<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI == 0:0 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax alone; a debugger answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if the real int 41h vector is reached
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value (timer port)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al means our handler never got control
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE, but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

/* needs windows.h */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the driver only answers the open when the SICE VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
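Most of the methods above boil down to a handful of fixed constants that end up in the protected binary: the 'BCHK' value of method 01, the 4647h/4A4Dh magic of method 02, the VxD IDs of methods 03/04, the 0F386h reply checked by methods 05, 06, 07 and 12, the 002A002Ah VxDCall selector of method 12, the device names opened by method 11 and the registry key of method 13. The scanner below is an added example (not code from the original text): it searches a byte blob for those little-endian immediates and strings so an analyst can flag the trick statically before running the sample. The `INDICATORS` table, the `scan`/`methods_found` functions and the hand-assembled `SAMPLE` are all my own constructions; the sample is not taken from any real program.

```python
"""Static scanner for the SoftICE-detection constants listed on this page.

Added example, not part of the original text. It flags the immediates and
strings the methods rely on; a 3-byte immediate alone is a weak signal, so
method 02 is only reported when both of its magic values are present.
"""
from typing import Dict, List

# (method on the page, raw byte pattern, description). x86 stores immediates
# little-endian, so 'mov si,4647h' is BE 47 46 and the dword 4243484Bh
# ('BCHK') appears in the file as 4B 48 43 42.
INDICATORS = [
    ("Method 01", b"\x4b\x48\x43\x42", "dword 4243484Bh ('BCHK') BoundsChecker signature"),
    ("Method 02", b"\xbe\x47\x46", "mov si,4647h (SoftICE back-door magic)"),
    ("Method 02", b"\xbf\x4d\x4a", "mov di,4A4Dh (SoftICE back-door magic)"),
    ("Method 03", b"\xbb\x02\x02", "mov bx,0202h (SICE VxD ID) before int 2Fh/1684h"),
    ("Method 04", b"\xbb\x5f\x7a", "mov bx,7A5Fh (SIWVID VxD ID) before int 2Fh/1684h"),
    ("Method 05/06/07/12", b"\x3d\x86\xf3", "cmp ax,0F386h (system-debugger magic reply)"),
    ("Method 12", b"\x68\x2a\x00\x2a\x00", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    ("Method 11", b"\\\\.\\SICE", "device name \\\\.\\SICE (MeltICE)"),
    ("Method 11", b"\\\\.\\SIWVID", "device name \\\\.\\SIWVID (MeltICE)"),
    ("Method 11", b"\\\\.\\NTICE", "device name \\\\.\\NTICE (MeltICE)"),
    ("Method 13", b"Software\\NuMega\\SoftICE", "SoftICE registry key"),
]


def scan(data: bytes) -> List[Dict[str, object]]:
    """Return every indicator hit as {"method", "offset", "what"}, sorted by offset."""
    hits: List[Dict[str, object]] = []
    for method, pattern, what in INDICATORS:
        pos = data.find(pattern)
        while pos != -1:
            hits.append({"method": method, "offset": pos, "what": what})
            pos = data.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def methods_found(data: bytes) -> List[str]:
    """Distinct page methods whose indicators are present (sorted by name).

    Method 02 needs both SI and DI magic values; one alone is dropped.
    """
    seen = {str(h["method"]) for h in scan(data)}
    if "Method 02" in seen and not (b"\xbe\x47\x46" in data and b"\xbf\x4d\x4a" in data):
        seen.discard("Method 02")
    return sorted(seen)


# Constructed sample (hand-assembled, not from any real binary): padding, then
# the code sequences of methods 01, 02 and 05, then two MeltICE device names.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"                   # mov ebp,4243484Bh          (method 01)
    + b"\xb8\x04\x00\xcc"                           # mov ax,4 / int 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov ax,911h / si,4647h / di,4A4Dh / int 3 (method 02)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # mov ax,4Fh / int 41h / cmp ax,0F386h (method 05)
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # \\.\SICE and \\.\NTICE strings (method 11)
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit['offset']:#06x}  {hit['method']:<20} {hit['what']}")
    print("methods:", ", ".join(methods_found(SAMPLE)))
```

Run it on a real file with `scan(open(path, "rb").read())`. Because the patterns are short immediates, treat a single hit as a lead to confirm in a disassembler rather than proof; the combination rule used for method 02 is the kind of refinement worth extending to the other three-byte patterns (for example requiring `int 41h`, CD 41, near the `cmp ax,0F386h`).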