<TABLE width=500>
) S( {, v: y" Y" s. o5 o F<TBODY>
8 }6 T2 C, s+ ]9 x6 U, d; z<TR>3 C! }* h b# ` Y8 t
<TD><PRE>Method 01
0 Y, @' ]7 s3 i H6 ]' j T: E=========* D2 j+ e! Z8 L& o, q8 v3 ^
3 I/ h2 z5 I8 r: p+ T( S2 m* N c# ]
This method of detection of SoftICE (as well as the following one) is: x7 t, v' n9 N& ~7 G* p
used by the majority of packers/encryptors found on Internet.
( O. E! x; w4 l+ J* f4 h! ]It seeks the signature of BoundsChecker in SoftICE1 K& c2 ^/ V- M
5 o+ o, q3 Q1 Q( U& U mov ebp, 04243484Bh ; 'BCHK'
+ H2 L- t, [, Q' Z* S6 ]) q2 ]" A mov ax, 04h) k, k8 X# B- h* ?8 G
int 3 9 p8 o- ~9 \( Z: ]
cmp al,4
% |7 ]% r7 F. p' z: D jnz SoftICE_Detected; [# @! ^6 A0 c& f U/ Q) A; l
8 U1 Z8 i( R5 O+ i2 T- c1 S# Z5 a# F
___________________________________________________________________________
P+ S, n$ C# i; v4 r8 D1 U. p$ ]: T3 C& o4 t8 W
Method 025 [6 L- i3 J# Y7 O+ S
=========
0 y0 z" ?4 w8 d; z( R. R2 N7 c& {$ \
Still a method very much used (perhaps the most frequent one). It is used# Q" s! Y6 \0 |) o1 _
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,5 e& s, z. k; B; P+ \7 ?
or execute SoftICE commands...
( E% u( @3 H9 j6 A) I+ w) oIt is also used to crash SoftICE and to force it to execute any commands
0 R7 N9 N( z d. |; v3 j1 R" \, D(HBOOT...) :-(( 2 K _* s$ R/ H$ q% f3 B" }5 N
8 I$ F" g) @1 `4 Y% r' ?5 `
Here is a quick description:
0 f# E: `! F5 E' {- e) w" G-AX = 0910h (Display string in SIce windows)
! r: b" T2 \& j+ D% P-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
2 L& e; N% D. o-AX = 0912h (Get breakpoint infos)# _9 }& a J8 I' Q* a- F- t! H
-AX = 0913h (Set Sice breakpoints)' b/ {- Y7 C3 ~2 m/ _# o
-AX = 0914h (Remove SIce breakoints)
) d. N- z* }* {* ?7 e1 c* v, m. t! v9 r9 [/ ?
Each time you'll meet this trick, you'll see:$ O* i7 ?3 K- `) C$ T; T6 r
-SI = 4647h! R6 |; j' S; j& z$ P+ A X
-DI = 4A4Dh
: P. }& _1 Y1 W. d! N: IWhich are the 'magic values' used by SoftIce.4 j$ ^( A1 \3 Q4 a
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
8 Q& \0 f5 b# H& F3 S" Y$ g7 I$ H5 O4 W
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. {# h) {1 Y- ^2 f: w) Y; {Envelope utility use to protect DOS applications:" U' L" z" i/ k0 y# ?# P6 C$ H
. t+ {6 O4 B1 V6 D& ?' {
* L% O- y2 |% t* t4C19:0095 MOV AX,0911 ; execute command.
* c! d: |1 k* N, @4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
* c2 `! V" b3 B, g4 I' X3 i7 w+ Y4C19:009A MOV SI,4647 ; 1st magic value.6 j: b+ Y9 u: M- w k
4C19:009D MOV DI,4A4D ; 2nd magic value.5 s4 G, `" ]( @5 u) F5 k
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
; h: y' |/ @$ t7 u0 D! Z) k4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute8 g2 u! j9 c6 q+ C: J
4C19:00A4 INC CX) W2 G5 v; u6 B- H8 q6 n
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute3 V& H8 i5 r8 X' Y
4C19:00A8 JB 0095 ; 6 different commands.
. e' {1 ]3 X* X8 u0 k4C19:00AA JMP 0002 ; Bad_Guy jmp back.0 x6 b" a/ u3 s8 n
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)* S0 K1 J: r, w2 h, {; L
9 v3 ^0 r. }% v9 p$ C b2 Q" {
The program will execute 6 different SIce commands located at ds:dx, which
" H7 F6 K7 U* [/ i. `# Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* j5 Q/ ^- O0 y Y2 y" A3 e- Q, \0 Z- O5 ^% D/ N
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
+ n2 g* X: v) R$ P# k9 X" H2 W2 F___________________________________________________________________________
3 H" z. Z, x j3 B8 ~5 ]* `+ }2 G# K& \/ A9 g
! u4 G* g# T# m9 @
Method 03
: Z, `; y7 t0 L' f% t/ d# G=========
7 X/ p6 Y/ X+ i) a$ q
" e+ b- b/ V5 G4 ~$ h& O' TLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* M) ?# P( W! A(API Get entry point)8 `9 b- Y3 t3 T$ W
3 f& c( A( |8 @' X1 N' M
s* Z' u$ r' F
xor di,di
1 r9 f3 \% z3 n9 b. H3 F! H mov es,di
+ F* w" L. K- i5 o. i% I6 t mov ax, 1684h
; A8 o; D6 c: E9 P P- o7 ? k+ h& U w6 L mov bx, 0202h ; VxD ID of winice6 h! {/ l% c- G' W
int 2Fh
' R4 m2 Z; ^7 f4 e# T8 ^, r; e mov ax, es ; ES:DI -> VxD API entry point }8 G g% i, G( X1 ]9 \
add ax, di4 y" e6 g2 I. s" I
test ax,ax
# l9 N; w; M& o( i jnz SoftICE_Detected
: M' |. {( ^6 ^8 V* q4 w" U0 J! e5 n2 D% X; C, O9 q, [
___________________________________________________________________________$ L: q1 Z s4 Q
" }( u# M t/ lMethod 04
" O. i+ B2 \4 t! P& g=========
! D: r( b# ?: b: R" @- ^8 R" Y9 F* C& l$ Z4 l+ j
Method identical to the preceding one except that it seeks the ID of SoftICE. o5 q. x3 Z5 N9 i7 }, k: M
GFX VxD.
2 x" R; A8 G: ?& F; I* Q2 T* m8 |/ J; _6 o( m/ a' G: p& _
xor di,di& A0 |; T8 N% c: F! @$ y, Z. B
mov es,di' a4 a# q* s8 C' |
mov ax, 1684h
' }1 E, \2 O' G4 | mov bx, 7a5Fh ; VxD ID of SIWVID
8 ?# k$ m" W1 a$ w; D int 2fh
2 L2 Y$ Y" D+ W, a mov ax, es ; ES:DI -> VxD API entry point1 _! s5 r$ y" q. J: q& x, X
add ax, di
; e! v. X0 I2 q8 o test ax,ax2 E4 i( H- ~- t ^* T
jnz SoftICE_Detected; z$ E2 P4 }# o
/ t+ G- M; k. V; C
__________________________________________________________________________8 ]' h. D& N6 r n) ^7 o: C" P
* E, P* C( e) e0 w* J8 @: {
0 B) p" @; V! e8 ?+ sMethod 05
* W! Z; z+ w* x$ a) l3 F=========3 {0 Z6 L5 ^" a# N; o2 y5 U- s
3 M1 [/ Z% R5 Q8 uMethod seeking the 'magic number' 0F386h returned (in ax) by all system
' L# M J" m3 k, M) Sdebugger. It calls the int 41h, function 4Fh.
$ e* q7 U0 \. o8 wThere are several alternatives. ^5 T) d& o3 m( ?3 p# e* a4 N
2 y, z9 p+ R; X0 h
The following one is the simplest:% f9 K3 o% V7 Q+ z/ B) I/ Y
* j2 u \2 z3 M" H+ M7 i mov ax,4fh ^' q1 @4 H4 P
int 41h
" C. o1 T; ?, r4 e2 ?9 V cmp ax, 0F386
* j: ?4 t% P# ?) e' ] jz SoftICE_detected( }7 s! m8 |) d+ Q, D. L8 v
* o2 @. H1 U, I1 ?
' U( C* N0 O* @' C
Next method as well as the following one are 2 examples from Stone's " y+ W% X/ |6 n& |7 W
"stn-wid.zip" (www.cracking.net):3 U+ d8 {4 V+ k1 z$ x, b1 w
$ o' _0 E* @1 d8 @. g8 f# c' n mov bx, cs
1 e( b4 y* N3 g1 a2 o lea dx, int41handler24 F2 j/ w7 j G+ V
xchg dx, es:[41h*4]6 J, P$ u2 t ^1 k8 i( k
xchg bx, es:[41h*4+2]( j! n2 x$ T: d- O+ ]" P0 b
mov ax,4fh
9 x: l; Q- S" ?4 H7 j! B int 41h
7 S- K( C4 A' ~# v5 z xchg dx, es:[41h*4]! I3 A4 k. _$ ^' j p
xchg bx, es:[41h*4+2]: j$ r* U) ~4 |, D7 C; b+ Z
cmp ax, 0f386h& D9 }8 q0 p( O: K( ^. j* y
jz SoftICE_detected
9 J0 y/ Z* d& s2 U. L, {1 }5 ]
* I0 Q! w3 y% v5 Q/ bint41handler2 PROC' K: j- W. F' p" B
iret8 v' F9 s' P$ X
int41handler2 ENDP% J$ m& D4 |) z; P+ c$ O
: _# Y3 x/ R: J! P: g- q) D! I& }2 `7 u9 z$ S5 Y
_________________________________________________________________________
9 |; M) Y. {* ]& E3 ~
; f' r' x5 a- t% Y5 a y4 d- s
. ?! ^& y) ]3 O& f6 P5 SMethod 06
, a# w" k K3 G% W, s=========, j& _/ I0 [' O; g! X- w
/ M! z" f9 B [4 V* c* u: |
( C; d. O- b- E: K: R) l7 S2nd method similar to the preceding one but more difficult to detect:
7 R P. P8 h0 f* Z; @: i6 b7 p5 T8 n1 S) Q, C" H. e
/ J% i$ J$ b! {int41handler PROC
& E$ V' \1 i) G s3 b mov cl,al0 a% C) u0 S: d9 ]8 u; ~
iret9 v; w$ c* L3 P, e- w6 H
int41handler ENDP
0 \1 R: O0 n- r H$ R1 b) B4 ^- J" k
2 K. {" ?# y/ e9 P! x s
xor ax,ax
; K& Z$ n6 @6 T: ^) V mov es,ax
" K! U9 B/ e7 s4 O0 { mov bx, cs
( E0 G( W+ F- _; ]6 k lea dx, int41handler; s' k8 K# C$ t) V8 }1 f
xchg dx, es:[41h*4]: X( {4 g$ s/ [9 R6 f/ A
xchg bx, es:[41h*4+2]
. N, S9 ]& c9 x% } in al, 40h
! \- Y+ ^# H& I0 I u5 T xor cx,cx
5 j/ Q2 Y( ]4 L4 v& s int 41h
9 w' _! t! H S2 O0 [1 L xchg dx, es:[41h*4]
1 b0 N; k: S; ~$ H. S% s5 s4 _ xchg bx, es:[41h*4+2]
2 z4 b5 u% e8 t* y2 q cmp cl,al
8 z; x& U6 _ J; V. y+ X jnz SoftICE_detected& w, Q% I& ^. s8 d4 h3 L
6 z7 w5 p+ q! z" X6 O0 V- b( T& K_________________________________________________________________________
8 ]$ L, S- O8 y1 d
6 a2 S6 w% K& I2 dMethod 07" m2 h2 V/ \% u% W% o
=========
6 m1 H; x( G9 ^7 f8 V6 f$ ?
* c. w; h5 g! _% VMethod of detection of the WinICE handler in the int68h (V86) a$ I9 Y u7 o2 ?* p2 O/ w( [
7 A6 [, K& @) q C5 {8 L% r& i mov ah,43h- p: p& y( L6 ~- c3 y- G" V
int 68h
6 K6 P1 F! m) |! ^6 l cmp ax,0F386h
! W d$ w x0 Z* ?1 c7 L jz SoftICE_Detected
( C" j5 \ r7 {/ n# {% `
- o& u: ~; D+ ]8 F( m5 A$ G* M ~$ v; y, d1 l" k. b
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit. J; V( @7 m3 T; q
app like this:
, ?& A' C2 I/ F3 _' I, V
0 y) Y6 E5 q7 a1 L BPX exec_int if ax==68
* v5 z* @3 I+ }6 v (function called is located at byte ptr [ebp+1Dh] and client eip is
& D. @2 \" L( O0 o+ V+ L9 Z" w4 U located at [ebp+48h] for 32Bit apps)
: }" M2 f- [9 y7 `- c) k__________________________________________________________________________+ V5 |% r2 K0 i
3 I6 q1 T1 e- X
9 E, K2 } S, ^3 ], O1 J
Method 08' ~# L4 K3 L6 g5 R
=========
6 x7 j* E8 G5 G; u
7 l6 @7 L( b; D: y5 f5 \4 |It is not a method of detection of SoftICE but a possibility to crash the P9 _( u6 f* a* p: u
system by intercepting int 01h and int 03h and redirecting them to another
1 E+ w d9 e8 K0 B8 [0 sroutine.
$ ], o; @( I3 e3 d! LIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points! `+ L! g& f4 \" X
to the new routine to execute (hangs computer...)1 n# R! p# F S* F; Y& m
c3 }/ g% _1 J C8 w O) W
mov ah, 25h+ {1 t, P+ C3 @0 A/ S4 R6 S
mov al, Int_Number (01h or 03h)! w9 J% {& m$ H& z3 R
mov dx, offset New_Int_Routine7 Y- U4 G: y: ^7 |
int 21h
# e5 G' ^' ]1 s, q9 V( T+ M
% X- c4 v4 I1 L' a6 U$ @: Y7 c__________________________________________________________________________
' h8 g1 @! S2 X0 M) E6 J) Y3 W& x4 m" p4 H9 ~& \6 @
Method 093 T1 J3 E% _3 g* F0 n/ }1 C
=========
4 W6 Z% F( `2 f% c7 J/ r D
& e- L& e9 N- D' Z& j6 k2 nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
; M9 c: a: O( E* U9 U+ Pperformed in ring0 (VxD or a ring3 app using the VxdCall).
, h8 U e9 i; E3 W' X' y; pThe Get_DDB service is used to determine whether or not a VxD is installed
, n3 i, r: A1 ufor the specified device and returns a Device Description Block (in ecx) for# ~7 S! i5 G3 c: h5 e6 ^
that device if it is installed." z6 o, N$ R* \
4 c4 L R# c" ^
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 S1 e! f* L$ Y mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) y% X2 |. D0 [/ U0 W e4 m0 u; u! v5 T
VMMCall Get_DDB5 s2 s I: N9 f6 P8 D- N9 x
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
3 I% @* {: u# C. |6 ~/ r; H8 W: x$ F; y" V5 z# e
Note as well that you can easily detect this method with SoftICE:$ [ m, K/ E( V3 P8 q5 F5 _
bpx Get_DDB if ax==0202 || ax==7a5fh
! D8 h0 t& E6 s. Q+ C# H" x& a5 u! P, Z, e9 V
__________________________________________________________________________& R& h- e0 V# V# T
8 h+ u: o- U8 a; Q4 J& AMethod 10
) ]; Z) S3 K" o" G8 v=========
+ e+ X6 O! ?: \' G* d4 {* j
5 C+ ~3 _- V: R=>Disable or clear breakpoints before using this feature. DO NOT trace with9 g& n- A3 W/ e; c& I5 N6 n [
SoftICE while the option is enable!!. S# J) I8 l8 L, ^" a- Z/ ]1 w
- ^1 \* w4 t+ o2 B# L. \' f- ^( i
This trick is very efficient:# j$ B: a' u8 g/ w) S' z N
by checking the Debug Registers, you can detect if SoftICE is loaded/ D) i, F+ h! W( O" F' ?
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 g6 Z& \. k+ z1 o! \. ythere are some memory breakpoints set (dr0 to dr3) simply by reading their0 A) f& C4 W6 K+ `" ~4 ?: ^$ _* r, }
value (in ring0 only). Values can be manipulated and or changed as well% J, E; B; k4 T* a0 b" ^2 x
(clearing BPMs for instance)
% O: Z( a) T5 \. A) I4 B. d( F! D8 @" {. z) Z/ w( r2 H% @
__________________________________________________________________________0 J8 F9 h2 u/ x4 o: R+ v H
o7 P0 e) M' @9 b
Method 11
/ }" O+ ~( R7 Y! K) q8 {=========
/ `# y& h2 L. ]( r# j1 _1 G8 h
& S- [0 |- l; v* m; i5 qThis method is most known as 'MeltICE' because it has been freely distributed. u! H3 Q6 x9 m& r: G0 P, a& q, u
via www.winfiles.com. However it was first used by NuMega people to allow
O; ^+ c! f0 I7 J5 j0 BSymbol Loader to check if SoftICE was active or not (the code is located
6 b; T$ A* ?' \5 e+ T% a9 winside nmtrans.dll).
2 f: \. S" N- W, q/ `( q4 Y# d7 ]' a+ t' a' ^# ]
The way it works is very simple:
! o# |: Q7 k: S! A0 BIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
e ^! V" Z8 DWinNT) with the CreateFileA API.3 O# }4 T7 N8 v
8 q5 K/ L4 N- Q' CHere is a sample (checking for 'SICE'):
' {4 S6 E% b4 S8 d8 F5 K2 c' B! \5 p
/ `" Y0 d& c& C" ^. ]BOOL IsSoftIce95Loaded()7 R* o# [% w4 E0 K5 \+ G2 @5 k( b
{
& d/ W' l! [" I( H: v HANDLE hFile; a5 K! G0 o& m. v- X% N
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,) `* Y* A8 ]+ w2 t: u
FILE_SHARE_READ | FILE_SHARE_WRITE,/ A' }7 u8 K2 N* \2 h
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);* v5 |* {! u; v" U! ^: ~' p% P
if( hFile != INVALID_HANDLE_VALUE )- o# Q: F: v; g& ^- v7 U
{7 U! e: @4 X4 c; C$ o" C% C
CloseHandle(hFile);1 M. G8 h7 r& ]2 K0 G2 ~% j- B
return TRUE;
% A1 g1 u9 V0 {4 B }) A( S8 }" r/ r% L
return FALSE;
+ L! \, V9 W* y- N% l}0 ]. J, l: y* L& ?( O
1 N I( T+ y- WAlthough this trick calls the CreateFileA function, don't even expect to be1 Y- }& V! Q6 j4 W# E/ Z: _
able to intercept it by installing a IFS hook: it will not work, no way!# _& p4 l2 V- U* }
In fact, after the call to CreateFileA it will get through VWIN32 0x001F9 J1 H3 L$ B+ ~: M+ c9 {. [
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: p3 m% u2 R# c2 H+ }and then browse the DDB list until it find the VxD and its DDB_Control_Proc! b, b' d2 F, Y/ ]3 z' A, e
field.3 G: D2 S! f+ z7 o+ d* g
In fact, its purpose is not to load/unload VxDs but only to send a - l. p5 q j7 {8 Q
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)( ]/ P1 Q6 `* _ _9 u" k
to the VxD Control_Dispatch proc (how the hell a shareware soft could try1 p, F0 d9 e5 l5 |$ M
to load/unload a non-dynamically loadable driver such as SoftICE ;-)." M' @! h: K! C0 j
If the VxD is loaded, it will always clear eax and the Carry flag to allow8 B" N3 p3 D Z
its handle to be opened and then, will be detected.
' i. [+ Y0 C* Q$ n5 mYou can check that simply by hooking Winice.exe control proc entry point
4 v$ L! |2 r% }/ k& p3 hwhile running MeltICE.1 {$ W/ _, z% n( W; G
. S5 W5 `* c, H
5 g$ I0 E* l! R% U2 [
00401067: push 00402025 ; \\.\SICE! r3 Z. n* k. A# O7 X
0040106C: call CreateFileA
7 F; n$ g4 }9 q6 @, Y; r. P3 i9 z% Q 00401071: cmp eax,-001
6 ]6 e i+ m5 U1 V9 E! k 00401074: je 00401091
4 A$ x, o' H5 b) K l% p) y4 y) I- w% U2 C0 ?
% ]0 \# O1 y# v# A8 r5 R
There could be hundreds of BPX you could use to detect this trick.
6 r& s& I$ C, U1 ^-The most classical one is:9 z% l$ }+ V; l! z" M8 M
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
, j, x* R! H* e% r! Q8 ? *(esp->4+4)=='NTIC'
7 T' {; u+ k8 ?6 W
! Y) j+ @0 B( w% N8 }$ S-The most exotic ones (could be very slooooow :-(
( D$ T+ h7 w- O1 ?, i$ b+ p BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
6 `3 S& Q$ T* l4 }: [ G. `1 H% Q ;will break 3 times :-(
4 S7 s1 U; G- o5 B4 ^/ l1 z, ]8 v F# E
-or (a bit) faster:
' O# D; |7 v/ T: H1 i! Q' ?& r" ~- y BPINT 30 if (*edi=='SICE' || *edi=='SIWV')( Y) ~; J8 M+ K9 W2 N
- l( W$ @" y4 ] J) U e
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 4 }' L; ~1 {3 N' K6 S; m ^
;will break 3 times :-($ q# O5 h' P/ U; C" i
( L( ~" y+ X# S' H
-Much faster:
: L+ i4 T9 P0 M. g BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
3 u2 v/ B6 v' U2 w- K
2 o, w2 a5 B e! l& y$ a0 [2 hNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
, s0 ^& U7 q, R. K6 Zfunction to do the same job:
$ H1 Z; W$ a2 U, x+ k- F" i
+ m* I* ^$ ?3 o; y4 U push 00 ; OF_READ
- j* j* a* V3 ^ mov eax,[00656634] ; '\\.\SICE',0" ?& P1 E4 Q8 e4 c1 J0 y) x
push eax
( P2 p! _9 ^; A! F L. }3 P call KERNEL32!_lopen2 Y, g L% r8 X- z$ o
inc eax
3 o7 N9 q3 h! Q! M3 G jnz 00650589 ; detected* k$ k/ b d; Q5 p
push 00 ; OF_READ
h D& Z: R2 G mov eax,[00656638] ; '\\.\SICE'
$ y# r( S3 h+ e4 r push eax- A% `/ j( a& ~0 V
call KERNEL32!_lopen- g$ V: Z: A& L0 @3 Q/ j) ~
inc eax
G" `7 H# b8 j; E jz 006505ae ; not detected
' K; @$ V) ?6 `& G# a4 E2 K$ l j; N- n
/ ~3 o* E+ b4 u/ F__________________________________________________________________________
' \/ g. B7 T- q8 h7 M3 c" Q; G+ @! N! ?8 n, z: y: J
Method 12
; L+ J( @2 G4 W8 j1 [! s: V=========+ {: C5 k) P: R3 O. P
2 Y8 h+ d" h i5 M% O! M1 ]This trick is similar to int41h/4fh Debugger installation check (code 053 g4 c2 f! l5 a7 z$ ^" c
& 06) but very limited because it's only available for Win95/98 (not NT)
{; f" m/ x) Xas it uses the VxDCall backdoor. This detection was found in Bleem Demo.: s( Y* P* f7 n4 H* c0 H
8 S6 f6 Z% a2 W% X; e# b5 r) ^
push 0000004fh ; function 4fh
* N0 g6 `; p3 H7 e& T8 e( D5 b! I; a- H push 002a002ah ; high word specifies which VxD (VWIN32)" _0 V2 V; B8 ~; c) a: C% L5 u+ v& X. Q
; low word specifies which service& t- r6 q/ G$ q- g! l9 e
(VWIN32_Int41Dispatch)3 s9 D6 u, x' M9 s8 j
call Kernel32!ORD_001 ; VxdCall
: w( R, f6 @ k& b7 Q cmp ax, 0f386h ; magic number returned by system debuggers
# t& y8 ?& G* v( x jz SoftICE_detected# M' w; s% O' Z7 e, u( ?' N% v
4 O( ]3 B) A! ^7 E1 o
Here again, several ways to detect it:2 g6 u; A0 ?# r* x
, V7 |* L5 ~! C- Z BPINT 41 if ax==4f! E0 e' M/ K3 ]+ S9 c( h* z6 y# Q
: i2 t+ S, _+ p( k! o
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one* }) x" a% S% q. E0 X
7 R9 `$ S2 |1 n6 @0 l2 E3 L BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A$ b2 x; G9 J G9 O1 `, v
) b: U. `) _6 l- x9 e# t5 D3 e
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!! k. V3 p) i7 k k2 V$ A7 j
0 X+ V- P" J# x: m% C__________________________________________________________________________( ?/ Q1 ^3 B$ b% r" m
$ F$ }: u1 F& [
Method 131 F: P- W4 Q! }, u, h+ X+ J
=========
. N6 \1 j" S5 X v1 Q
7 I5 l' V7 `3 J- e0 I) sNot a real method of detection, but a good way to know if SoftICE is
. F$ s* q! W+ S& qinstalled on a computer and to locate its installation directory.5 Y ~! Y q: l/ U
It is used by few softs which access the following registry keys (usually #2) :
# Q& Q' Y1 s2 Y& H5 U" O( H( z8 h% Y! u% m6 C( A* l V, F& }
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ ~2 `% K* Q p' X# `+ B8 w. E& R
\Uninstall\SoftICE5 W* }7 ^5 O7 H' j
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
/ A: q4 M- W$ c: ~$ Z7 w-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
j! h6 p# q. L\App Paths\Loader32.Exe: x" v+ d3 v' G ]$ g
' ^: I/ n6 `" x/ R7 q& {
( ]2 c. V) D3 B/ x4 a! BNote that some nasty apps could then erase all files from SoftICE directory" X! K4 M! r( t
(I faced that once :-(
9 U- c, |) r$ D' D5 o! U1 E7 p% r$ w% w! G- k5 `( k3 R( R
Useful breakpoint to detect it:
6 R: p- f1 D. T n0 U1 F/ Q7 U" [
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
2 p5 m% H) w% ]6 | O- |' w5 B- P5 R) \/ L
__________________________________________________________________________
8 p. e. p0 H* k8 _3 p5 }5 ?. j* \
/ @# q9 s4 k. V2 d9 u
$ e* Q0 U7 q/ n0 V' Y. o6 yMethod 14 ) n3 O3 `% U- Q: @ Z0 }
=========/ Q* X* ^& j- y( }% k
* |5 [3 p) f; n2 Q( G
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
2 G, O, g' M( Z K" a5 W5 R% W' Q- j( iis to determines whether a debugger is running on your system (ring0 only).9 G" m, T2 J* |' d. n9 G' r
$ g+ ]6 R% d- h2 J' T$ v7 j VMMCall Test_Debug_Installed* m3 \. Z" z/ F0 L9 \7 S3 Z
je not_installed, Y8 K! b/ x& m; G9 r* W- {: c
5 I4 R0 A& a' x% w
This service just checks a flag.
# }1 b! S+ ]9 s- \; i8 @7 u: n7 y</PRE></TD></TR></TBODY></TABLE> |