<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3 issued
with ebp='BCHK' and ax=4 is answered by SoftICE, which modifies al; with no
SoftICE loaded, al still holds 4 after the interrupt.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                ; al unchanged: nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; int call (if SoftICE is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) that only
  fires if the debugger is not loaded, since SoftICE otherwise consumes the
  int 3 itself.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed beforehand; it is only
overwritten with the API entry point when the VxD is loaded.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WINICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di               ; quick non-zero test (es+di can wrap to 0, so not watertight)
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector in the real-mode
IVT is swapped for a dummy handler around the call, so that with no debugger
present the interrupt returns with ax unchanged, whereas SoftICE, which traps
the interrupt itself, still answers 0F386h:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; es must be 0 (IVT): install the dummy handler,
    xchg bx, es:[41h*4+2]    ; keeping the old vector in dx:bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect. Instead of
asking for the magic number, it installs a handler that copies al into cl and
calls int 41h with an unpredictable al (read from the timer port). If the
program's own handler runs, cl ends up equal to al; if SoftICE swallows the
interrupt, cl stays 0 (a value of al==0 would give a false negative):

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax               ; es = 0 -> real-mode IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the handler, save the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; al = low byte of the PIT counter, hard to predict
    xor cx, cx
    int 41h                  ; our handler: cl = al; SoftICE: cl untouched
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h              ; set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
of that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (dr0 to
dr3) simply by reading their value (in ring 0 only, since mov from a debug
register is a privileged instruction). The values can be manipulated or
changed as well (clearing BPMs, for instance).

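Method 10 reads dr0..dr3 and dr7 and compares dr7 against 0x700/0x400. The decoder below is an added example, not part of the original text or of SoftICE: it splits dr7 into the per-register enable, type and length fields (layout per the Intel manual), applies the 0x700/0x400 test quoted above, builds a BPM-style entry, and shows the 'clear the BPMs' manipulation the text mentions. The BPM encodings it constructs are sample values for this example; on real hardware the reads (mov eax, dr7) need ring 0, which is why the check lives in a VxD.

```c
/* Added example: decode the x86 DR7 debug-control register the way Method 10
 * reads it from ring 0. Bit layout (Intel SDM vol. 3, "Debug Registers"):
 * L0..L3 bits 0,2,4,6; G0..G3 bits 1,3,5,7; LE bit 8; GE bit 9; bit 10 is
 * reserved and always reads 1 (hence the 0x400 the text quotes); R/Wn at bits
 * 16+4n, LENn at bits 18+4n. The BPM values below are constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hw_bp {
    int enabled;        /* Ln or Gn set: drn is armed */
    int global;         /* Gn set: survives task switches */
    const char *type;   /* "exec", "write", "io", "rw" */
    unsigned length;    /* 1, 2, 4; 8 only exists in 64-bit mode */
};

struct dr7_view {
    struct hw_bp bp[4];
    int local_exact;    /* LE, bit 8 */
    int global_exact;   /* GE, bit 9 */
    int any_bp;         /* some dr0..dr3 armed: a BPM is set */
};

struct dr7_view decode_dr7(uint32_t dr7) {
    static const char *rw_names[4] = { "exec", "write", "io", "rw" };
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 };  /* 10b undefined on 32-bit CPUs */
    struct dr7_view v;
    memset(&v, 0, sizeof v);
    for (int n = 0; n < 4; n++) {
        unsigned l = (dr7 >> (2 * n)) & 1u, g = (dr7 >> (2 * n + 1)) & 1u;
        v.bp[n].enabled = (int)(l | g);
        v.bp[n].global = (int)g;
        v.bp[n].type = rw_names[(dr7 >> (16 + 4 * n)) & 3u];
        v.bp[n].length = len_bytes[(dr7 >> (18 + 4 * n)) & 3u];
        v.any_bp |= v.bp[n].enabled;
    }
    v.local_exact = (int)((dr7 >> 8) & 1u);
    v.global_exact = (int)((dr7 >> 9) & 1u);
    return v;
}

/* Method 10's first test: 0x700 = reserved|LE|GE is what the SoftICE loader
 * leaves behind; 0x400 is the reserved bit alone. */
int dr7_set_by_softice_loader(uint32_t dr7) {
    return (dr7 & 0x300u) == 0x300u;
}

/* Arm drn as a BPM-style entry with the local enable bit:
 * rw = 0 exec, 1 write, 3 read/write; len = 0 byte, 1 word, 3 dword. */
uint32_t dr7_arm_bpm(uint32_t dr7, int n, unsigned rw, unsigned len) {
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((rw & 3u) | ((len & 3u) << 2)) << (16 + 4 * n);
    return dr7;
}

/* Method 10's second use: drop every L/G bit and R/W-LEN field, keeping only
 * the control bits (LE, GE, GD, reserved). 0xD0401 -> 0x400. */
uint32_t dr7_clear_bpms(uint32_t dr7) {
    return dr7 & 0x0000FF00u;
}

int main(void) {
    uint32_t dr7 = dr7_arm_bpm(0x400u, 0, 1, 3);   /* BPM on dr0, write, dword */
    struct dr7_view v = decode_dr7(dr7);
    printf("dr7=%08X  loader signature on 0x700: %d\n", dr7,
           dr7_set_by_softice_loader(0x700u));
    for (int n = 0; n < 4; n++)
        if (v.bp[n].enabled)
            printf("dr%d: %s, %u byte(s)%s\n", n, v.bp[n].type, v.bp[n].length,
                   v.bp[n].global ? " (global)" : "");
    printf("after clearing BPMs: %08X\n", dr7_clear_bpms(dr7));
    return 0;
}
```

A protected program that only compares dr7 with 0x400 is defeated by the clearing routine; one that also compares dr0..dr3 against 0 needs those registers zeroed as well, which is exactly why the text warns against tracing with BPMs set while this check runs.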
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by the NuMega
people to let Symbol Loader check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. If the driver is loaded the open
succeeds and a valid handle comes back; otherwise INVALID_HANDLE_VALUE.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);          /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
 00401074: je 00401091          ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 '\\.\' prefix, so the first four characters of the device name are compared):

   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :

   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:

   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:

   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on failure,
hence the inc eax / jnz test):

   push 00                  ; OF_READ
   mov eax,[00656634]       ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax
   jnz 00650589             ; detected
   push 00                  ; OF_READ
   mov eax,[00656638]       ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word selects the VxD (VWIN32),
                             ; low word selects the service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets 0x13
and 0x37 land on the 'tICE' of 'SoftICE' in keys #2 and #1 respectively):

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

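Most of the tricks above reduce to fixed byte sequences (the magic immediates and interrupt numbers of Methods 01 to 07 and 12) or to fixed strings (the driver names of Method 11, the registry key of Method 13). The scanner below is an added example, not code from the original text or from any program it mentions: it walks a raw image for those encodings and reports the offsets, which is how you would locate the stub before placing a breakpoint on it. The byte patterns are the encodings of the listings above in their 16-bit form (the 32-bit forms of mov ax / cmp ax carry a 66h prefix and still match); the pattern syntax ('??' wildcard, 's:' for text) and the sample image are this example's own constructions.

```c
/* Added example: locate SoftICE-detection stubs and MeltICE-style strings in
 * a raw code/data image. Patterns are the byte encodings of the listings on
 * this page; the sample image is constructed here, not taken from a binary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPAT 32

struct sig { const char *name; const char *pattern; };  /* "??" = wildcard, "s:" = ASCII */

const struct sig sigs[] = {
    { "M01 BoundsChecker magic: mov ebp,4243484Bh",       "BD 4B 48 43 42" },
    { "M02 backdoor: mov si,4647h / mov di,4A4Dh / int 3", "BE 47 46 BF 4D 4A CC" },
    { "M02 backdoor (di loaded first)",                    "BF 4D 4A BE 47 46 CC" },
    { "M03 int 2Fh/1684h, VxD ID 0202h (SICE)",            "B8 84 16 BB 02 02 CD 2F" },
    { "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",          "B8 84 16 BB 5F 7A CD 2F" },
    { "M05 int 41h/4Fh debugger check",                    "B8 4F 00 CD 41" },
    { "M05/07/12 cmp ax,0F386h magic",                     "3D 86 F3" },
    { "M07 int 68h/43h",                                   "B4 43 CD 68" },
    { "M12 push 4Fh / push 002A002Ah before VxDCall",      "6A 4F 68 2A 00 2A 00" },
    { "M11 device name \\\\.\\SICE",                       "s:\\\\.\\SICE" },
    { "M11 device name \\\\.\\SIWVID",                     "s:\\\\.\\SIWVID" },
    { "M11 device name \\\\.\\NTICE",                      "s:\\\\.\\NTICE" },
    { "M13 registry key ...\\NuMega\\SoftICE",             "s:NuMega\\SoftICE" },
};
const size_t nsigs = sizeof sigs / sizeof sigs[0];

struct compiled { uint8_t byte[MAXPAT]; uint8_t wild[MAXPAT]; size_t len; };

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Compile "BE 47 ?? CC" or "s:text" into bytes plus a wildcard mask; 0 on malformed input. */
int compile_pattern(const char *p, struct compiled *out) {
    out->len = 0;
    if (p[0] == 's' && p[1] == ':') {
        size_t n = strlen(p + 2);
        if (n == 0 || n > MAXPAT) return 0;
        memcpy(out->byte, p + 2, n);
        memset(out->wild, 0, n);
        out->len = n;
        return 1;
    }
    while (*p) {
        if (*p == ' ') { p++; continue; }
        if (out->len == MAXPAT) return 0;
        if (p[0] == '?' && p[1] == '?') {
            out->byte[out->len] = 0;
            out->wild[out->len] = 1;
        } else {
            int hi = hexval(p[0]), lo = hexval(p[1]);   /* lo = -1 on an odd digit or end of string */
            if (hi < 0 || lo < 0) return 0;
            out->byte[out->len] = (uint8_t)(hi << 4 | lo);
            out->wild[out->len] = 0;
        }
        out->len++;
        p += 2;
    }
    return out->len > 0;
}

struct hit { size_t offset; const char *name; };

/* Scan buf for every signature; stores up to max_hits hits, returns how many were stored. */
size_t scan_image(const uint8_t *buf, size_t len, struct hit *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t s = 0; s < nsigs && n < max_hits; s++) {
        struct compiled c;
        if (!compile_pattern(sigs[s].pattern, &c)) continue;
        for (size_t off = 0; off + c.len <= len && n < max_hits; off++) {
            size_t i = 0;
            while (i < c.len && (c.wild[i] || buf[off + i] == c.byte[i])) i++;
            if (i == c.len) { hits[n].offset = off; hits[n].name = sigs[s].name; n++; }
        }
    }
    return n;
}

/* Constructed sample: the Haspinst-style stub of Method 02, the Method 05
 * check, and a MeltICE device name, back to back. */
const uint8_t sample_image[] = {
    0xB8, 0x11, 0x09,              /* 0000: mov ax,0911h   execute command */
    0x8B, 0x17,                    /* 0003: mov dx,[bx]    ds:dx -> command */
    0xBE, 0x47, 0x46,              /* 0005: mov si,4647h   1st magic value */
    0xBF, 0x4D, 0x4A,              /* 0008: mov di,4A4Dh   2nd magic value */
    0xCC,                          /* 000B: int 3 */
    0xB8, 0x4F, 0x00,              /* 000C: mov ax,4Fh */
    0xCD, 0x41,                    /* 000F: int 41h */
    0x3D, 0x86, 0xF3,              /* 0011: cmp ax,0F386h */
    0x74, 0x00,                    /* 0014: jz (target irrelevant here) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0   /* 0016: "\\.\SICE" */
};
const size_t sample_image_len = sizeof sample_image;

int main(void) {
    struct hit hits[16];
    size_t n = scan_image(sample_image, sample_image_len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%04zX  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

The short patterns (cmp ax,0F386h is only three bytes) will produce false positives on large images, so treat a hit as a place to disassemble, not as proof; a real stub normally shows two or three of these signatures within a few dozen bytes of each other, as the sample does.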
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed                 ; ZF set -> no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>