<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection method (as well as the following one) is used by
most of the packers/encryptors found on the Internet.
It relies on the BoundsChecker backdoor built into SoftICE: with EBP = 'BCHK'
and AX = 04h, an INT 3 is answered by SoftICE, which changes AL; without
SoftICE the INT 3 simply returns and AL is still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' INT 3 interface, which gives information about
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE expects in these calls.
For more information, see Ralf Brown's Interrupt List, INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands, whose strings are
addressed through the pointer table at [BX]: LDT, IDT, GDT, TSS, RS and
...HBOOT (which reboots the machine).

* the jump to 00ADh is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less common method. It looks for the SoftICE VxD by its ID, using
INT 2Fh/AX=1684h (Get Device API Entry Point). If the VxD is loaded, the
call returns a non-zero ES:DI.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX (video) VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls INT 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next listing, as well as method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). ES is assumed to point to segment 0 (the
interrupt vector table). The INT 41h vector is temporarily replaced with a
harmless IRET handler, so that on a machine without a debugger the call
returns AX unchanged; the check relies on SoftICE intercepting INT 41h
before the V86 vector is reached, so it still answers 0F386h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; swap in our handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but harder to spot because
there is neither a 4Fh function code nor a 0F386h comparison. The installed
INT 41h handler copies AL into CL, and AL is loaded from the timer port
(IN AL,40h) so that its value cannot be predicted. If the handler really
runs, CL equals AL afterwards; the check relies on SoftICE intercepting the
INT 41h so that the handler is never reached and CL stays 0:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                       ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; swap in our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; unpredictable value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]             ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function AH=43h is
the debugger installation check and is answered with AX=0F386h.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system: it
intercepts INT 01h and INT 03h and redirects them to another routine.
It calls INT 21h functions 35h and 25h (get/set interrupt vector) with DS:DX
pointing to the new routine to execute (which hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed from ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (DR7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) or whether memory breakpoints are set (DR0 to DR3). The
values can be manipulated or changed as well (clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)      /* the device exists: SoftICE is loaded */
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the '\\.\' prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f        ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the lpSubKey argument; offsets 0x13 and 0x37 land on 'tICE' in
 "Software\NuMega\SoftICE" and in "...\Uninstall\SoftICE" respectively)
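As an added example (not part of the original text, nor code from any of the
programs cited on this page), here is a small static scanner, written in
Python for this page, that looks in a raw binary for the byte patterns of the
tricks described above: the INT 3 backdoors of methods 01 and 02, the
INT 2Fh/1684h probes of methods 03 and 04, the INT 41h/4Fh and INT 68h/43h
checks of methods 05 and 07, the VxDCall sequence of method 12, the MeltICE
device names of method 11 and the registry path of method 13. The instruction
encodings are the standard 16/32-bit x86 ones; the sample buffer is
constructed for the example (its method 02 loop is hand-assembled from the
Haspinst.exe listing above), and the signature set generalises the page by
covering all of the listed methods in one pass.

```python
"""Static scanner for the anti-SoftICE byte patterns described on this page.

Added example, not code from the original text. It scans a raw buffer for
the x86 encodings of the detection sequences and for the ANSI strings used
by the MeltICE and registry tricks. A 0x66 operand-size prefix in front of
a MOV does not defeat a match because only opcode + immediate are searched.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Signature:
    name: str
    parts: tuple          # all parts must be present; the last one is the anchor
    window: int = 32      # the other parts must sit within this many bytes before it


SIGNATURES = (
    # method 01: mov ebp,'BCHK' / mov ax,4 / int 3
    Signature("method 01: BoundsChecker INT 3 backdoor (EBP='BCHK', AX=4)",
              (b"\xbd\x4b\x48\x43\x42", b"\xb8\x04\x00", b"\xcc")),
    # method 02: mov si,4647h / mov di,4A4Dh / int 3
    Signature("method 02: INT 3 backdoor (SI=4647h, DI=4A4Dh)",
              (b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc")),
    # methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    Signature("method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",
              (b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f")),
    Signature("method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
              (b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f")),
    # method 05: mov ax,4Fh / int 41h
    Signature("method 05: INT 41h/4Fh debugger installation check",
              (b"\xb8\x4f\x00", b"\xcd\x41")),
    # method 07: mov ah,43h / int 68h
    Signature("method 07: INT 68h/43h debugger installation check",
              (b"\xb4\x43", b"\xcd\x68")),
    # method 12: push 4Fh (short form) / push 002A002Ah (VWIN32_Int41Dispatch)
    Signature("method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
              (b"\x6a\x4f", b"\x68\x2a\x00\x2a\x00")),
    # method 11: MeltICE device names (ANSI only)
    Signature("method 11: device name \\\\.\\SICE", (b"\\\\.\\SICE",)),
    Signature("method 11: device name \\\\.\\SIWVID", (b"\\\\.\\SIWVID",)),
    Signature("method 11: device name \\\\.\\NTICE", (b"\\\\.\\NTICE",)),
    # method 13: registry path (ANSI; a Unicode build would need the UTF-16 form)
    Signature("method 13: registry key Software\\NuMega\\SoftICE",
              (b"Software\\NuMega\\SoftICE",)),
)


def scan(buf: bytes) -> list:
    """Return (offset, signature name) pairs, sorted by offset.

    A multi-part signature matches when its anchor (the INT, or the final
    PUSH) is found and every other part occurs in the `window` bytes before
    it; the reported offset is that of the earliest part, so it points at
    the start of the detection sequence. The MOVs may appear in any order.
    """
    hits = []
    for sig in SIGNATURES:
        *others, anchor = sig.parts
        for m in re.finditer(re.escape(anchor), buf):
            lo = max(0, m.start() - sig.window)
            region = buf[lo:m.start()]
            if all(p in region for p in others):
                start = min([lo + region.find(p) for p in others], default=m.start())
                hits.append((start, sig.name))
    return sorted(hits)


def report(buf: bytes) -> list:
    """Human-readable lines, one per hit."""
    return [f"{off:08x}  {name}" for off, name in scan(buf)]


# Constructed sample buffer (not taken from any real binary): NOP filler with a
# lone INT 3 that must not match, the method 02 loop hand-assembled from the
# Haspinst.exe listing above, the MeltICE device name, and a method 04 probe.
SAMPLE = (
    b"\x90\xcc" + b"\x90" * 6
    + bytes.fromhex("b81109 8b17 be4746 bf4d4a cc 83c302 41 83f906 72eb e955ff 8bdc")
    + b"\x00" * 16
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 8
    + bytes.fromhex("b88416 bb5f7a cd2f")
)


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it against a dump of the file under study (for example `scan(open(path, "rb").read())`); a hit only tells you where to put a breakpoint, since a benign INT 3 or INT 2Fh call next to the right immediates will also match.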

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only). The zero flag is clear if a debugger is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>