<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE answers the
'BCHK' handshake, AL no longer holds 4 after the int 3.

 mov ebp, 04243484Bh     ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h           ; VxD ID of winice
 int 2Fh
 mov ax, es              ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh           ; VxD ID of SIWVID
 int 2Fh
 mov ax, es              ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax, 4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; ES must already point to the IVT (segment 0), as set up in Method 06.
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]      ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax, 4fh
 int 41h
 xchg dx, es:[41h*4]      ; ...and restore the original one
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h           ; only a debugger hooking int 41h can return the magic
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al                ; our handler copies AL into CL
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h               ; AL = a value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al                ; CL != AL means our handler never ran
 jnz SoftICE_detected
__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah, 43h
 int 68h
 cmp ax, 0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
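The interrupt-based checks of Methods 01 to 07 all leave fixed immediates in the code (the 'BCHK' constant, the 0911h/4647h/4A4Dh back-door values, 1684h with the 0202h/7A5Fh VxD IDs, 4Fh before int 41h, AH=43h before int 68h, and the 0F386h compare), which makes them easy to triage statically. The following Python scanner is an added example and is not code from the original text or from any of the tools it mentions; it assumes the standard 16-bit x86 encodings of the instructions listed above, the signature names and gap sizes are my own choices, and the sample code bytes are constructed for the example rather than taken from a real binary.

```python
"""Static triage for the interrupt-based SoftICE checks in Methods 01-07.

Added example, not part of the original text.  It scans raw 16-bit x86
code bytes for the instruction idioms the methods use: the fixed
immediates followed within a few bytes by the INT that hands them to the
debugger.  The `.{0,8}?` gaps tolerate a couple of unrelated instructions
in between (e.g. the `mov dx,[bx]` in the Haspinst loop).
"""
import re

# (name, regex over raw code bytes).  re.DOTALL lets '.' match 0x0A too.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BoundsChecker BCHK handshake over INT 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00"
                rb".{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Method 02: [mov ax,091xh] ; mov si,4647h ; mov di,4A4Dh ; int 3
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh) over INT 3",
     re.compile(rb"(?:\xB8[\x10-\x14]\x09.{0,8}?)?\xBE\x47\x46.{0,8}?"
                rb"\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 INT 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 INT 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("M07 INT 68h/AH=43h V86 handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Shared tell-tale of 05/06/07/12: cmp ax,0F386h
    ("cmp ax,0F386h system-debugger magic value",
     re.compile(rb"\x3D\x86\xF3")),
]


def scan(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every idiom found, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(code):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: the Haspinst loop from Method 02, then Method 05, 07,
# 03 and 01 encoded as 16-bit code, with NOP filler.  Offsets in comments.
SAMPLE_CODE = b"".join([
    bytes.fromhex("9090"),                          # 0: nop ; nop
    bytes.fromhex("B81109"),                        # 2: mov ax,0911h
    bytes.fromhex("8B17"),                          # 5: mov dx,[bx]
    bytes.fromhex("BE4746"),                        # 7: mov si,4647h
    bytes.fromhex("BF4D4A"),                        # 10: mov di,4A4Dh
    bytes.fromhex("CC"),                            # 13: int 3
    bytes.fromhex("83C302" "41" "83F906" "72EC"),   # 14: add bx,2/inc cx/cmp cx,6/jb
    bytes.fromhex("90"),                            # 23: nop
    bytes.fromhex("B84F00" "CD41" "3D86F3" "7405"), # 24: mov ax,4Fh/int 41h/cmp/jz
    bytes.fromhex("B443" "CD68" "3D86F3"),          # 34: mov ah,43h/int 68h/cmp
    bytes.fromhex("31FF" "8EC7"),                   # 41: xor di,di/mov es,di
    bytes.fromhex("B88416" "BB0202" "CD2F"),        # 45: mov ax,1684h/mov bx,202h/int 2Fh
    bytes.fromhex("8CC0" "01F8" "85C0" "7500"),     # 53: mov ax,es/add ax,di/test/jnz
    bytes.fromhex("66BD4B484342" "B80400" "CC" "3C04" "7500"),  # 61: BCHK handshake
])


if __name__ == "__main__":
    for offset, name in scan(SAMPLE_CODE):
        print(f"{offset:#06x}  {name}")
```

Run against a raw code dump the scanner prints one line per idiom; the 0F386h compare fires on its own as well, so a hit on it without a matching INT signature is worth a manual look (Method 06 and Method 12 both compare against it without a `mov ax,4Fh / int 41h` pair).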
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h                     ; set interrupt vector
 mov al, Int_Number              ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE (Win9x) driver answers a CreateFile open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxdCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
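Both the MeltICE device-name probe of Method 11 and the registry-key probe of Method 13 need their literal strings somewhere in the binary (the `\\.\SICE` style device path pushed to CreateFileA/_lopen, and the registry paths handed to RegOpenKey), so a plain string sweep over a file image finds them without running the program. The following Python is an added example, not code from the original text or from MeltICE, and it assumes only the device and registry names listed above; the sample image is a constructed byte blob standing in for a file, not a real executable.

```python
"""String indicators for the MeltICE device-name probe (Method 11) and the
registry-key probe (Method 13).

Added example, not part of the original text.  The sweep looks for the
device paths and registry paths in both ASCII and UTF-16LE (what a
RegOpenKeyW/CreateFileW caller would carry), case-insensitively, since
registry paths and Win32 device names are not case sensitive.
"""

# Device names opened by MeltICE-style checks (Method 11).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]

# Registry paths probed to locate the installation (Method 13).
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

ENCODINGS = (("ascii", "ascii"), ("utf16", "utf-16-le"))

# Which method in the text each indicator kind points back to.
METHOD_OF_KIND = {"device": "Method 11", "registry": "Method 13"}


def find_indicators(image: bytes) -> list[tuple[int, str, str, str]]:
    """Return sorted (offset, encoding label, kind, indicator) tuples."""
    # bytes.lower() only folds ASCII letters, so it is safe on the UTF-16LE
    # form of ASCII text too (the interleaved 0x00 bytes are untouched).
    haystack = image.lower()
    hits = []
    for kind, needles in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for text in needles:
            for label, codec in ENCODINGS:
                needle = text.encode(codec).lower()
                pos = haystack.find(needle)
                while pos >= 0:
                    hits.append((pos, label, kind, text))
                    pos = haystack.find(needle, pos + 1)
    return sorted(hits)


def suspected_methods(image: bytes) -> set[str]:
    """Names of the methods from the text whose strings appear in the image."""
    return {METHOD_OF_KIND[hit[2]] for hit in find_indicators(image)}


# Constructed sample image: a fake header, an ASCII device name as pushed to
# CreateFileA, a wide registry path in a different letter case, and a second
# device name.  Offsets: SICE at 16, registry path at 30, NTICE at 78.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 5
    + "SOFTWARE\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\NTICE\x00"
    + b"\x00" * 3
)


if __name__ == "__main__":
    for offset, label, kind, text in find_indicators(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {label:5}  {kind:8}  {text}")
    print("suspected:", sorted(suspected_methods(SAMPLE_IMAGE)))
```

A hit on a device name alone is a reasonable trigger for the `BPX CreateFileA` breakpoint given above, while a registry-path hit says the program only locates the installation directory, which is what makes the file-deletion behaviour mentioned under Method 13 worth checking for before running the sample.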
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>