<TABLE width=500>* R2 D9 k8 ?$ Y9 F' O e% b2 T' b3 J3 q
<TBODY>2 v0 W! Z; b6 P" z& I1 W! V; l' H
<TR>
|# W, U, ]" o& s- {* ^<TD><PRE>Method 01 3 L& ~" ~4 r/ @3 J
=========
9 n2 q! R; l; F4 ~; t
* G+ A e+ V, F' |5 E; dThis method of detection of SoftICE (as well as the following one) is
$ U- Y6 Z# U5 i$ f+ zused by the majority of packers/encryptors found on Internet.
0 C% ]2 W6 u0 X2 D& B; h$ `It seeks the signature of BoundsChecker in SoftICE
+ f4 V( l0 i& I/ m8 q( E1 h, L) E- Q4 Y, `% D
mov ebp, 04243484Bh ; 'BCHK'
6 f9 f( P. c9 [* p( c mov ax, 04h+ r" c% e8 E1 A g9 x) F' q) n" U
int 3 ) h; x M& s7 D# M& b
cmp al,4
N& W I/ {) ~6 s jnz SoftICE_Detected& q- m% }5 p d4 g+ ?
% Y& y1 z) u: m7 d$ Y) e
___________________________________________________________________________. j6 ]6 b. ~/ f. X. V) Z* u1 Z* ]! o' x' N
) d+ C0 ^ ?. V: l5 a h
Method 028 |/ E' w# g9 Q( T1 [. [1 y+ Q" b
=========4 l- Y/ R, _5 y
) Q: ?2 v e! e U7 q5 D, q
Still a method very much used (perhaps the most frequent one). It is used
9 }' v! Z& J3 m* qto get SoftICE 'Back Door commands' which gives infos on Breakpoints,3 b7 d: [0 D% z- g
or execute SoftICE commands...' w( C; q5 F ^' S& N ~1 i
It is also used to crash SoftICE and to force it to execute any commands
3 z! ~5 v0 a! p% C" f) R: B(HBOOT...) :-(( 7 M" R' ]/ u, | Z" w8 E) a
( a5 K! _3 m% Z/ g4 G! gHere is a quick description:
8 X" j5 x' E4 D$ V( H2 j-AX = 0910h (Display string in SIce windows)
. O' h) ~8 U d$ P% G3 D-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)9 |5 e+ H2 ?2 U! W- i
-AX = 0912h (Get breakpoint infos)
3 Y; C( X4 U$ R. p. d. p& N. b9 y-AX = 0913h (Set Sice breakpoints)! K" S. I8 k' h
-AX = 0914h (Remove SIce breakoints), n* E* q( Q9 l) b) R% q1 p% j, c; e
; m- ?" t$ }6 L: n" B) U: oEach time you'll meet this trick, you'll see:
- `2 U4 M1 l, O6 b-SI = 4647h. d6 M$ G- B2 X$ c8 Z" N
-DI = 4A4Dh
1 w$ H# X* l% h5 O; a7 e$ a( A( XWhich are the 'magic values' used by SoftIce.
( I' h: {. a/ |/ \" n5 f4 kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% K( r0 M7 }% G3 ~/ h; k4 `5 o* A0 @; ^
Here is one example from the file "Haspinst.exe" which is the dongle HASP
; q6 L" j7 @4 Y4 k5 p$ ~Envelope utility use to protect DOS applications:
: F7 V5 h1 ^4 P0 d) \! H; w! u( i* L! K
* ]3 D/ |. v1 f' ~4C19:0095 MOV AX,0911 ; execute command.! ?; h( v1 ^: ]4 C% z I. A5 Z
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).! S; _( ]0 q" E* e) P
4C19:009A MOV SI,4647 ; 1st magic value./ i* M$ Z& r, x$ B+ A
4C19:009D MOV DI,4A4D ; 2nd magic value.6 `7 a& L; n6 U4 O; |8 y
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 [+ U! m1 s. U& a8 J. e- O& [
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
6 b7 N" K8 _* z& e: G! Z9 j4C19:00A4 INC CX
0 f! K% B7 w4 `- H a* Z X4C19:00A5 CMP CX,06 ; Repeat 6 times to execute, N7 I% ^3 }. s& y- S
4C19:00A8 JB 0095 ; 6 different commands.' R7 q: M7 r* ]4 F$ w
4C19:00AA JMP 0002 ; Bad_Guy jmp back.: b7 ^3 Y+ u+ m" e$ O, m4 l
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
4 p. @5 O$ @ y$ b# V& u3 Y( y* g
The program will execute 6 different SIce commands located at ds:dx, which
( k# F% z) j9 y! i$ kare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 p( c0 a* l/ f2 }8 v& t; n; i
! @+ c: Q" ]8 I# h; t" n0 c* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.6 t) f( ~( B, O! I& |
___________________________________________________________________________
, Q2 P! N, E: i+ A+ h$ B: h
9 |8 y# q% `) r' Z5 g6 z4 O @4 V. B) [5 B, k' y
Method 03
' ^# N! n3 Z, `- e9 K=========
3 O2 E3 \7 V F& a0 n! u _
. x" [& b; T/ i. K) y" {: ~, dLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ N9 k5 ?& w# M" z$ Z
(API Get entry point)7 X- |: @" [* P1 m
& \' \' n' B, D, ^4 u1 ?$ r
% K9 s6 F2 S! W; Q9 u+ A' Y xor di,di+ s$ E: \ @& k$ j3 c+ W& ]; n% Q
mov es,di- G) W% R# C @/ f) {6 }; f- N
mov ax, 1684h
" x: `8 O& {! v! A! p1 h mov bx, 0202h ; VxD ID of winice
9 h& z. c! j; [3 A; E int 2Fh! [0 }+ l8 T' c0 l! u
mov ax, es ; ES:DI -> VxD API entry point' v- }) e- ~4 v
add ax, di
) V5 _# W* \1 d: C6 j& y test ax,ax. s) X$ F( f, W& i h
jnz SoftICE_Detected
. H1 M4 G2 z; l" R% @5 e
3 G2 H: J4 h6 Z" [$ ^___________________________________________________________________________5 @" `+ J8 C" ?
: p! Z0 R& E4 Z/ o p& s( XMethod 043 r2 W- A# n- n- o. @; I
=========7 c% {2 p5 t& ] G
& F+ l% _6 J6 H. b! K6 P4 I% Y5 S) r
Method identical to the preceding one except that it seeks the ID of SoftICE
7 W- v2 z- n) ]' I& g" z: OGFX VxD.
7 f1 P2 b6 X- a0 L* u6 ~' f- u0 S1 L, v) V1 i5 G& K# q: P
xor di,di2 `$ p3 {7 }: {5 J( R3 _( {
mov es,di# _$ _6 v& z7 @& t) [6 k
mov ax, 1684h
- k7 G7 D8 {4 u" s' @) V3 q mov bx, 7a5Fh ; VxD ID of SIWVID
1 M5 f/ d- A0 N. I int 2fh6 b8 j" Q' N' P& J
mov ax, es ; ES:DI -> VxD API entry point( y1 u( {9 L# c* f2 w; w+ Q
add ax, di
1 w7 d% k p" i# K2 r: ]# D test ax,ax
. Q# K. C" J* t- E& Q, j* M jnz SoftICE_Detected$ V+ d, B- T# T
* Y1 r" ^: x6 T6 z__________________________________________________________________________
! S$ q5 `6 g% Z `0 d
9 f" b' S, T) R9 j( N, S9 ~' x! j" C0 }3 n9 v
Method 05# |; l0 k& ~" ]8 f* `
=========
; X$ q' |! i9 M2 R, ^! ?; }
0 o& ~( E& O' H; G4 z1 G7 u. [Method seeking the 'magic number' 0F386h returned (in ax) by all system
. p8 ^/ @( P( o+ adebugger. It calls the int 41h, function 4Fh.
2 M! K/ @0 x5 AThere are several alternatives. 6 f3 r6 ~9 M4 _. |5 R
* W2 R# ]. F1 t% V7 [7 p% u
The following one is the simplest:
9 ^! g' N: D, t; D4 h" Z. X7 X. ^7 b
mov ax,4fh
+ ?4 {* Q( e E \ int 41h
- S3 F+ D( I C& g9 j7 Z$ C cmp ax, 0F386
9 n6 n, q. h! f( h jz SoftICE_detected
6 k: y4 v7 p7 K' ^: g
( A4 O* O: B# S8 w. z9 a/ g# m7 U" y4 Z6 F
Next method as well as the following one are 2 examples from Stone's 1 e1 A0 J% X$ F
"stn-wid.zip" (www.cracking.net):
& T! X0 G! h& N+ B+ L* ?
( c! a) k8 r9 x j3 `/ H$ E mov bx, cs# @# P1 P( y5 y( m, f
lea dx, int41handler2
2 Q @1 P ~" e# p' o xchg dx, es:[41h*4]/ G9 ]% j, ~8 S1 F% I
xchg bx, es:[41h*4+2]& }9 e3 N- P, {' K5 P
mov ax,4fh
$ o' D; V+ Y6 @8 n, p+ { g6 c! J int 41h
! G" P4 R3 a, @* ?3 G3 k5 B xchg dx, es:[41h*4]
' N+ W8 |8 h0 g xchg bx, es:[41h*4+2]5 T" _, m) `+ E" Y
cmp ax, 0f386h% M# `: W7 ~( ~5 X4 d, d( I, X
jz SoftICE_detected g) o+ W* e8 y# S! q2 m3 r
7 A& n, W0 C8 `2 W1 ?
int41handler2 PROC
1 W# ^1 v9 Q+ n$ L* `9 d& ?9 \& N1 \ iret
4 a6 l' ]5 K9 R' U" ]int41handler2 ENDP; I6 I% L# |' H
2 q! ]: V* ~5 I6 |
. P8 r4 I# j$ G- i1 N$ v' G_________________________________________________________________________
' b5 C6 Y+ F" j" K8 P/ s$ C9 ~6 J `3 i; S
% v& Z3 K) K1 y, j I4 Z
Method 06
( X; ^* R% W1 l1 h5 n Y& w=========' A. e6 M8 I6 z" j$ B' J
0 w' K) l/ {4 n/ `0 |2 s: |. X) K" t0 Y. q
2nd method similar to the preceding one but more difficult to detect:, U$ A5 @: b! R O' ]
' r: h4 C% f. z! x0 q) G- }; M
& }2 v! I0 H- b; v
int41handler PROC$ c% M& u: n4 N" y% E- c" @' ~
mov cl,al9 X6 f+ D( ^9 `. p: S7 A
iret! l) K# w' r% v- f- A6 Z! {" I) F* `
int41handler ENDP
6 k! D- U5 q9 E, S7 X: A ~* o* d/ t) N% D' s8 r+ n& Q
' r' r$ |1 `7 K5 |* o X% j
xor ax,ax
, Z) s5 [$ h' W mov es,ax) S$ ^7 l9 Y5 \
mov bx, cs
% r* p- {, F1 B6 o/ B1 f( O5 N lea dx, int41handler, d! ^8 S) q8 _2 v, z2 `
xchg dx, es:[41h*4]: a, T" v4 _$ j# d& S: u
xchg bx, es:[41h*4+2]
' Z6 d* L) w9 `8 _, y& N in al, 40h
$ Q4 y6 o5 y; K8 o- r xor cx,cx$ y }5 r" y9 W3 u9 v1 l; Z/ y# x
int 41h; ?) e/ s# j. ]: Y; j
xchg dx, es:[41h*4]
% F* B. f+ ]5 v, z9 [ xchg bx, es:[41h*4+2]
6 G" [: E: t0 E2 n4 }' J cmp cl,al
- {- Q) d9 L V% u; o1 T) ] jnz SoftICE_detected
, \+ I0 Z4 r' Z9 E- M. ~5 h0 z9 {7 ^$ z
_________________________________________________________________________8 K3 h- W; Y7 \& i) {! Z
, w/ A4 Q( o4 { T- }& _: K
Method 077 O6 e! n5 [3 `, c
=========& \: i' h/ ?9 e# J
% C' k( p' M, i/ z+ JMethod of detection of the WinICE handler in the int68h (V86)
& i+ |% U- d) z2 ]8 d/ a9 n+ t3 _5 [- Q* @$ p/ ^
mov ah,43h
& C2 i0 c- s; i' o9 k+ T int 68h
3 l! @, A; b- W+ t cmp ax,0F386h
% j" f7 F" X# ^ jz SoftICE_Detected
6 q9 Q* n2 N, H6 g y+ Z
' L$ O/ a' {7 n% L- z& q$ H
2 w% c# E5 \& \) ] p=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- O0 T' A- K0 {* ]* J) A app like this:
& u+ F6 M% |" _) P2 X# [2 b s4 F3 Q* a: }" y6 m5 b- M& |( C" r! ^
BPX exec_int if ax==68, h$ I1 t0 ?4 b y: [; A
(function called is located at byte ptr [ebp+1Dh] and client eip is( }& b' @/ H, c) E; y' H
located at [ebp+48h] for 32Bit apps)0 _3 X" D5 O& K) o7 v9 p
__________________________________________________________________________
2 v/ b2 ~- Z: V( U/ m8 c; h4 c/ R* V
% E& t$ M0 I; R4 ^4 D( wMethod 088 d @+ P/ g! @, E0 h* f
=========
) o \; o, r" I% D* J, p8 d& `6 O' o: ^3 |) u2 S- S
It is not a method of detection of SoftICE but a possibility to crash the
- ~9 T$ N+ e& ]0 psystem by intercepting int 01h and int 03h and redirecting them to another
; H; c/ z$ m9 X) f% Croutine.3 Q& `- y4 k, k7 L: D0 [+ U
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. K/ w# V1 M# n! H- L5 P; z# W
to the new routine to execute (hangs computer...)$ m3 p8 w! A; E7 D# A" l
' R1 t! `; D2 l1 U, }6 [5 z mov ah, 25h
# v1 d" Q9 C5 l) \ mov al, Int_Number (01h or 03h)
# a4 j9 y7 w) ?8 G9 X mov dx, offset New_Int_Routine
: A ?+ W; u" G5 p) p int 21h
. Y; n# b0 k% Z& J1 M+ K7 H
) ?% P' X: m! M4 ]__________________________________________________________________________( e3 y3 _7 }: B/ V0 W. S# K* |- p9 S
5 u& l p$ p9 v- e
Method 096 N# m* M- ?( R$ z8 X
=========: L& _# r$ G- b, G, ]4 m
% e( P" @. q1 O: x/ X
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- u- V; |9 O( \* wperformed in ring0 (VxD or a ring3 app using the VxdCall).
y" t% e1 ]6 e' tThe Get_DDB service is used to determine whether or not a VxD is installed
: ?8 b( W( X& Z& {% Cfor the specified device and returns a Device Description Block (in ecx) for
, F. U1 d% y6 n. X4 E! uthat device if it is installed.
( F0 E7 @4 t( P! M$ }; r, X. k$ o" @2 k, ~( \% n/ A
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID/ C6 m ^& `0 N1 c% y% f' u/ J
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ W6 f: \- Q/ B
VMMCall Get_DDB
- T% I- m4 o9 c/ i S' f- o5 A* N mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ M- D3 U) N% d
% Q2 b+ j' O, p0 s) ^
Note as well that you can easily detect this method with SoftICE:
6 r# [" E9 ~9 l& D3 v9 g6 G2 } bpx Get_DDB if ax==0202 || ax==7a5fh
1 }5 t! g- n9 t( x' K9 Q$ S% @( Q8 B
__________________________________________________________________________7 g6 F, g0 {. I7 _# j* R) ^. A
; o1 {0 c4 m; _2 cMethod 10
% f& F3 M9 L$ W0 f! ~7 I$ |=========' v$ e! s1 ^; s* m% V3 T
' O$ W T+ o v6 L4 y! u; b1 D& W=>Disable or clear breakpoints before using this feature. DO NOT trace with
# [/ w [! q& Y3 O* ]0 X SoftICE while the option is enable!!
! @* ^( |, I. x; u+ c* |" T/ @
/ z" t1 f, E3 n) d- v" [# x3 YThis trick is very efficient:
: e; L3 M# |' J/ Z8 F/ e: Vby checking the Debug Registers, you can detect if SoftICE is loaded: B5 w0 o. q0 y8 Y4 Q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
- m( ?6 \0 ?- w p: [+ C) sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ t. U: _% e, W" I2 qvalue (in ring0 only). Values can be manipulated and or changed as well O; b S7 _" s( B
(clearing BPMs for instance)
$ h# L: k' T8 r' o5 e% f1 o
2 ^* ]3 u# N7 `__________________________________________________________________________, ^& f9 I& c. r, N; W- m$ b8 C3 B
% u- {9 b* b' G! E, n
Method 11
8 v- L* x+ `; E1 F=========4 Q- n3 f7 B) [1 z- b
6 E7 ]" r. w1 VThis method is most known as 'MeltICE' because it has been freely distributed, t7 d- ]; S* c2 x- M( T7 T( ^
via www.winfiles.com. However it was first used by NuMega people to allow
/ v r7 C4 z! N/ k& sSymbol Loader to check if SoftICE was active or not (the code is located; D: _. R3 N3 @
inside nmtrans.dll).; {: h) c4 G" f& x. a( ?
0 L9 L3 s7 V; r! ?5 oThe way it works is very simple:9 k6 B0 {) r1 o. x6 \
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 ]' {+ a7 z7 U6 }7 Y% g& W* nWinNT) with the CreateFileA API.$ W, U8 i' v) s# @# K/ ^+ b p# N
+ x" m% p& C( c/ k, @
Here is a sample (checking for 'SICE'):/ g; Z* y/ H) T+ m/ G* ]
* O1 z) ]5 U! |
BOOL IsSoftIce95Loaded()7 E7 \0 G$ q9 i3 e6 d) Z! c( w/ }
{
: @4 ~4 D6 j! _( z, s- G HANDLE hFile; 8 }6 z( M! ~5 N
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 b2 J/ G4 N, y+ g- b, y1 i FILE_SHARE_READ | FILE_SHARE_WRITE,& {$ t+ D0 ^! l
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 H" r. S. t7 A- b' U6 u
if( hFile != INVALID_HANDLE_VALUE )
2 ~. {: R7 n. A {
8 n4 x5 q; l0 h: C5 ^7 a1 w. O2 j# f- h8 j CloseHandle(hFile);
, E) u8 r5 K6 K( X return TRUE;
+ V' c2 R1 ^) u: t }1 J7 x, S5 r0 R- @! v0 D
return FALSE;
& Q1 d# A ]& Z* l$ Q6 ~}7 j) l) m) S/ `( `; I/ @
. l5 { ~! h/ e, cAlthough this trick calls the CreateFileA function, don't even expect to be
$ j( ?7 [8 p% N- qable to intercept it by installing a IFS hook: it will not work, no way!, }- W* [5 z1 V# j1 C& X1 o
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
2 f5 d, F0 P8 q% Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
/ E7 o; R) s; Q" D5 K$ K1 e6 Band then browse the DDB list until it find the VxD and its DDB_Control_Proc" m5 d: X' j7 L5 `) R
field.
8 y1 W% O& U0 D8 E) aIn fact, its purpose is not to load/unload VxDs but only to send a $ m z! E' F4 W! |7 z# s! j
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
- j# E2 ?+ Q# X2 Hto the VxD Control_Dispatch proc (how the hell a shareware soft could try
! N# O, J6 C2 |6 W2 j7 N0 oto load/unload a non-dynamically loadable driver such as SoftICE ;-).: ^, K, o2 K J2 |
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 n" i# s1 b8 i# x" y) Zits handle to be opened and then, will be detected.# E- x7 a* |6 F0 O E; |
You can check that simply by hooking Winice.exe control proc entry point
# \3 \. j. d* P2 ?' ?while running MeltICE.& e" Y7 ~' N0 n `) w# \
9 s6 m7 Z4 }" w& h: n$ @$ Q! i I m% ]9 ]
00401067: push 00402025 ; \\.\SICE" F8 b; S7 C2 I9 H2 |: V+ Z
0040106C: call CreateFileA5 o$ v, u& @$ {9 I3 N, z$ {
00401071: cmp eax,-001
" R% H& I, ?2 Q5 T1 d 00401074: je 00401091
2 C; A P9 _ J* _0 J
, q+ r# h+ X/ b# H/ H' V! q6 k" r' w/ W
There could be hundreds of BPX you could use to detect this trick.
: \. R3 l- I- a E/ L+ V5 c-The most classical one is:
5 ]/ `8 }) M+ G1 G, F4 w BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||) A9 o; N( P0 m. J- @
*(esp->4+4)=='NTIC'' F* w; a. V! K! ^1 f, [4 M
: r) F$ F+ |* N
-The most exotic ones (could be very slooooow :-(
, _; x8 H% Z2 f* J* K: @ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
8 ?' \: B+ ?. i ;will break 3 times :-(
2 D$ V1 H7 O# p" I' E
: Q; P) I! B0 \2 }* q% }4 }-or (a bit) faster: $ _: k, K, P$ \5 K5 ~8 A
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ Q- ^2 E! z+ o; f+ F9 s8 ^/ X
* C% R" F; X0 Q2 v
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 3 h# L8 S( i1 p4 {; \' E3 U/ h
;will break 3 times :-(
. I1 ]2 i2 t3 q$ e
1 [& ~: E3 o$ o9 C) V# @-Much faster:
$ F) R) r$ I+ }4 I" T( }1 ] BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'8 H- x) x1 {$ `7 d" n$ z8 x+ q: o) ^3 m" J
- L h# ~/ I7 Q6 e/ j3 Y5 _/ v
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
' L1 _: ~& Z, E( Qfunction to do the same job:
1 ]4 n, w+ O3 y: x) f5 B
R* A+ N: A4 H, [5 r5 F4 N push 00 ; OF_READ
. X# `8 l0 h( R+ [. K mov eax,[00656634] ; '\\.\SICE',0. x3 {+ q$ w* Y6 P( u5 I$ ]3 M
push eax
, l6 M8 g3 b- E; ?6 W# F- r7 i call KERNEL32!_lopen
. I& e) v M' z9 j0 B8 {1 O! p. l inc eax5 X+ k f* j/ H
jnz 00650589 ; detected
2 ]( k8 U4 |. `6 x push 00 ; OF_READ% m: Z( c" [. Y
mov eax,[00656638] ; '\\.\SICE'4 s3 K& }! v' _; g) o( \; W1 {
push eax) F, L/ Y" p. ?5 U/ D W8 ~$ `% D
call KERNEL32!_lopen
4 l1 x4 s8 G& W6 x6 V, l inc eax
7 S) [( D% t% g jz 006505ae ; not detected
' ? m: Y. R* ^' B3 X7 K. s2 r! I
: h5 _4 k) x5 U7 J; W" V__________________________________________________________________________0 k+ n8 ` C, z9 s( t( [3 u
1 x9 [" a% n' X6 X0 q7 p4 sMethod 12
5 W5 i* H8 r% z( i0 w=========9 ~8 I+ s3 g9 T3 F; P9 `4 ]
4 P" Z! ?' p' X8 y5 y4 rThis trick is similar to int41h/4fh Debugger installation check (code 05
0 j/ Y; h3 V/ N9 z) Q& 06) but very limited because it's only available for Win95/98 (not NT)
! G% s- e0 |, }- zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* \8 T# [9 \6 g8 Q2 f! i c: G7 D' I6 M
push 0000004fh ; function 4fh
7 }9 k# f5 t! [4 t& q push 002a002ah ; high word specifies which VxD (VWIN32)5 D! D9 u% Y1 d2 u# r2 ?3 E7 O
; low word specifies which service/ }3 S9 o+ T' ^
(VWIN32_Int41Dispatch)1 w3 j' U9 U3 {8 b3 i+ l
call Kernel32!ORD_001 ; VxdCall
0 j7 \. I' e7 h% S cmp ax, 0f386h ; magic number returned by system debuggers
, r# i1 W, E; E jz SoftICE_detected
) l0 a$ j3 I- S; W8 H% M- O2 q( S! K
$ Z4 w( m4 S) V* vHere again, several ways to detect it:# q7 t b; ?( z% `" a% E
% U1 [% r% a+ J+ g5 F8 R5 C c BPINT 41 if ax==4f
& s: \8 ~+ s& v7 e1 N6 ^0 a+ Y8 }4 D, y5 V5 a) ^
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
( m( T) F( p0 a4 A, {: N- k8 p
/ X* s( C! F* B0 J3 i/ S& O BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
* P2 k3 i0 Y x" q, [7 \
- P: d" [, J) e! B BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
3 I( V- D6 z% \: @8 \: v# C0 u: r8 k2 ]4 I: K4 e; Q+ i% B
__________________________________________________________________________
/ r2 U- ]( T% S2 p; x# C& K" a1 e- c( H8 Y9 \5 e1 V
Method 13$ E* K* m9 A" b q2 ]9 e! ^
=========
: p9 w# Q1 T4 X
+ q& I/ L/ e! g' D d; ?! C) BNot a real method of detection, but a good way to know if SoftICE is
9 B! }( a$ @5 w9 u& Q+ V2 Ninstalled on a computer and to locate its installation directory.
& k$ G* y( c) O2 x vIt is used by few softs which access the following registry keys (usually #2) :
$ W: x6 w# ]( b" c! l
: q9 A Y( f4 [: S2 g-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& q/ R$ M2 A; ]) X\Uninstall\SoftICE% W! `7 \8 n# a, x. ]3 V0 w# F% u
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' ~0 C$ y5 H/ M: X. K9 _# Y
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& D. H" x+ s* M% c7 r
\App Paths\Loader32.Exe+ }. ~! q) y+ L
' A$ }. s! N. B5 L4 [! d' s% s/ e$ w3 ^1 Z. G* @4 Q
Note that some nasty apps could then erase all files from SoftICE directory
0 O# @5 R( S9 y& f; W+ j( l! a(I faced that once :-(/ d" E% M7 j$ o. x+ o5 u, _/ r
8 G$ I2 M5 P! y- _' X( bUseful breakpoint to detect it:' q" r+ @$ e5 g0 R$ Y+ x0 ]+ I% O
) C* j4 K) x& G) p3 f
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' b3 O2 @$ ]: A# E
F D1 k) a* q) C5 m__________________________________________________________________________* k" B- F. M) Y" @( K+ \
! n3 G. o K0 J
" X5 g# F" }6 L KMethod 14 & A( J$ f9 p3 ~( k
=========/ i& E: ^. Q4 z' c+ |6 S
+ E' C. v9 I# n1 W9 R
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* \, x$ m3 G, f% J. e: f7 T# gis to determines whether a debugger is running on your system (ring0 only).; Z, T1 R, v$ L. \. Z! I0 C" j
% e( N2 ^* u3 z( ?; @) _2 ] VMMCall Test_Debug_Installed
# B2 P6 p4 ~/ R X9 n0 u# B8 @; f je not_installed) L6 j8 c: L: m3 z
# ]' y! w* q& i5 u9 Z1 q2 I; M
This service just checks a flag.
' }. D3 X; H7 d" @6 `</PRE></TD></TR></TBODY></TABLE> |