get entry point)
# ~/ C* `+ L* d y9 M 3 r. m# e+ E: e
7 V, Q/ {7 P, l! O! U6 F- W xor di,di/ w" j6 W3 u( t2 u
mov es,di. H4 {# i$ m. @/ t4 ~. \# j6 p
mov ax, 1684h
1 K4 S$ L( E% K+ O mov bx, 0202h ; VxD ID of winice
* Z4 T3 h% y# c& ] int 2Fh
1 X( K5 P) \' e' z. o mov ax, es ; ES:DI -> VxD API entry point
+ i9 ?, ~, H' z add ax, di
, j6 j, Y1 @9 c& Y0 U& m test ax,ax
& T: Q* |$ p( s- a! Z* T8 }. @ jnz SoftICE_Detected
/ P8 q, |# ?4 F8 a- s$ U9 [. b- A& b* \1 N
___________________________________________________________________________
( M. I& Z2 u1 @+ ?$ `! Z" v6 ~2 F( O2 |; L! K5 X5 R0 x, x
Method 04
8 ]" w/ V t' T=========& R+ [% R# L7 c1 L6 Y" v
. @! I) V6 O+ R( K0 nMethod identical to the preceding one except that it seeks the ID of SoftICE
# m3 n* n1 }$ y* X' W+ B0 EGFX VxD.& g4 @5 p" j9 Q; q0 b% w l) G
3 B4 e. Q/ F% G3 O4 i! W8 p0 Z xor di,di
) w1 p3 P' N1 q. l mov es,di
5 m' v f% c% Q& h mov ax, 1684h 6 O" o0 N' @9 F3 j7 z
mov bx, 7a5Fh ; VxD ID of SIWVID
- N) e* s5 X9 d# D int 2fh: B1 g N3 j1 k2 ?: m
mov ax, es ; ES:DI -> VxD API entry point
! S# f3 m7 O) L* j4 [ add ax, di
' R7 [, s/ C& J- V4 V. p test ax,ax
) Z: c* l8 M% I+ b* Z jnz SoftICE_Detected
- [4 g& {+ n1 f/ i
% ~ @1 d% u. M% `3 `: ^8 _ H__________________________________________________________________________; X* c" i% {0 d4 R' N
. U0 c/ D1 k9 G# b% ? p, Q
# `* X" {3 |" ?( ^6 W( MMethod 056 K0 s8 q4 ]- s/ x4 S6 s7 ]7 F
=========; w6 ]9 v" c$ y# o7 ~
* Q% R" r' O% B0 `Method seeking the 'magic number' 0F386h returned (in ax) by all system
& r5 I5 }8 K3 u. I. w2 C& Tdebugger. It calls the int 41h, function 4Fh.3 K* ?/ i7 c( k9 O6 F: b+ g
There are several alternatives. % T, X; ]0 u6 @
, i" H- Z, `7 j- |# o- g
The following one is the simplest:
9 Q$ R' |& z& u1 B' a/ Z' \$ U* A( {; C- N
mov ax,4fh- X5 {: i! P" ^
int 41h
) X! X/ c4 U: b r5 I/ B5 W2 v/ T cmp ax, 0F386
2 k& Q% l! n- m" }7 @* c jz SoftICE_detected
4 j) x. u% ]) ?
0 H: \' c* @. m& l! N
* k1 }2 v# Q, s+ fNext method as well as the following one are 2 examples from Stone's
6 q0 q J& z$ P2 _# I6 g"stn-wid.zip" (www.cracking.net):! _5 P2 K: e) n: _. ?6 g8 D
' s6 [) w$ k- `8 h2 q2 O$ _* g
mov bx, cs
$ _5 Q( z0 I8 E8 b lea dx, int41handler2
* R5 J% o. h/ [( m% @( F xchg dx, es:[41h*4]
; I% L: v0 Q9 s2 k( V xchg bx, es:[41h*4+2]7 |4 f8 M: q/ q+ z" d
mov ax,4fh# P+ y: R' J( `! k2 l; o
int 41h* P4 b0 v/ o* k9 M+ R( u; r# j
xchg dx, es:[41h*4]0 A H4 F( c% J7 x) S" h
xchg bx, es:[41h*4+2]
6 w$ ]" d7 f. U& K cmp ax, 0f386h% U0 q' Y2 r) {/ ~; q
jz SoftICE_detected) l a* T7 W2 e5 i4 Y
# i( D0 Q% g2 x: r$ g3 aint41handler2 PROC9 M9 K: s; L1 w
iret
; s+ ~" ^( q. W8 rint41handler2 ENDP9 `) {& G! o- x( N& B$ T3 W3 ]% B
e- A1 R' ^. P# |/ S- ~1 _; J' A9 q6 L% q9 q
_________________________________________________________________________
# J5 T2 d Q i6 Z- o& _- U) W- z7 K% n7 w' y3 _
! G7 g& X5 V- E& [; w
Method 06
9 o7 B# g `1 _=========0 O. s7 x) f1 |# F5 v3 W' T5 J4 e
: k3 _2 d5 b) r- _* i# K7 h( F& D) P1 b$ ^/ J8 p. U) R6 h
2nd method similar to the preceding one but more difficult to detect:! M& s! X' P: l+ X
# D0 M4 o3 ]/ x5 a1 M& Q
- o. Y i0 q! g* T* e! \9 ?( t$ s/ e
int41handler PROC2 O& I) c( ]0 b% O
mov cl,al
5 [9 ~! a+ e2 }5 w iret
Q B$ r2 u. g% m# Pint41handler ENDP
, A, s% e% d; k. {) ^, u, e$ b4 l* [4 Z+ G9 O
/ q4 Q1 w4 O3 M2 A- q! s: Q- v xor ax,ax2 \$ E7 x, h, O) O- _4 T
mov es,ax2 A3 o2 k0 n6 p. V
mov bx, cs
+ T j$ W& d# ?8 S# \( T& l3 \6 p6 K( ? lea dx, int41handler6 Q& _( Z8 g$ u/ I! z5 N% J
xchg dx, es:[41h*4]! {3 c" R& H9 y, }% ^+ J4 N
xchg bx, es:[41h*4+2]
# u. }' {7 t0 o in al, 40h5 L% b6 g+ [ c! P. J* k/ _
xor cx,cx
! S! h. ~) s! e) o+ Q1 p3 u int 41h4 W% P" W1 ^6 y! A
xchg dx, es:[41h*4]+ k8 t( q& t, W8 ]8 F6 G( j: T: r; x) H
xchg bx, es:[41h*4+2]
( u3 I. c! K! A* _8 M cmp cl,al
9 P' ^! M3 ]) L& Y) _ jnz SoftICE_detected$ |& \5 w' ~: u$ g
4 [6 m+ |5 v% T$ n1 K. l* r! c
_________________________________________________________________________% N! V* C1 T3 H" B
9 D- s3 X! v; y! V% i' u
Method 07
' U: r, @/ J) h! k7 c) k=========
/ b$ T2 ~0 h; K3 Q% h
, w# Y' z$ V3 yMethod of detection of the WinICE handler in the int68h (V86)
$ r# T C$ J: Q6 ?! R2 Y) Q+ v v
0 @0 ^- i3 g. T7 U( U" L; E/ F+ T mov ah,43h
1 K( v8 @ s# ]( U9 T. k5 N7 u5 { int 68h
0 u) a( s$ N# ]0 k cmp ax,0F386h
2 l0 b3 Y8 m, z* C% X% c jz SoftICE_Detected( i0 P% m9 S& O/ a) ]# S2 R
& k! N4 c+ r; b% A. P0 E: k
8 d$ A/ z2 b& Q7 g( M
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) c. t$ l; c' A* C app like this:
; @" v' m, A, Q) {& _" J# R0 L# \. k( I( C1 g8 e! n# |
BPX exec_int if ax==68
7 s) ^' W& {: e* u3 }6 S (function called is located at byte ptr [ebp+1Dh] and client eip is
+ e/ W1 ?; E' K; O @8 O( C located at [ebp+48h] for 32Bit apps)
; R/ k# P9 B; ]3 m2 |7 O__________________________________________________________________________0 @5 S8 ]8 p3 G; I4 r
6 E, ~0 Q w, L) B4 z( n- L8 E2 e5 a6 b" V) i' q: }$ }1 h
Method 085 x0 Z% Q0 k, O
=========& e. R& q3 B/ M
8 d2 K: o( d- \0 N _9 b! V
It is not a method of detection of SoftICE but a possibility to crash the, d, B" z( |- T
system by intercepting int 01h and int 03h and redirecting them to another
+ ~7 a, e% ?' E* wroutine.7 O9 \9 a/ i# G$ ]8 V
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
i/ n7 D, u" u5 b8 \, Dto the new routine to execute (hangs computer...)4 _: D2 M) A, |5 g3 V9 N
8 C' J) T+ Q- j
mov ah, 25h' D: F/ o% w! `# C4 ?0 @; }
mov al, Int_Number (01h or 03h)- ]" q! F0 [( H( o# \* X! h; p
mov dx, offset New_Int_Routine
3 l1 M* P2 J7 a8 ^, f4 I. b int 21h
, @3 L0 h' O h3 @8 Q& W# s/ ?- Q. _
__________________________________________________________________________
% P5 e2 c3 n2 x2 o) R+ C
" R5 ^+ r/ P" T% E3 a5 L9 k# QMethod 09. o4 ]0 g0 k) R) {2 Q! e# ?
=========5 R4 t' Z0 W: O
: v/ n- M( t" H+ eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* n% l: A" i6 p* j9 Q6 R% m6 z
performed in ring0 (VxD or a ring3 app using the VxdCall).+ E% K$ @8 Y5 }# k! t
The Get_DDB service is used to determine whether or not a VxD is installed. ~. B4 x) D2 A+ G
for the specified device and returns a Device Description Block (in ecx) for
/ r g# R7 r3 _$ Cthat device if it is installed.
0 }( c: S" K# v+ {/ n% h3 e9 a) h; b0 I. x
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID; {, E1 J8 {9 k' p: }; d: e
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)# L4 m* X) x" i) V& l
VMMCall Get_DDB
& N& W8 m9 M* v/ P5 D mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
, i. ]: I7 k3 P" r+ a& M
/ T3 t: g L$ B( Q* P; b/ eNote as well that you can easily detect this method with SoftICE:
; Q i) M) z2 H4 x! P bpx Get_DDB if ax==0202 || ax==7a5fh) w4 e2 h* M; c+ r9 z& X2 f
7 g: f3 ^0 Y6 M__________________________________________________________________________7 }% Y) l' G# \- j( U* A) |
- C# L' v l. X! V
Method 10( l* S3 e2 t$ ^. [' D. I
=========7 B5 J+ P6 }! J" ]" W! Y
3 j0 x1 k/ ~' E3 e1 w=>Disable or clear breakpoints before using this feature. DO NOT trace with
" [" h0 ^: O( S# f' P SoftICE while the option is enable!!8 A: w) P: z( Q# w" i
V+ J! p2 q1 k# ^This trick is very efficient:
H$ |+ k& g6 K& d" z9 Tby checking the Debug Registers, you can detect if SoftICE is loaded6 Q4 F1 A T3 x; Q' P
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- Z, x7 }5 q/ W. e1 f) w6 R- w( F
there are some memory breakpoints set (dr0 to dr3) simply by reading their, K: v! I5 i' T5 o: x
value (in ring0 only). Values can be manipulated and or changed as well
* X9 X' O6 X$ v# p( P(clearing BPMs for instance)( s4 ?. B J% o& l8 p1 `5 h& m
9 Y$ X s1 I4 {1 o
__________________________________________________________________________
d0 A% U, G: C7 f
' J( ?. r8 m6 KMethod 119 H% x, t# \8 s2 T7 t" i3 {
=========
& R' t. b) R9 F$ _2 B# |* q0 p3 t! p! p( V6 b; n1 J- N
This method is most known as 'MeltICE' because it has been freely distributed7 J/ d0 {$ D( f& {0 I# [
via www.winfiles.com. However it was first used by NuMega people to allow$ L4 s+ a1 K8 U
Symbol Loader to check if SoftICE was active or not (the code is located! K! q. k; {7 {7 g" ~
inside nmtrans.dll).9 l K6 \- S" {5 b5 u
0 S9 k& ^8 Y7 H `3 O
The way it works is very simple:. Y+ A! Z e/ z. ?) f& F2 o$ u! A
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 p4 }) a% \% Y7 m; q7 m
WinNT) with the CreateFileA API.: f# A% `1 V' s
% z# d. X4 L) i# S d. A2 wHere is a sample (checking for 'SICE'):, D+ @9 U* a; U7 L
" v4 D$ }9 l9 i* E
BOOL IsSoftIce95Loaded()/ N3 h W* Y6 ~
{0 _) v4 t; E; W4 x* A4 N m7 B
HANDLE hFile;
3 p% l; [5 b9 f, I# X hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ b! l4 w9 [" b+ f0 S; C, V FILE_SHARE_READ | FILE_SHARE_WRITE,
% M" U3 C" n" Y* i8 A t1 A NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; G( r) H/ [# o2 L2 Y7 j: H
if( hFile != INVALID_HANDLE_VALUE )5 A6 F& k. N6 M I( a0 E
{
1 L H* _0 N* r0 Y8 W- p; ` CloseHandle(hFile);
: g O) ^9 I' V% T% N8 j return TRUE;' L' [: U4 t. u5 d. c l
}0 F2 O- }" {8 x' I6 ]
return FALSE; p$ s; {) k! C, O& C
}
6 ^# C# a5 s+ H3 F, a& Z9 z b' ~
# `; \5 b; n p9 d. M3 `' W; g0 o: H) XAlthough this trick calls the CreateFileA function, don't even expect to be, N7 s" |9 p5 I, K
able to intercept it by installing a IFS hook: it will not work, no way!
* F6 u1 b- N" {) NIn fact, after the call to CreateFileA it will get through VWIN32 0x001F" e, K* I7 n$ T. ~" U
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 G, L4 Z0 `" X' d* Q
and then browse the DDB list until it find the VxD and its DDB_Control_Proc C% A6 ^5 X" s
field.
2 R! f; b; Q- f7 Z7 j2 l, P" BIn fact, its purpose is not to load/unload VxDs but only to send a / `# B. H" y4 G0 O& `. A* d5 T6 a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). l8 z6 T/ \6 ^# g$ P8 D
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
' L" C2 H7 m8 n' o" Fto load/unload a non-dynamically loadable driver such as SoftICE ;-).8 ~0 @3 B& i/ N$ M
If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 `% K/ m. t& A/ I; O' F$ \its handle to be opened and then, will be detected.0 {- o7 ]* J1 E. E' ^# E8 p0 X
You can check that simply by hooking Winice.exe control proc entry point- h+ p' I" j6 q
while running MeltICE.
: Z7 c1 w$ x0 J& |( F4 G* D6 q8 U( J2 Z" G
Q) Z& V! |0 u; q8 S+ E, ?
00401067: push 00402025 ; \\.\SICE
# x6 v- S# Q2 A$ \: ]+ D 0040106C: call CreateFileA* b' d, ^- o) z6 S9 T. n0 S! A
00401071: cmp eax,-001
. z/ x* u1 q$ t4 ^( m 00401074: je 00401091
9 S. [) A* \8 F% p7 G; a) W. ~$ w- z% z$ y) V
) j6 p$ n0 g/ ~0 @: P: ~There could be hundreds of BPX you could use to detect this trick.
9 D2 g' d. u! i2 R, ^4 `" D& w-The most classical one is:1 B/ |7 C- X3 M
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||# `* D L. ]$ l3 H0 k
*(esp->4+4)=='NTIC'- m# J: L* x9 q
5 ]! ]6 b0 M; a; J* ^-The most exotic ones (could be very slooooow :-( `# y/ Z7 T: n4 g. H
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 G. E. i) }* s% Y' b1 Q
;will break 3 times :-(( Z6 H& k, H8 _. x2 g" t
6 l3 e, A# c# Z2 v/ b# I0 i* c
-or (a bit) faster:
4 c D% ] N0 V: a BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): w2 }6 S5 x7 z
# z/ K4 X Q- L! h BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
+ o% p) t* O+ P& z$ b ;will break 3 times :-(
. F. d# f9 ?1 A2 b, t0 K: c% {. t( F: o$ T+ B' p }
-Much faster:" F! ^ x! H' n: g
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'2 F0 c3 C; x! j1 }# p, V# C& |: z
2 N" Y1 R) J9 e! A/ i) o! g5 q! _+ G
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen) o7 L& V- w1 h
function to do the same job:* t3 e, @1 q) e" A. K
. @7 W, N' V9 w0 ~2 \ push 00 ; OF_READ& H- E- I* M/ x6 l$ _- K
mov eax,[00656634] ; '\\.\SICE',0" o, ^ I( k( c1 C) `4 Y6 T
push eax
^* `6 f9 Q1 a! }3 J call KERNEL32!_lopen
0 S. |- a b! W/ ? inc eax
4 t% X: E, Q/ g Y5 u jnz 00650589 ; detected& Y( h! Y. ]) N6 d* v
push 00 ; OF_READ0 G( a8 ]4 y' n( i9 x4 @
mov eax,[00656638] ; '\\.\SICE'
) d' E6 w, [ T! W+ P push eax
@8 f2 I( U) E! v( G( f8 M call KERNEL32!_lopen. m2 J9 f# r# @, s& x, U
inc eax
G9 c& Q* p, L1 t jz 006505ae ; not detected
& } f" A0 y0 {1 a! u+ T! @2 r! w$ M+ J/ g0 I6 Y# X
- E$ X5 y& V7 N3 M" S& g$ a
__________________________________________________________________________' S( o+ y9 G1 _) ^: o2 L
1 Q& V% G* t' SMethod 12/ Y/ K$ p+ M G/ R2 {- T( A
=========
- Z, b# h# J$ w- n7 a! Y/ X, q" N( E9 @9 m" G
This trick is similar to int41h/4fh Debugger installation check (code 05) m# o0 t: e7 b8 J+ w$ t
& 06) but very limited because it's only available for Win95/98 (not NT)& P) Z# G3 L0 O% E& b9 K- {- G+ G
as it uses the VxDCall backdoor. This detection was found in Bleem Demo. V: @) z: S: x- |9 x+ F& E& V* Z7 l- [
0 \! I6 _0 E( T# q' A4 i# M2 Z6 B2 ^$ H push 0000004fh ; function 4fh; y# f# q/ a) p- M
push 002a002ah ; high word specifies which VxD (VWIN32)1 z# {' |# O" g" g" a, D& {
; low word specifies which service
0 m, `1 k9 ~- g (VWIN32_Int41Dispatch)
. L# G7 t! V! B# L5 h' L call Kernel32!ORD_001 ; VxdCall( _5 N( b, r3 G. Y# r0 s
cmp ax, 0f386h ; magic number returned by system debuggers
) T' a9 j3 g4 E# r. g( O$ E$ s jz SoftICE_detected
1 W D$ R3 Z& u, Y; A) o7 q3 y5 k. d, B, b) C/ z+ }) r8 V
Here again, several ways to detect it:
) L3 I' v) V7 x% Z' ^# G9 r3 e1 Y- Q" c2 x9 V9 Z" K
BPINT 41 if ax==4f X( l9 ]3 r/ N4 Q
& R# ^& \: G' o
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one$ x6 N K0 w$ j+ j6 ~/ \
w, D: v( M8 \* c
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A; B3 Q4 o# n! t8 {9 [* ]
: G4 c, Z$ a- q5 b1 q$ h+ ]7 R" Z BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!9 e* z ~1 `, e& z, c6 q
5 V" L# s3 c1 E# B: o+ `; c) I/ L__________________________________________________________________________
; G$ S ^2 b1 l' P9 @, n3 U
* N0 i0 h& N% v# LMethod 138 X. r/ D( F9 C$ @1 a
=========
" P- d1 c) x D6 L! C
% B' a' u+ v& uNot a real method of detection, but a good way to know if SoftICE is: L4 y& t- ]/ x( t& m U
installed on a computer and to locate its installation directory. Y: k; Z5 F+ U# i* E) p- v' s1 X3 P/ L9 k
It is used by few softs which access the following registry keys (usually #2) :" m0 ?& s/ y) {' L+ c
% M/ \2 s, d0 b- b Q. U( `9 e
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 `- M- {: _$ t* w A
\Uninstall\SoftICE* s- B, `( I$ g( G
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! i. K& X/ y7 Q6 w% Z1 Z, o b-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: R( ~7 l' [" |) S
\App Paths\Loader32.Exe
) Q* _# v. D) d2 z% K- {1 _; a( i. n' d1 v! G
. O0 |' T, o6 G! n$ U3 Q9 @, E
Note that some nasty apps could then erase all files from SoftICE directory
& b2 {: u8 p; S: Y(I faced that once :-(
/ Y( ^ Q7 p3 ?% Z; ?3 O6 L) X* b" T' [
l& x1 I( }$ r5 f! m! |Useful breakpoint to detect it:
# B* ]4 l4 c2 A. Y! F
7 A& g* i8 o+ F BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
* c. B( V) E" O* ?7 f5 c8 l2 p8 I9 m2 C
__________________________________________________________________________, Y' C) H% E# s) N* C: ^5 W8 R
! K* H2 K2 _. r5 A) ` B( i& T
; q* X8 s4 b+ D0 PMethod 14 " O% T! o4 K' U, e5 ~6 Y
=========
1 |. h. Y5 F; a' S7 a- R2 `" U$ _- l6 n# [1 {
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ S, `& ~5 |% u. t' X# yis to determines whether a debugger is running on your system (ring0 only).
. t5 T$ h* ~8 V$ S) N7 X3 k' l+ P! Z- _
VMMCall Test_Debug_Installed
/ w2 q3 i+ G4 `. e0 M je not_installed/ t& ^% ~2 Q; S+ P, D: f
* H1 O d, E" e9 f
This service just checks a flag.5 O# y g0 t: A# P
</PRE></TD></TR></TBODY></TABLE> |