<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"): if the VxD is not loaded, ES:DI comes back as 0.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily installs its own
int 41h handler (es must point to segment 0, the interrupt vector table,
as in Method 06); a debugger that intercepts int 41h still answers 0F386h:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
function 4Fh is never requested: the installed handler copies al into cl, so
cl differs from al only if something else (the debugger) took int 41h first.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h               ; timer port: an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h              ; set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025            ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the first argument, the file name
 pointer, and +4 skips the "\\.\" prefix to land on the driver name):

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                      ;will break 3 times :-(
-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                      ;will break 3 times :-(
-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
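As an added example (not from the original text or from any of the programs it quotes), here is a small Python scanner that turns the checks above into byte signatures, so an analyst can spot Methods 01, 02, 05, 07 and 12 (opcode sequences) and Methods 11 and 13 (driver names and registry keys) in a dumped or unpacked binary. The signature names and the sample image are constructed for this example; the opcode encodings assume 16-bit code, with an optional 66h operand-size prefix so the same pattern also matches the 32-bit encoding of the 16-bit-operand instructions.

```python
"""Static scanner for the SoftICE detection patterns described above.

Added example, not part of the original text.  Opcode encodings assume
16-bit code; an optional 66h prefix lets a pattern match the 32-bit
encoding of the same 16-bit-operand instruction.
"""
import re
from typing import List, Tuple

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (BoundsChecker signature).
    # 'BCHK' is stored little-endian, so the immediate bytes are 4B 48 43 42.
    "M01 BoundsChecker 'BCHK' + int 3": re.compile(
        rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back door magic values).
    "M02 int 3 back door (SI=4647h, DI=4A4Dh)": re.compile(
        rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a\xcc"),
    # Method 05: mov ax,4Fh / int 41h (expects 0F386h back in ax).
    "M05 int 41h function 4Fh": re.compile(rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h / int 68h.
    "M07 int 68h function 43h": re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall (VWIN32_Int41Dispatch).
    "M12 VxDCall VWIN32_Int41Dispatch": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 11: device names handed to CreateFileA / _lopen, i.e. \\.\SICE etc.
    "M11 SoftICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry keys that reveal the installation directory.
    "M13 SoftICE registry key": re.compile(
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
        re.IGNORECASE),
}


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(image):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(image: bytes) -> List[str]:
    """One human-readable line per hit: hex offset and signature name."""
    return [f"{offset:08x}  {name}" for offset, name in scan(image)]


# Constructed sample image (not a real binary): the HASP Envelope loop from
# Method 02, the simplest Method 05 check, MeltICE's device name from
# Method 11 and the Method 13 registry key, separated by NOP padding.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                      # mov ax,0911h
    + b"\x8b\x17"                          # mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                   # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"     # registry key #2
)

if __name__ == "__main__":
    for line in summarize(SAMPLE_IMAGE):
        print(line)
```

A hit only means the byte pattern is present: the M01 pattern allows a few bytes between the `mov ebp` and the `int 3`, and the string patterns also fire on legitimate SoftICE tools such as the Symbol Loader, so treat the output as a list of places to look at in the disassembly rather than as a verdict.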

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>