<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognises
on int 3:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL is no longer 4 if SoftICE answered the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es is assumed to point to the interrupt vector table (segment 0),
        ; as Method 06 sets it explicitly
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own (empty) int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; only a debugger hooking int 41h can answer this
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; runs only if int 41h really reached our handler
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; es = interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; an unpredictable value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al: our handler was bypassed
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; DOS set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
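To make the two DR7 values quoted above concrete, here is an added decoder (not part of the original text) that splits a DR7 value into its LE/GE flags and the enabled breakpoint slots with their R/W and LEN fields; the bit layout is the Intel one, the 0x700 and 0x400 values come from the text, and the BPM value in the demo is constructed.

```python
# DR7 layout (Intel SDM): bits 0-7 hold the L0/G0 .. L3/G3 enable pairs,
# bit 8 is LE, bit 9 is GE, bit 10 is reserved and always reads as 1, and
# bits 16-31 hold the R/W and LEN fields of the four breakpoint slots.
DR7_LE = 1 << 8
DR7_GE = 1 << 9
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its LE/GE flags and the enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"slot": i, "scope": "global" if glob else "local",
                          "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE), "slots": slots}


def classify(dr7):
    """Reproduce the conclusion the trick draws from DR7 (helper name is mine)."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "hardware breakpoints set (BPM on dr0-dr3)"
    if d["LE"] and d["GE"]:
        return "LE/GE set: the 0x700 pattern of a SoftICE-loader start"
    return "no debug-register activity: the 0x400 pattern"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text plus a DR7 carrying a
    # 4-byte read/write BPM in slot 0 (L0 | RW0=11b | LEN0=11b).
    for value in (0x400, 0x700, 0x400 | 1 | (3 << 16) | (3 << 18)):
        print(hex(value), classify(value), decode_dr7(value)["slots"])
```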

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* MeltICE-style check: try to open the SoftICE Win9x driver by name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
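The instruction sequences and strings listed in Methods 01-05, 07 and 11-13 are fixed enough to be found statically, which is how an analyst triages a packed sample for these tricks before ever running it. The following scanner is an added example (not code from the text nor from any program it mentions) that searches a raw binary for those byte patterns; the sample it scans is constructed from the Haspinst.exe sequence of Method 02, a MeltICE device name and the simplest int 41h check.

```python
import re

# Byte-level signatures for the tricks described in Methods 01-05, 07 and
# 11-13. Encodings are the usual x86 ones for the instructions shown in the
# text; an optional 66h prefix lets the 16-bit register forms match inside
# 32-bit code, and '.{0,8}?' tolerates a few unrelated bytes in between.
SIGNATURES = [
    ("Method 01: BCHK int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)"),
    ("Method 02: int 3 backdoor (SI=4647h, DI=4A4Dh)",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)"),
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("Method 05: int 41h/4Fh, expects 0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("Method 07: int 68h/43h, expects 0F386h",
     rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("Method 11: MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah, 4Fh)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("Method 13: SoftICE registry key",
     rb"(?:NuMega|Uninstall)\\SoftICE"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample, not a real binary: the Haspinst.exe sequence from
# Method 02 (16-bit encoding), a MeltICE device name, and the simplest
# int 41h check from Method 05, separated by NOP/NUL padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax, 0911h
    + b"\x8B\x17"              # mov dx, [bx]
    + b"\xBE\x47\x46"          # mov si, 4647h
    + b"\xBF\x4D\x4A"          # mov di, 4A4Dh
    + b"\xCC"                  # int 3
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"       # "\\.\SICE" device name
    + b"\xB8\x4F\x00"          # mov ax, 4Fh
    + b"\xCD\x41"              # int 41h
    + b"\x3D\x86\xF3"          # cmp ax, 0F386h
    + b"\x90"
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```

Run it on a whole file with `scan(open(path, "rb").read())`; a hit only says the pattern is present, so confirm it in a disassembler before treating it as a detection trick.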

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>