<TABLE width=500> E0 ]0 u. i' }' s0 }- E4 H
<TBODY>! x: y, D( R. F: Q
<TR>
! B/ f, n1 z5 C$ M- Y<TD><PRE>Method 01 * ?- Z& {1 E/ _4 |' I8 ^- U
=========
/ Z8 r. n) ^# r o+ l; d9 |' ~2 _6 I! j9 f. a
This method of detection of SoftICE (as well as the following one) is
/ i- g" J A4 sused by the majority of packers/encryptors found on Internet.
# x% D- ?) p" {$ BIt seeks the signature of BoundsChecker in SoftICE# t p4 [4 [# Z# F5 |
; B; S% x0 C* p1 l; r mov ebp, 04243484Bh ; 'BCHK'6 F# ]( T( @ G& F! \. `7 ?2 k) g
mov ax, 04h
$ Q5 d3 {0 y+ I& g& J: o. e int 3 2 k! X$ R- l, T. X
cmp al,4
, H- q' B8 M6 K$ O3 s( P jnz SoftICE_Detected! n+ c$ f2 b) D0 v+ ~9 y' y
9 a7 f2 y( W1 a4 B$ M___________________________________________________________________________8 Z$ Q3 x& g/ W- ^
0 O% A* t& y5 L$ z& h# ?Method 02- H8 o/ K. ]9 H5 b/ J# ^2 v$ j& Q
=========
" f) i4 S& H$ f- Z' `* K) P- {& I3 X& ?& U2 @5 E( z `: y
Still a method very much used (perhaps the most frequent one). It is used
7 N6 k) K# Z* @& \1 l' {% I: qto get SoftICE 'Back Door commands' which gives infos on Breakpoints,/ {4 s$ r( a" ^: m" ?
or execute SoftICE commands...! t) U& Q8 ~, |$ x+ u" Y
It is also used to crash SoftICE and to force it to execute any commands' U8 b0 _' ^' h
(HBOOT...) :-(( 2 ^. G" t- ^% ]/ r! o$ T
G# Y( f3 [/ l* v. \; IHere is a quick description:* u6 ~8 W7 E0 v, u' a, G
-AX = 0910h (Display string in SIce windows) O a5 f& |$ |# E2 ]% x% c" [. j
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)6 ]/ L* ~7 R! D! @ s% O; E
-AX = 0912h (Get breakpoint infos)- e% L6 U" V& ?* q9 ^
-AX = 0913h (Set Sice breakpoints): E' g1 k+ m& W
-AX = 0914h (Remove SIce breakoints)2 g8 x2 j! o% n0 l7 |9 ^
/ k5 n( f2 T+ f+ q0 g
Each time you'll meet this trick, you'll see:, M, Y0 `/ A1 J6 ?# A0 s8 E2 A! c
-SI = 4647h7 ~( B: u" @9 m! U0 j8 M
-DI = 4A4Dh
3 D7 i7 z8 t+ f% o" K* ^9 _Which are the 'magic values' used by SoftIce.& l7 c- Q$ K9 D; ]5 ?7 D. I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
2 U% W5 a& G" P7 Z Q7 {, d9 q' E9 `) g: @! z7 Q
Here is one example from the file "Haspinst.exe" which is the dongle HASP
+ Y a, ?6 V$ _Envelope utility use to protect DOS applications:
8 V2 T2 X+ s9 } m3 J
: Q+ l# E) a# E, Q! ~" T& {! H, K" W4 I1 K; A* y
4C19:0095 MOV AX,0911 ; execute command.+ D* H/ E4 i+ V7 p d2 X- h
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)." w. f4 M( h& b# z5 m" P. P7 _
4C19:009A MOV SI,4647 ; 1st magic value.: v O* j) ~! s
4C19:009D MOV DI,4A4D ; 2nd magic value.* Q. Q0 k. Q9 x6 X8 C
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 L [* W6 L" Q2 Q8 }" M, _
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
# Q, b/ S8 E# Q6 `4 o/ X4C19:00A4 INC CX
3 h# D* h) P% \4C19:00A5 CMP CX,06 ; Repeat 6 times to execute8 v' r% y. N' S' s3 s' ^8 H
4C19:00A8 JB 0095 ; 6 different commands.
5 T+ w$ _6 s+ V( D4C19:00AA JMP 0002 ; Bad_Guy jmp back.' f5 X* x G3 l
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
% u/ t# q' @3 p' g- s ^5 o
! Q9 S, V- o" TThe program will execute 6 different SIce commands located at ds:dx, which3 u P) _) ]+ R' z
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.1 V% o) w, h; e" K+ o2 E
3 x4 w3 G) h: V6 T
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
) r' T9 G( B9 e Y___________________________________________________________________________
) |1 j8 S- {& E( \6 g/ x) D9 a; \% P. l4 ?
# {* R/ w4 \! k* e2 oMethod 03: U' Y* Q% g/ j, P6 m# T7 V& i
=========) a/ o! N- |( ?( f K0 M' \
4 _8 X2 @; O' y2 rLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
$ Z! O. C$ l; Y+ I6 H7 r$ k G+ L(API Get entry point)# @5 `) S* j) l! x1 u- j+ [/ u
! a u; `: p! r8 `! w- j6 A& B, n
xor di,di
' X! Q. o* R% W/ G0 P4 G mov es,di, y* U4 ]( j1 n9 q. o, O, |/ b# C$ C
mov ax, 1684h
& b5 q4 T- H/ g3 y0 {" Q" Y* d mov bx, 0202h ; VxD ID of winice; c! ~% c' n h
int 2Fh. u- w5 _* q* q$ ?0 G
mov ax, es ; ES:DI -> VxD API entry point
: A! Z- [4 R2 {0 e& M+ w add ax, di$ V/ V2 W; }& H Q# g' k
test ax,ax
v+ ?6 w( m: j X1 u jnz SoftICE_Detected0 @" D8 h+ h5 o8 l8 {
/ Z1 U* t( N) ?# m: L: Z___________________________________________________________________________
, k% ?6 b: N# V9 _- Z9 _5 E0 ~; U% v5 r: W; p+ H& i* g
Method 04
' x# y0 p; o6 S5 F=========" P! g: m- }9 ]. ~* y
- h4 b- H, j5 o: q, F# [
Method identical to the preceding one except that it seeks the ID of SoftICE1 c; [! _- X m* [
GFX VxD.* k4 ?6 r0 B: j2 T( l
& p l, R2 j- g4 {+ w5 l8 Q! Y xor di,di" i' F; r( m/ E9 Z; R( r' z$ e
mov es,di% q/ j, K; g, y6 V4 C6 p
mov ax, 1684h
6 }. v0 I% Y9 ~) U* u mov bx, 7a5Fh ; VxD ID of SIWVID9 ]7 V. n ]. B3 R/ K6 W5 Z
int 2fh# I( S8 ^- S. r6 Y) o
mov ax, es ; ES:DI -> VxD API entry point
# c( I1 r2 z, I J4 c- C add ax, di
- \0 [3 U3 e/ u& Z test ax,ax4 M W) H }7 i
jnz SoftICE_Detected9 n) k k- p/ [- h% m
+ t, p3 u' m; y__________________________________________________________________________
% Y4 d, v/ E d
/ N5 T2 H- R U6 G5 S8 `2 u
6 X7 O! E3 s# S/ pMethod 058 f, Z+ T5 y9 U D- w9 m8 |4 A
=========0 m" I4 o) f! ?5 W
0 N" h; U0 {! s# n3 ^3 C
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ ]7 Q4 l7 ^, q$ u3 _8 [# }debugger. It calls the int 41h, function 4Fh.
* d, g& A$ m6 s8 L) U5 fThere are several alternatives. / N7 K% Q4 d: x8 H/ {3 s$ u R F
+ I2 n+ d+ f; oThe following one is the simplest:5 K1 ~% g. P* q; @; Z/ `
$ ]( Q. C; n6 r* S- r! {
mov ax,4fh0 D+ H7 ^$ I. U6 y8 h+ e
int 41h' S1 V& J" x# I1 H
cmp ax, 0F386
; o) [/ J; \5 E9 W9 q jz SoftICE_detected* x, [) n3 [0 \/ m P" G
+ a# X' f/ ^- y3 k& n! X: D& v: @& `" R; p, n( X$ A, \
Next method as well as the following one are 2 examples from Stone's
0 f& r3 m2 \7 I"stn-wid.zip" (www.cracking.net):! I" p( Q" s4 y# H# C/ Z
' d3 V* ~* F1 }) G
mov bx, cs
2 Y, c2 D8 c4 D8 | lea dx, int41handler2
5 s; q/ C4 V' r* c5 g1 u, a xchg dx, es:[41h*4]
. U/ ~ p8 r7 e* n- Z1 D: X xchg bx, es:[41h*4+2]
" b d% Y# o% o. x$ o mov ax,4fh
& U$ ]5 \0 ^, [: j int 41h
/ [# v( W3 C$ |, E, T2 f xchg dx, es:[41h*4]. B/ C5 |( m5 @. D$ a
xchg bx, es:[41h*4+2]1 T" D+ M5 r4 {
cmp ax, 0f386h
5 S) p$ G+ X" |* z, u3 p% t# d jz SoftICE_detected2 `; G( J9 s/ c
0 K% V6 m) K* K
int41handler2 PROC
% u( b9 h% c- \ iret' |1 i( b+ i2 k2 ?2 _: q0 B
int41handler2 ENDP
8 e7 Z% x0 F) g! A, ~3 C- r6 U7 u! R# C o
# `) c* X. p1 z4 m( |, ?. c/ g, _5 X
_________________________________________________________________________
/ n6 c5 _8 \5 ?" f& I# p' N& c9 V; ] K6 O
: t1 G: Z4 `8 Y$ D3 ~# mMethod 06
) g2 ?- J8 n5 m+ o=========
* }* T$ x; W2 ~; T" n' P2 z2 L8 u" Y! |8 u; v/ u
# P7 _" c- g! j1 z! n) N- P
2nd method similar to the preceding one but more difficult to detect:
3 [( G$ R, I/ P$ Z$ O) V% Z u2 u7 R% m X# Q; G9 @
# Z- Y; w5 h8 e. kint41handler PROC+ O* q$ x3 s. [8 H D/ g
mov cl,al
( u1 f; `" C2 g @4 ^% \7 P iret8 ?* U+ G: T! o7 L% H% C Y9 E
int41handler ENDP" D0 O5 D; S& W2 ?3 n" J
. b/ H* |. D$ n" \) g0 a
B. C: t- K: c# `/ z xor ax,ax
) a# e4 H- @3 b. k mov es,ax
: A1 V: ^9 M+ x3 q: J, D mov bx, cs6 f" M- J, T7 e# E: e* X
lea dx, int41handler
+ ?2 I% o; A. R+ h1 I& V- P' i* | xchg dx, es:[41h*4]: A; q. ~0 S8 e; \$ i8 n
xchg bx, es:[41h*4+2]& ? N* T3 w) e" P9 ^7 d
in al, 40h0 r8 D& i" `5 N* X) h
xor cx,cx4 a( E1 G# v: J) O7 J' ]0 P
int 41h
5 Y7 P; ~5 H; |) \ xchg dx, es:[41h*4]' A; r9 B' W$ e
xchg bx, es:[41h*4+2]
5 \) K2 j# o8 n6 p4 ` g$ g cmp cl,al! K& V" L8 F4 z# i; }
jnz SoftICE_detected, x6 L1 z& p3 z4 ?
8 M8 O, y7 D v" H% m$ y" _
_________________________________________________________________________
! h4 f: _, A5 t/ z1 G( ]2 l4 U
2 ^- l5 d% l2 j! @: n v# j1 p3 bMethod 07" `! t8 e: `6 f/ M
=========
0 ?4 h; R' Z* B7 t1 j- E0 D2 _9 h6 U1 V, A5 T, g
Method of detection of the WinICE handler in the int68h (V86)
% ]. _& X, p, V4 x: c; T
3 } P$ L% d7 U' B" H mov ah,43h
4 w7 \ R$ Y% M2 Q" j int 68h+ p3 K' d/ v' `# P+ L
cmp ax,0F386h
7 v' t1 _$ S @4 H' z C jz SoftICE_Detected
$ v3 m2 E/ d8 _8 r, ]* o; T; @" j, Y2 |# F( w5 b
( r4 X' P/ G! P! B9 }2 A0 o=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- F* U( b7 w6 f9 y% w! Q7 s app like this:
! M, d; I) j% U5 G3 }& j }* @/ P/ w8 y2 S
! r2 U& s# B% G1 T0 C BPX exec_int if ax==68$ C# K* ]: E7 W$ t. `! L& ]
(function called is located at byte ptr [ebp+1Dh] and client eip is
/ ^% n0 u- E7 d# a located at [ebp+48h] for 32Bit apps)3 G: _; N$ I6 a, {+ g1 Y
__________________________________________________________________________
' H4 ~# ?- p {9 P/ }- A# T6 P9 ~+ u* P0 h; h
& p m- h+ |% {6 z2 c4 g
Method 08
7 y4 f# \2 z+ P! ?! P$ s# ~1 I5 c6 H$ [=========
" l+ u( ]/ X5 X" X# c* W b" ~% j6 g' p4 s: ^$ P* b* \% @6 I
It is not a method of detection of SoftICE but a possibility to crash the5 z8 }, L! B, A- s1 `6 c- A$ p
system by intercepting int 01h and int 03h and redirecting them to another/ B @8 z# ~3 J6 r: k8 w T' J
routine.: \# X( P6 d3 z0 [3 p9 O
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points/ a7 Z* r# g6 r9 e p
to the new routine to execute (hangs computer...)
( a: [$ g* ?6 M% l( x7 N3 k7 G% W4 t. F0 u* A! I
mov ah, 25h* @6 v$ |& e0 L- k, f$ U1 J
mov al, Int_Number (01h or 03h)
: R* u! j Q3 W1 ]) O! D mov dx, offset New_Int_Routine7 J8 j: P4 e- o9 l+ V+ B. u
int 21h
4 i4 r4 \0 N8 q; `) ~) |; v. h0 t
5 h4 E m$ g& Z# u) e# ~2 p, E__________________________________________________________________________) N1 V5 s( B& y9 U4 x
3 Z' m! |2 M$ G/ A6 `
Method 09& f2 U8 M" t# V4 U8 t
=========: }2 q& u- O6 J3 I1 G
) ?9 V3 V# }& o( c. nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only$ ~) e0 s' h; m8 q
performed in ring0 (VxD or a ring3 app using the VxdCall).
, i4 A* r0 Y- y: z' eThe Get_DDB service is used to determine whether or not a VxD is installed& v% D8 E9 a) [$ v# c4 y
for the specified device and returns a Device Description Block (in ecx) for
$ L: n7 C0 U. Y4 P- A3 gthat device if it is installed.
$ J; R4 K, y3 J- n( O! x+ `
- T6 B+ u" e; M V9 \& y2 w mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID# r, p$ |7 [4 R7 K5 k: D
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
3 j( I8 s9 f' A# h+ w7 b7 v VMMCall Get_DDB9 \* I0 ?; V& K; c$ R- o, C, C
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed* y6 B8 X) S/ V! ~9 J- U
; B, u$ P; \. b: y
Note as well that you can easily detect this method with SoftICE:$ G- h+ }- H. Q Q& m7 G
bpx Get_DDB if ax==0202 || ax==7a5fh
0 P6 ]0 m$ w1 s: v
' h C0 ~, n+ ]5 Z__________________________________________________________________________
/ o5 |7 g5 e9 j% x* w; o' l4 F2 A4 M* A
Method 10
% f: [, i, V$ l5 G6 X0 V: i7 Y=========* Q Q! J( c1 M) t) E9 x
# w' {1 f8 \' u) _" E9 ^7 T0 W
=>Disable or clear breakpoints before using this feature. DO NOT trace with
& x& c! S% a3 Z% E, y! {; V SoftICE while the option is enable!! ^- \( D% k! m# T! Y1 S' p; j
v$ }2 c2 C% L1 v
This trick is very efficient:
2 v' d! i0 B; g. U" iby checking the Debug Registers, you can detect if SoftICE is loaded
. y& i8 b6 Y( A" u3 \. h(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if0 N" U1 o# b. x
there are some memory breakpoints set (dr0 to dr3) simply by reading their
7 O; V$ G; k! c( m* }* X" Avalue (in ring0 only). Values can be manipulated and or changed as well( s/ I, ]) r! i5 O( I
(clearing BPMs for instance)6 X) ?7 H: S, C) g' H
3 Y# v4 A. ?6 _7 ?, n" G" p4 t. k__________________________________________________________________________9 E0 `# F a6 d$ I* w1 m; V
p6 \) s' f F0 F& k
Method 11
) g5 ^# t# {3 V" `0 e=========' y, U/ X9 c2 a
! f( ]/ S" h* J
This method is most known as 'MeltICE' because it has been freely distributed
/ |3 R9 p/ v" h# rvia www.winfiles.com. However it was first used by NuMega people to allow
- c( W) ]. r6 [$ e8 N; r; S* vSymbol Loader to check if SoftICE was active or not (the code is located
7 U! X" g& P; x% s2 _inside nmtrans.dll).8 D! a! s; s" h& o
$ k: E! \, @5 C8 yThe way it works is very simple:. H; B7 T; F! u7 P- M5 S
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# r) t) V; }- E9 J8 UWinNT) with the CreateFileA API.
. x, U! k- L7 X: v2 _9 e: E( ]4 ^7 U" ?+ B
Here is a sample (checking for 'SICE'):" {1 W' O* `. E. G% C
9 D- e8 N9 M* u* jBOOL IsSoftIce95Loaded()' C: M8 H) K5 w7 A
{
1 x a1 _) ?& E: A8 x4 A HANDLE hFile; 1 O8 H& k$ Z% x
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 o, s* D5 C& P/ v- q) E1 v$ p FILE_SHARE_READ | FILE_SHARE_WRITE,
( V3 ]& r) x4 Q. D& U' ~# p NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
; Q* N; q, w4 }6 h3 I3 E if( hFile != INVALID_HANDLE_VALUE )4 x: X! w$ `3 q, O
{: n0 C6 |+ X' ]( k0 o% t6 I
CloseHandle(hFile);
& B6 }5 O+ n' D$ y- `0 ]) D [ return TRUE;, V) q. j! Q- t
}$ l, @: w+ [; `' {, }( {4 a2 a/ L
return FALSE;
g( L0 l* k- S& [! w' x+ Z}
7 D7 N1 t$ l, q% J. D' \" `$ K+ ^3 B$ U+ O
Although this trick calls the CreateFileA function, don't even expect to be
4 z9 u( N& g& O& }+ T5 nable to intercept it by installing a IFS hook: it will not work, no way!
- R% t6 A5 D, m7 @3 A! NIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
: ^; ~! M8 |4 e9 C0 T9 ^service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
+ j2 J1 m; u4 a. h0 jand then browse the DDB list until it find the VxD and its DDB_Control_Proc
: o: _" O. L. A% N5 i' s* Z! [field.- r0 m2 [" ~: `( u
In fact, its purpose is not to load/unload VxDs but only to send a 5 s4 u; J D3 F" Z
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! P. }: [9 h8 z$ r
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
) Q+ s4 t( t# `to load/unload a non-dynamically loadable driver such as SoftICE ;-).
- O4 K/ t# s0 f4 J. b5 N) QIf the VxD is loaded, it will always clear eax and the Carry flag to allow
$ n+ ]1 B; m, pits handle to be opened and then, will be detected.
- o3 k, o( s- g1 O, B/ L( TYou can check that simply by hooking Winice.exe control proc entry point @0 x+ K7 E! E5 T3 [
while running MeltICE.
. i; @+ W5 M- s; q& u0 {2 P' R, K; S2 r% s! i) Z9 }9 ?
- F' H1 q& p. X9 @. Q2 u 00401067: push 00402025 ; \\.\SICE
8 N( E' f$ p+ F/ o$ G( i7 n 0040106C: call CreateFileA
C8 d' P6 K0 i. G9 I: o Q 00401071: cmp eax,-001
% K3 H9 K4 Y" v% N 00401074: je 00401091
m$ k" D2 U' O, i# }3 ]5 D& @7 C% b1 D2 J; M
0 Z9 w: D) _; EThere could be hundreds of BPX you could use to detect this trick.; i3 O, I! `' V ~1 G
-The most classical one is:8 ^6 f5 X: n/ |0 z; p) I
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
( e6 Y( @3 H( X& @; ?+ l7 e *(esp->4+4)=='NTIC'
/ X C; U) `: C3 x8 A+ v
" y, p; O! i: f8 C6 ^/ Z: e-The most exotic ones (could be very slooooow :-(- d- m( m8 L8 f0 G$ x7 A
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
: @8 o. @2 }6 X* _% D5 D0 i ;will break 3 times :-(
' m8 o. n7 d2 t5 a( [/ j5 D3 A4 D+ U# J t" ^
-or (a bit) faster: 5 u) ]7 O1 m# @6 b# C7 m6 C0 I M
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')* @3 k8 m$ }; S! I s# Q
- n) B' d& w% q$ z
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' - M; Z, `# ]8 g0 Z4 J: g1 j& y
;will break 3 times :-(
: O! h: H X0 e4 u+ w3 s. d2 o6 ?/ E0 R8 S( Y' Z; n
-Much faster:
" \7 s! k/ v4 D BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
6 C# l0 y6 g3 Q8 W
: N5 J* h; N. k4 w: G6 @Note also that some programs (like AZPR3.00) use de old 16-bit _lopen% M0 T3 k2 M, M7 c# M* _+ h
function to do the same job:
7 |* f: _/ z3 X- f, Z7 L* j" a6 h* Y; Y+ D' e: w/ O
push 00 ; OF_READ7 P; J; w8 c5 k3 f" a
mov eax,[00656634] ; '\\.\SICE',0
% l" W( Q8 U1 c! D" l9 E* Q5 ~% X push eax
8 M; \6 X4 s( G9 Q# y [% @! S: { call KERNEL32!_lopen
/ d6 ? X" D( H8 b6 e inc eax
& l$ H: @9 h. a jnz 00650589 ; detected/ f* m6 k$ @1 `$ X7 A0 w# Y
push 00 ; OF_READ
6 K' f/ b. T$ P" Q8 n( B mov eax,[00656638] ; '\\.\SICE'
1 C& W3 ?! F! J7 Q- e& p push eax/ p8 n( s( Y$ g4 {
call KERNEL32!_lopen
! o' {! D' k5 u: V inc eax0 I, o# J( x6 _; u) k0 f2 K
jz 006505ae ; not detected
. h) `# e2 w* Y2 b0 Y2 I% g* O# X" V4 J
" z" O' Y& l* c5 A% d, R, ?( x
__________________________________________________________________________
q2 }5 S: y, u9 B4 a
5 [+ g% q3 u" q1 W4 X& c/ [9 V# xMethod 12: `8 t- l/ f! u/ V) u( E
=========
1 L$ y2 m- p5 y; s* b3 [1 s% ~5 S6 s$ E" F9 p
This trick is similar to int41h/4fh Debugger installation check (code 050 |+ {- w9 ]5 u6 E" o9 {9 Y
& 06) but very limited because it's only available for Win95/98 (not NT)* N, W5 l% e: h* M* H! B% s
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. w9 O. W' z* ]7 `. l& o
6 S+ N9 g# C( z) x) [# f push 0000004fh ; function 4fh! I& W8 U( c) E* M4 r# h
push 002a002ah ; high word specifies which VxD (VWIN32)
# I8 Z j: }1 B# G* R, Y ; low word specifies which service1 m3 j1 B& U! _- ?
(VWIN32_Int41Dispatch)$ d% ~: R X/ [1 X8 a
call Kernel32!ORD_001 ; VxdCall
% \( c8 T( l+ j( q+ J7 Y) | cmp ax, 0f386h ; magic number returned by system debuggers/ g* g5 q; B1 u& F; [, C& \
jz SoftICE_detected! K( ]; V% w) B
" }$ m* J D: ]" RHere again, several ways to detect it:7 v, |6 B! j7 k+ _8 d
0 l% O p3 X3 I5 U
BPINT 41 if ax==4f) z- \3 N) ]% W6 Y( i
7 a+ ]: ~- Q- ]1 y% \/ Q; x- k BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one- t. {2 x7 k1 ]3 z
7 E: ~+ L! N$ b8 R- t3 a BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A5 a# Q- g2 l& G
/ W7 \) R' N2 M# J w BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
" S+ \! q0 p0 K$ @2 y8 I; f
: E! L: [# L0 n7 }# F; U7 Y8 U1 B__________________________________________________________________________
4 l1 I4 m# x3 z/ @' R* J: P
8 t+ m3 |( w& ?" B7 n9 \1 kMethod 131 N& Z( q! {( ~. x9 T
=========; ?+ a, N* @* X/ n' G0 Y
) d# ^7 j- X/ V" z
Not a real method of detection, but a good way to know if SoftICE is
! [/ P$ J; C7 o$ Einstalled on a computer and to locate its installation directory.( W, ?. D: X% X; [ s. {% u
It is used by few softs which access the following registry keys (usually #2) :' x: x1 d `5 W2 m
# c8 k5 p4 x% _; S' P2 x6 s9 `
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ `% f$ q, T6 J- D' ^& x\Uninstall\SoftICE
5 h/ ?0 P+ O7 G" C# @/ z-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 m4 G& r0 |8 a' i9 r# S- G
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, h. s `' o( n" `\App Paths\Loader32.Exe
0 N* l. E! q) L0 w% w: z3 ]: x, u$ P. p8 k
7 E! H6 w1 @0 d9 q3 a- A
Note that some nasty apps could then erase all files from SoftICE directory
. s! N; D0 }. [" k! q(I faced that once :-(7 |! F" n" J: P% q. O* R
! r; Z2 _. A) a, g$ E7 X3 w. `6 f6 A3 qUseful breakpoint to detect it:
5 `3 k; h2 p* w0 A: {. M: q1 t8 [8 y4 U2 d5 r; U( g# e1 `
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'6 W8 K C- u! r+ B/ D
. l, ^& O9 J; X) s__________________________________________________________________________
4 O& ^! X7 @6 D1 |& ~2 |4 |
4 q1 Z3 k1 B6 _* e
( _* a( W2 \0 Q) e2 jMethod 14 # @! U9 F. _* K% Q" b0 x
=========2 Y5 o( y: l; K$ N7 V+ ]+ c" p
+ P+ d* d- }1 d/ v; e. P
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
+ q4 F: b v# Y& ]is to determines whether a debugger is running on your system (ring0 only).
$ A; g9 S1 l& E( {3 G6 W9 D/ l- o
VMMCall Test_Debug_Installed3 ?* f6 F' W: f
je not_installed
3 s/ J: Z' {# B! G% j- C
9 ^- T6 Z0 A" w3 p. XThis service just checks a flag.* c- i% K1 o" h
</PRE></TD></TR></TBODY></TABLE> |