<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al,4
  jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 0202h ; VxD ID of winice
  int 2Fh
  mov ax, es    ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

  xor di,di
  mov es,di
  mov ax, 1684h
  mov bx, 7a5Fh ; VxD ID of SIWVID
  int 2fh
  mov ax, es    ; ES:DI -> VxD API entry point
  add ax, di
  test ax,ax
  jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]    ; es points to the IVT (segment 0): swap in our own
  xchg bx, es:[41h*4+2]  ; int 41h handler, keeping the old vector in bx:dx
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]    ; restore the original int 41h vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl,al              ; our handler just copies al into cl
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h             ; arbitrary value (PIT counter) in al
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl,al              ; cl != al means our handler did not run: int 41h was hooked
  jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

  BPX exec_int if ax==68
  (the function called is located at byte ptr [ebp+1Dh] and the client eip is
  located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

  mov ah, 25h
  mov al, Int_Number   ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver answers the device open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the device opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025   ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(
-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(
-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00             ; OF_READ
  mov eax,[00656634]  ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589        ; detected
  push 00             ; OF_READ
  mov eax,[00656638]  ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae         ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

  push 0000004fh        ; function 4fh
  push 002a002ah        ; high word specifies which VxD (VWIN32)
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001 ; VxdCall
  cmp ax, 0f386h        ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
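The idioms behind Methods 01, 02, 03/04, 05, 07, 11 and 13 above are fixed byte sequences, so an analyst can look for them statically when triaging a packed sample instead of stepping into them. The scanner below is an added example, not part of the original text or of any tool it mentions; the opcode encodings are standard x86 and the SAMPLE buffer is hand-constructed from the stubs on this page.

```python
import re

# Static triage for the SoftICE detection idioms described on this page.
# Each rule is (method, description, regex over raw bytes); the lazy ".{0,8}?"
# gaps allow a few unrelated bytes (prefixes, register setup) between the
# anchor instructions. The 0x66 operand-size prefix of 32-bit code precedes
# the matched bytes, so 16-bit and 32-bit encodings both match.
_RULES = [
    ("01", "BoundsChecker 'BCHK' signature: mov ebp,4243484Bh ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02", "int 3 back door: mov si,4647h / mov di,4A4Dh ... int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
     rb".{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h entry point query for VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger check: mov ax,4Fh ... int 41h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h against the system-debugger magic number",
     rb"\x3D\x86\xF3"),
    ("07", "int 68h function 43h WinICE handler check: mov ah,43h ... int 68h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
]
_COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in _RULES]

# Method 11 device names and the Method 13 registry path, ASCII and UTF-16LE.
_STRINGS = [("11", r"\\.\SICE"), ("11", r"\\.\SIWVID"), ("11", r"\\.\NTICE"),
            ("13", r"Software\NuMega\SoftICE")]

def scan(blob):
    """Return sorted (offset, method, description) hits found in blob."""
    hits = []
    for method, desc, rx in _COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), method, desc))
    for method, text in _STRINGS:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            pos = blob.find(needle)
            while pos != -1:
                hits.append((pos, method, "string %r (%s)" % (text, enc)))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)

def methods_found(blob):
    """Set of method numbers whose idiom appears in blob."""
    return {method for _, method, _ in scan(blob)}

# Constructed sample: the stubs from this page hand-assembled, plus filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # Method 05
    + b"\\\\.\\SICE\x00"                                           # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)
CLEAN = b"\x90" * 32 + b"just an ordinary string"
```

Run scan() over a file's bytes and print the offsets it returns; a match only says the idiom is present, so confirm it in the disassembly before drawing conclusions.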

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>