<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature that SoftICE recognizes:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used to
call the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on. It is also used to crash SoftICE and to
force it to execute any command (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in the SIce window)
 -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911         ; execute command.
        4C19:0098  MOV  DX,[BX]         ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647         ; 1st magic value.
        4C19:009D  MOV  DI,4A4D         ; 2nd magic value.
        4C19:00A0  INT  3               ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD  BX,02           ; BX+2 to point to the next command to execute
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06           ; Repeat 6 times to execute
        4C19:00A8  JB   0095            ; 6 different commands.
        4C19:00AA  JMP  0002            ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax                  ; a non-zero entry point means the VxD answered
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh. There are several variants; the
following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler (es -> IVT)
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h                     ; our handler leaves ax alone; only a
                                        ; system debugger can turn it into 0F386h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to detect:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our own int 41h handler
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; unpredictable value read from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; cl == al only if our handler really ran
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed:

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers, you can detect
if SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring 0 only). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

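A decoder for the DR7 values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) and for the fields that arm dr0-dr3, added here as an illustration and not part of the original text; the field layout is the documented x86 DR7 layout, and the two helper names are my own.

```python
# Decoder for the DR7 values quoted above (0x700 with the SoftICE loader, 0x400
# otherwise) and for the fields that arm dr0-dr3. Added illustration, not the
# page's code; bit positions follow the documented x86 DR7 layout. Bit 10 of
# DR7 is reserved and reads as 1, which is why the baseline value is 0x400.
RW_TYPE = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the per-slot breakpoint settings."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # Li: enabled for the current task
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # Gi: enabled for all tasks
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3       # R/Wi: which access type traps
            ln = (dr7 >> (18 + 4 * i)) & 3       # LENi: size of the watched range
            slots.append({"slot": i, "local": local, "global": glob,
                          "type": RW_TYPE[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),    # local exact breakpoint match
        "ge": bool((dr7 >> 9) & 1),    # global exact breakpoint match
        "gd": bool((dr7 >> 13) & 1),   # general detect: traps MOV to/from DRx
        "breakpoints": slots,
    }


def dr7_hints(dr7: int) -> str:
    """Relate a DR7 value to the two baseline values quoted in method 10."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoint(s) armed in dr0-dr3"
    if d["le"] and d["ge"]:
        return "LE/GE set: the 0x700 value attributed to the SoftICE loader"
    return "no breakpoints and LE/GE clear: the plain 0x400 baseline"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0401):   # last one: constructed, dr0 armed
        print(f"dr7={value:#x}: {dr7_hints(value)} -> {decode_dr7(value)}")
```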
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple: it tries to open the SoftICE driver handles
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001
        00401074:  je   00401091

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov  eax,[00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589                   ; detected
        push 00                         ; OF_READ
        mov  eax,[00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae                   ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxdCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

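A static scanner for the byte patterns these tricks leave in a binary (the 'BCHK' constant of method 01, the 4647h/4A4Dh magic of method 02, the int 2Fh/1684h sequence of methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of methods 05 and 07, the \\.\SICE-style device names of method 11, the VxDCall arguments of method 12 and the registry key of method 13), added here as an illustration and not part of the original text. The signatures are my own hand-written assumptions (plain x86 encodings with an optional 66h prefix), run over a constructed sample buffer rather than any real file.

```python
import re

# Hand-written byte signatures (assumptions, not the page's own code) for the
# anti-SoftICE tricks above. Encodings are plain x86; an optional 66h operand-
# size prefix covers both 16-bit and 32-bit code where the two differ.
SIGNATURES = {
    # Method 01: mov ebp,04243484Bh ('BCHK', little-endian in the stream)
    "M01-BCHK": rb"\xbd\x4b\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (the back door magic values)
    "M02-backdoor-magic": rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04-int2F-1684": rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "M05-int41-4F": rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "M07-int68-43": rb"\xb4\x43\xcd\x68",
    # Method 11: the \\.\SICE, \\.\SIWVID and \\.\NTICE device names
    "M11-device-name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "M12-VxDCall-Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 13: the NuMega registry key (ASCII only; Unicode builds differ)
    "M13-registry": rb"Software\\NuMega\\SoftICE",
    # cmp ax,0F386h: corroborating only, too short to be conclusive alone
    "magic-F386-compare": rb"(?:\x66)?\x3d\x86\xf3",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan_anti_softice(data: bytes) -> list:
    """Return (offset, signature name) pairs found in data, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: NOP/zero padding around hand-assembled fragments of the
# tricks above (not taken from any real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # method 01, 32-bit
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                  # method 03, 16-bit
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # method 11 strings
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                      # method 12 pushes
    + b"\x66\x3d\x86\xf3"                                  # cmp ax,0F386h
)

if __name__ == "__main__":
    for offset, name in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Hits on real samples still need a look at the disassembly around each offset, since a 3- to 5-byte pattern can occur by chance in data sections.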
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only):

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>