<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh   ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911    ; execute command.
  4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647    ; 1st magic value.
  4C19:009D MOV DI,4A4D    ; 2nd magic value.
  4C19:00A0 INT 3          ; INT call (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
  4C19:00A8 JB 0095        ; 6 different commands.
  4C19:00AA JMP 0002       ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h   ; VxD ID of winice
  int 2Fh
  mov ax, es      ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh   ; VxD ID of SIWVID
  int 2fh
  mov ax, es      ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  xor ax,ax
  mov es,ax               ; ES must address the IVT at segment 0 (as in Method 06)
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]     ; swap in our own int 41h handler...
  xchg bx, es:[41h*4+2]
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]     ; ...and restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl,al
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl,al
  jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

  BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
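The checks in Methods 01 to 07 all reduce to a handful of fixed opcode sequences, which is what an analyst triaging a packed sample looks for statically. The scanner below is an added example (it is not code from this text nor from any of the packers or tools it mentions): it hand-assembles the 16-bit sequences quoted above into byte signatures, tolerates a few bytes of unrelated instructions between the key opcodes, and reports the offset of each pattern in a code image. It assumes 16-bit code (so `mov ebp` carries a 66h operand-size prefix, which the pattern skips by anchoring on the BDh opcode) and scans a constructed sample buffer, not a real binary.

```python
import re

# Byte-level signatures for the 16-bit SoftICE checks of Methods 01-07,
# hand-assembled from the mnemonics on the page (added example). Each
# pattern allows up to 12 bytes of unrelated instructions between its key
# opcodes so that register-setup reordering does not defeat the match.
SIGNATURES = {
    "BoundsChecker magic (mov ebp,'BCHK' / mov ax,4 / int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,12}?\xB8\x04\x00.{0,12}?\xCC",
    "int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)":
        rb"(?:\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46).{0,12}?\xCC",
    "int 2Fh/1684h VxD lookup (SICE 0202h or SIWVID 7A5Fh)":
        rb"\xB8\x84\x16.{0,12}?\xBB(?:\x02\x02|\x5F\x7A).{0,12}?\xCD\x2F",
    "int 41h/4Fh debugger check (magic 0F386h)":
        rb"\xB8\x4F\x00.{0,12}?\xCD\x41.{0,12}?\x3D\x86\xF3",
    "int 68h/43h WinICE check (magic 0F386h)":
        rb"\xB4\x43.{0,12}?\xCD\x68.{0,12}?\x3D\x86\xF3",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(code: bytes):
    """Return (offset, signature name) pairs for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample code image: the HASP back-door loop body from Method 02,
# then the Method 01 and Method 05 checks, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"               # mov ax,0911h   (execute command)
    + b"\x8B\x17"                   # mov dx,[bx]
    + b"\xBE\x47\x46"               # mov si,4647h   (1st magic value)
    + b"\xBF\x4D\x4A"               # mov di,4A4Dh   (2nd magic value)
    + b"\xCC"                       # int 3
    + b"\x90" * 3
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh ('BCHK'), 66h = operand-size prefix
    + b"\xB8\x04\x00"               # mov ax,4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al,4
    + b"\x90" * 3
    + b"\xB8\x4F\x00"               # mov ax,4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax,0F386h
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Anchoring on instruction bytes rather than on the magic constants alone keeps false positives down: 4647h or 0F386h show up as data in plenty of binaries, but MOV SI/MOV DI immediately followed by INT 3, or INT 41h followed by a compare against 0F386h, is the trick itself. The 32-bit variants of Methods 11 and 12 use different encodings and would need their own signatures.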
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

  mov ah, 25h
  mov al, Int_Number              ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
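To see what the two DR7 values quoted above (0x700 and 0x400) actually encode, and what a memory breakpoint looks like in DR7, here is a decoder for the register's architectural fields. It is an added example, not code from this text or from SoftICE; the bit layout is the x86 one from the Intel manual (bit 10 is reserved and reads as 1, bits 8 and 9 are LE/GE, bit 13 is GD, and each of the four slots has a local/global enable pair plus R/W and LEN fields).

```python
# Decoder for the DR7 debug control register (added example; the layout is
# the x86 architectural one, not anything specific to SoftICE).
RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}   # the 8-byte encoding only exists in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its architectural fields."""
    info = {
        "local_enable": [bool(dr7 >> (2 * i) & 1) for i in range(4)],      # L0..L3
        "global_enable": [bool(dr7 >> (2 * i + 1) & 1) for i in range(4)], # G0..G3
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: #DB on any MOV to/from DRx
        "breakpoints": [],
    }
    for i in range(4):
        rw = (dr7 >> (16 + 4 * i)) & 3    # R/Wn: condition for slot n
        ln = (dr7 >> (18 + 4 * i)) & 3    # LENn: size of the watched range
        info["breakpoints"].append({"rw": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return info


def active_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 slots that are enabled (locally or globally)."""
    d = decode_dr7(dr7)
    return [i for i in range(4) if d["local_enable"][i] or d["global_enable"][i]]


def build_dr7(slot: int, rw: int, length_code: int, local: bool = True) -> int:
    """Compose a DR7 that arms one slot, keeping the reserved bit 10 set."""
    value = 1 << 10
    value |= 1 << (2 * slot + (0 if local else 1))
    value |= rw << (16 + 4 * slot)
    value |= length_code << (18 + 4 * slot)
    return value


if __name__ == "__main__":
    # 0x400: idle register; 0x700: LE+GE set; third value: a 4-byte
    # read/write BPM in slot 0, which is what a memory breakpoint leaves behind.
    for v in (0x400, 0x700, build_dr7(0, rw=3, length_code=3)):
        d = decode_dr7(v)
        print(f"DR7={v:#010x}: LE={d['LE']} GE={d['GE']} GD={d['GD']} "
              f"active slots={active_breakpoints(v)} "
              f"slot0={d['breakpoints'][0]}")
```

Decoding 0x700 shows it is nothing more than LE and GE on top of the always-set reserved bit, which is why the page can distinguish it from the idle 0x400. The same decoder explains the architectural answer to this trick: a debugger that sets GD (bit 13) turns the MOV from DRx that the check relies on into a #DB it can intercept.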

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the SoftICE VxD as a device; it only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025      ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001       ; -1 = INVALID_HANDLE_VALUE
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                 ; OF_READ
  mov eax,[00656634]      ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589            ; detected
  push 00                 ; OF_READ
  mov eax,[00656638]      ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

  push 0000004fh         ; function 4fh
  push 002a002ah         ; high word specifies which VxD (VWIN32)
                         ; low word specifies which service
                         ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001  ; VxdCall
  cmp ax, 0f386h         ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f
  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
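Methods 11 and 13 both come down to the program embedding a well-known string: a `\\.\SICE`-style device path or one of the three registry paths listed above, which an analyst can find statically without running the sample. The scanner below is an added example (not code from this text, from MeltICE, nmtrans.dll or AZPR): it compiles each indicator in both its ANSI and UTF-16LE forms, because a Win32 binary may store either, matches case-insensitively since Win32 device names and registry paths are not case-sensitive, and reports offset and encoding. The buffer it scans is constructed.

```python
import re

# Device paths and registry paths quoted in Methods 11 and 13 (added
# example; the sample buffer below is constructed, not taken from any tool).
DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]
REGISTRY_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _both_encodings(text: str):
    """The same string as a narrow (ANSI) and a wide (UTF-16LE) byte pattern."""
    return [("ansi", text.encode("ascii")), ("utf16le", text.encode("utf-16-le"))]


def build_indicators():
    """(label, encoding, compiled regex) triples for every indicator."""
    out = []
    for dev in DEVICE_NAMES:
        for enc, raw in _both_encodings("\\\\.\\" + dev):
            out.append((f"device \\\\.\\{dev}", enc,
                        re.compile(re.escape(raw), re.IGNORECASE)))
    for key in REGISTRY_KEYS:
        for enc, raw in _both_encodings(key):
            out.append((f"registry {key}", enc,
                        re.compile(re.escape(raw), re.IGNORECASE)))
    return out


INDICATORS = build_indicators()


def find_indicators(blob: bytes):
    """Return sorted (offset, label, encoding) tuples for every hit."""
    hits = []
    for label, enc, rx in INDICATORS:
        for m in rx.finditer(blob):
            hits.append((m.start(), label, enc))
    return sorted(hits)


# Constructed sample: an ANSI SICE path as in the MeltICE snippet, a
# lower-case SIWVID variant, a UTF-16LE NTICE path, and registry key #2.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + b"\\\\.\\siwvid\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, label, enc in find_indicators(SAMPLE):
        print(f"{off:#06x}  {enc:8s}  {label}")
```

Reporting the encoding matters in practice: the CreateFileA and _lopen callers shown above use narrow strings, while a program that goes through the wide API stores the same path as UTF-16LE, and a narrow-only string search would miss it.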

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>