<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK': BoundsChecker signature
        mov ax, 04h             ; BoundsChecker function 04h
        int 3                   ; SoftICE answers the request if it is loaded
        cmp al,4                ; al unchanged (still 4) means nobody handled it
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h           ; Get Device API Entry Point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if no such VxD)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0, as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler ...
        xchg bx, es:[41h*4+2]   ; ... keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our own handler leaves ax untouched
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; remember what al was when int 41h arrived
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; a changing value from the timer chip
        xor cx,cx
        int 41h                 ; reaches our handler only if nothing catches int 41h first
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
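The breakpoints above find these checks at run time. As an added example (not code from the original text), the Python scanner below turns the instruction sequences quoted in Methods 01 to 05, 07, 11 and 12 into byte signatures an analyst can look for in a suspect executable before running it under a debugger. The byte encodings are hand-assembled from the listings and are assumptions about how a packer would encode them: 16-bit code for the int 2Fh/41h/68h checks and the int 3 backdoor call, 32-bit code for the 'BCHK' and VxDCall sequences; the input it is run on is constructed filler, not a real packer.

```python
"""Static triage of the anti-SoftICE instruction sequences quoted above.

Added example, not code from the original text. Byte patterns were
hand-assembled from the listings on this page: Methods 02-05 and 07 as
16-bit code (mov si,4647h = BE 47 46; mov ax,1684h = B8 84 16; ...),
Methods 01 and 12 as 32-bit code (mov ebp,4243484Bh = BD 4B 48 43 42;
push 002A002Ah = 68 2A 00 2A 00). Other encodings of the same instructions
exist, so a hit marks a spot for manual review rather than proving the check
is there; short patterns such as Method 07's four bytes can also occur by chance.
"""
from typing import Dict, List, Tuple

# (label, pattern): each pattern is one contiguous instruction sequence.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("M01 mov ebp,'BCHK' (BoundsChecker interface)",
     bytes.fromhex("BD 4B 48 43 42")),
    ("M02 int 3 backdoor: mov si,4647h / mov di,4A4Dh / int 3",
     bytes.fromhex("BE 47 46 BF 4D 4A CC")),
    ("M03 int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     bytes.fromhex("B8 84 16 BB 02 02 CD 2F")),
    ("M04 int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     bytes.fromhex("B8 84 16 BB 5F 7A CD 2F")),
    ("M05 mov ax,4Fh / int 41h",
     bytes.fromhex("B8 4F 00 CD 41")),
    ("M07 mov ah,43h / int 68h",
     bytes.fromhex("B4 43 CD 68")),
    ("M12 push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     bytes.fromhex("6A 4F 68 2A 00 2A 00")),
    ("M12 push 4Fh (imm32 form) / push 002A002Ah",
     bytes.fromhex("68 4F 00 00 00 68 2A 00 2A 00")),
    # Method 11: the device names handed to CreateFileA / _lopen.
    ("M11 device name \\\\.\\SICE", b"\\\\.\\SICE"),
    ("M11 device name \\\\.\\SIWVID", b"\\\\.\\SIWVID"),
    ("M11 device name \\\\.\\NTICE", b"\\\\.\\NTICE"),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return every (offset, label) at which a signature occurs, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for label, pattern in SIGNATURES:
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, label))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def summarize(data: bytes) -> Dict[str, int]:
    """Count hits per method number (the 'Mxx' prefix of each label)."""
    counts: Dict[str, int] = {}
    for _, label in scan(data):
        method = label.split()[0]
        counts[method] = counts.get(method, 0) + 1
    return counts


# Constructed test input: filler bytes around three of the sequences above.
# This is not a real packer; it only exercises the scanner.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04")   # Method 01 check
    + b"\x90" * 4
    + bytes.fromhex("B8 11 09 BE 47 46 BF 4D 4A CC")         # Method 02 backdoor call
    + b"\\\\.\\SICE\x00"                                     # Method 11 string
    + b"\x90" * 3
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
    print(summarize(SAMPLE))
```

On a real file, feed `scan()` the raw bytes of the executable (or of the unpacked image, since packers usually keep these checks in the stub); a hit at an offset inside a code section is the place to set the corresponding breakpoint from the lists above.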
7 \2 V7 G- y* q; H1 T' ]__________________________________________________________________________
9 e9 g8 w. L; [2 d# M9 T$ e8 h& ?, B& Q7 J; Q1 w$ X
Method 13
# ^! h A% v& c=========) g5 K- h6 `0 G3 u3 R1 @) j
! F: ^$ w" O$ t1 Q3 ?( F DNot a real method of detection, but a good way to know if SoftICE is. X% {( X, J6 H! r7 d4 y1 l% @
installed on a computer and to locate its installation directory.7 k0 n- W% r0 J8 O: A
It is used by few softs which access the following registry keys (usually #2) :* U9 q4 s5 m/ f9 j
0 ^+ P) F9 E- G7 [-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ t G5 |+ W- z& R/ \\Uninstall\SoftICE5 E' J s. Y& x# J5 r9 O; K9 t% ]
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
: z( x$ J7 D2 R% ?4 W+ B% l-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 O4 A' J8 r5 v, C( [\App Paths\Loader32.Exe( ~" I0 ?8 Q" T" m) D( \
7 Q F& U+ I* F% F( |( v; T& ^- i B; L' ]
Note that some nasty apps could then erase all files from SoftICE directory. _* c# C9 q& p6 K
(I faced that once :-(
2 a2 A/ K( |) r2 {: U$ z2 ]0 l, F2 B' x7 y i$ v' Z4 l9 T8 e
Useful breakpoint to detect it:
5 V0 f8 d6 Z0 L0 Z
0 A9 s& v5 @" a* | BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
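Added example, not from the original text: detection logic that flags accesses to the three keys above in a registry-access trace, including accesses to subkeys beneath them. The trace lines are constructed to look like a process/operation/key/result log and are not real captures; the line format, the HKLM alias handling and the function names are assumptions of this example.

```python
"""Flag registry accesses that probe for a SoftICE installation (Method 13).

Added example, not from the original text. The three key paths are the ones
listed above. The log lines are constructed to resemble a registry-access
trace (process, operation, key, result); the line format and the HKLM alias
handling are assumptions of this example.
"""
import re
from typing import Iterable, List, Tuple

SOFTICE_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE"}


def normalize(key: str) -> str:
    """Canonical, case-insensitive form: long hive name, backslashes, no edge slashes."""
    key = key.strip().replace("/", "\\").strip("\\")
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


_SOFTICE_NORMALIZED = [normalize(k) for k in SOFTICE_KEYS]


def is_softice_probe(key: str) -> bool:
    """True for the three keys themselves and for anything beneath them."""
    n = normalize(key)
    return any(n == k or n.startswith(k + "\\") for k in _SOFTICE_NORMALIZED)


# One trace line: <process> <operation> <key path> <result>
_LINE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<op>RegOpenKey|RegQueryValue|RegEnumValue)\s+"
    r"(?P<key>.+?)\s+(?P<result>SUCCESS|NAME NOT FOUND)$"
)


def flag_probes(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (process, operation, key, result) for each line touching a SoftICE key."""
    flagged: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m and is_softice_probe(m.group("key")):
            flagged.append((m.group("proc"), m.group("op"), m.group("key"), m.group("result")))
    return flagged


# Constructed sample trace (not a real capture).
SAMPLE_LOG = [
    r"crackme.exe  RegOpenKey     HKLM\Software\NuMega\SoftICE  SUCCESS",
    r"crackme.exe  RegQueryValue  HKLM\Software\NuMega\SoftICE\InstallDir  SUCCESS",
    r"notepad.exe  RegOpenKey     HKLM\Software\Microsoft\Windows\CurrentVersion\Run  SUCCESS",
    r"crackme.exe  RegOpenKey     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe  NAME NOT FOUND",
]

if __name__ == "__main__":
    for proc, op, key, result in flag_probes(SAMPLE_LOG):
        print(f"{proc:12} {op:14} {result:15} {key}")
```

A NAME NOT FOUND result is still worth flagging: the program asked about SoftICE whether or not it is installed, which is the behaviour the text describes.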
$ O# L; U) P0 { t5 k6 y, ]' Y( c% Q( o! f1 T' P5 T+ T
__________________________________________________________________________ Z1 h9 X- p7 f: g' |% q2 v* s
; P6 w2 h2 P7 q" ^- l
- O- I5 k% C7 V, EMethod 14
9 e4 t( H+ ] D7 C0 R# P; Y- [=========
8 H: \- n* q/ J/ T
0 S3 v, Y' ^. L2 y$ s) \A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ g' R' X1 \/ ?7 U
is to determines whether a debugger is running on your system (ring0 only).
P! o5 A( b$ f) s$ c$ w! g+ [0 Q2 q$ w7 w
VMMCall Test_Debug_Installed! K7 B* A' z( a6 B! B3 q
je not_installed
4 [! w% C4 S" P: a
: E# e0 b! T. w1 r* K8 t+ BThis service just checks a flag.; @# t# O k; w; Y
</PRE></TD></TR></TBODY></TABLE> |