<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker ID)
        mov ax, 04h
        int 3                   ; SoftICE answers by changing AL if it is loaded
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; stays 0:0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh              ; debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). ES is assumed to point to the interrupt
vector table (segment 0), as set explicitly in Method 06:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our dummy handler into vector 41h
        xchg bx, es:[41h*4+2]   ; (offset, then segment), keeping the old one
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap our handler into vector 41h
        xchg bx, es:[41h*4+2]   ; (offset, then segment), keeping the old one
        in al, 40h              ; AL = arbitrary value (timer counter byte)
        xor cx,cx               ; CL = 0
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if our handler ran, CL == AL;
        jnz SoftICE_detected    ; otherwise a debugger took int 41h first
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h           ; magic number returned by system debuggers
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the SoftICE VxD by its device name; this only succeeds if the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
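As an added example (not part of the original text), here is a small Python static scanner that flags the byte patterns of Methods 01 to 05, 07, 11 and 13 in a raw code/data blob, the kind of triage check an analyst runs over a packed executable before loading it under a debugger. The opcode encodings, the regex signatures and the sample bytes are constructed for this example and assume 16-bit code for the DOS snippets.

```python
import re

# Byte-level signatures for the SoftICE detection tricks described on this
# page. Encodings are for 16-bit code (the DOS snippets of Methods 02-07);
# Method 01 is listed in both its 16-bit and 32-bit encodings. The signatures
# are constructed for this example; a short gap is allowed only between the
# interrupt and the 'cmp ax,0F386h' so that variants with code in between
# (as in Stone's examples) are still matched.
SIGNATURES = [
    ("01", "BoundsChecker check: mov ebp,'BCHK' / mov ax,4 / int 3",
     rb"(?:\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00|\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00)\xCC"),
    ("02", "back door magic values SI=4647h, DI=4A4Dh before int 3",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)\xCC"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "int 41h/4Fh followed by cmp ax,0F386h",
     rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3"),
    ("07", "int 68h/43h followed by cmp ax,0F386h",
     rb"\xB4\x43\xCD\x68.{0,16}?\x3D\x86\xF3"),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("13", "registry key probe for the SoftICE install directory",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]

def scan(blob):
    """Return a list of (method, description, offset) hits sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        # DOTALL so that '.' in the gap also matches a 0x0A byte
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((method, desc, m.start()))
    return sorted(hits, key=lambda h: h[2])

# Constructed sample (not a real binary): the Haspinst-style back door call,
# the simplest int 41h check and a MeltICE device name, separated by nops.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")  # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + bytes.fromhex("B84F00" "CD41" "3D86F3" "7402")        # mov ax,4Fh / int 41h / cmp ax,0F386h / jz +2
    + b"\x00" + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for method, desc, offset in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {method}: {desc}")
```

Run it over the raw bytes of a suspicious file (after unpacking any outer layer); a hit only tells you where to set the SoftICE breakpoints listed on this page, not that the program is malicious.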
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>