<TABLE width=500>( g1 O6 z" y; u! M
<TBODY>0 z; [0 Y- w* R9 T
<TR>0 G0 I# P8 {# O# L
<TD><PRE>Method 01
5 B* p/ W: u, `. w9 O. j2 s=========" _3 L1 X8 e" G% e0 }! Q
& H- U; i# N) @0 ^' V6 |! cThis method of detection of SoftICE (as well as the following one) is
9 b" d% r0 x' }8 Z0 }used by the majority of packers/encryptors found on Internet.
! c& i! m& F ~+ h* JIt seeks the signature of BoundsChecker in SoftICE
0 |0 J3 e$ P5 g2 p9 g
% m) ]! n/ `+ ?) K) ] mov ebp, 04243484Bh ; 'BCHK'. p$ C7 [; S& n( t- @6 a
mov ax, 04h
9 y1 s, V. U% o int 3
! h4 n; @6 j% Z. b; B cmp al,4
- J" N+ o7 c# n* [ jnz SoftICE_Detected" b# e/ ]8 `2 [- i% z' _
/ h* W; g9 j+ C$ M- j3 k
___________________________________________________________________________: h5 K( S: [. n5 G
- ^: ~4 C2 F/ a) m2 S' g
Method 02
4 l0 i" i+ p) ~* T; Z9 a=========
! A6 H7 E4 X, Z7 T, X; p+ `5 g! ?8 c' q: `1 W
Still a method very much used (perhaps the most frequent one). It is used, L: N6 b1 a. ?+ ^4 A( T, E0 F5 v
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
9 q3 j7 b3 z, A) s4 Eor execute SoftICE commands...
9 \6 p5 a# X! |" KIt is also used to crash SoftICE and to force it to execute any commands6 [$ W! x) S. S) f$ Y/ K ]" h" _
(HBOOT...) :-((
% V" L$ {0 Z+ D2 ]' c: V, N$ b& J
' \1 v; T0 S9 C$ X+ CHere is a quick description:
( K F7 ~* j2 u% y) L-AX = 0910h (Display string in SIce windows)
8 y0 A6 _: |8 }& H8 z, i-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
. _& N% a: E- {. w- ^" V# ~' z-AX = 0912h (Get breakpoint infos)
7 O9 M1 k4 F3 P! d, k-AX = 0913h (Set Sice breakpoints)$ x! Z x9 k4 C" J
-AX = 0914h (Remove SIce breakoints); ?! e( p% O9 R
) G# u) ^' W6 E
Each time you'll meet this trick, you'll see:8 q4 M$ }- G7 j! Z3 E
-SI = 4647h) g3 Q. e/ ]$ { w4 j
-DI = 4A4Dh2 |* m' v8 _) G o1 ^, W% S$ Z
Which are the 'magic values' used by SoftIce.
# ?' \& q2 U' ]; _: S% i1 T8 UFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 f. p5 Z6 g" x- p3 [$ i( t
/ y: |. L0 K' X" m) ?1 W
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. K0 P2 _! t" V n2 l3 d" \Envelope utility use to protect DOS applications: `6 Q6 |% y8 y2 W: U5 f; T
: S; {1 k D6 m
' \* J1 ~9 b/ U' _: ] Z. C- j# M
4C19:0095 MOV AX,0911 ; execute command.; u/ }$ d v4 X" U Q
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
' r+ c4 g+ F( c# v' j w% h7 @4C19:009A MOV SI,4647 ; 1st magic value.1 ~6 l: r; Y) v( @ {
4C19:009D MOV DI,4A4D ; 2nd magic value.
7 y2 E2 r# q; O) @4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
9 y7 B& v+ B$ l4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute' l( |3 A" A. n, d
4C19:00A4 INC CX
7 T3 J# x( i6 n6 }4C19:00A5 CMP CX,06 ; Repeat 6 times to execute3 B, R! L# B% b _
4C19:00A8 JB 0095 ; 6 different commands.
8 k% {5 r( J; Y0 |1 Z1 u1 R8 U) k4C19:00AA JMP 0002 ; Bad_Guy jmp back.
$ z; I! a: s2 U1 c4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
% A" J& ]% s u/ \$ W' j- A3 |. f0 C
The program will execute 6 different SIce commands located at ds:dx, which
9 v. M6 {. P3 k: Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT./ U, |5 n* u" _2 M, b) f
) @, ^& a5 m- Y4 p' f u, c; r
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
% {- H5 c6 Q+ o$ j$ t$ q___________________________________________________________________________, o9 I; U' I; {$ b4 y# G5 s
' X% ~- S# L' n6 }0 m) ]$ t& I ^ z( V
Method 03
1 D. \+ Q, G5 G( {- O8 B=========9 X! K" L; I; G4 ?9 b: ~* v ~3 t
+ |$ ^) d, ^% `' g& ^6 Z( `Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
! Z6 ^6 X$ D3 r. i: x+ v9 o(API Get entry point)
- X* m3 k6 g5 ]% L1 ]6 d. T" } 0 ~2 o$ b& R: H9 E
6 v; m9 T" Q* r) \9 T
xor di,di& s8 T) t( [0 m- c% J- y) _+ Y
mov es,di' e" C8 b- q3 [" z. q
mov ax, 1684h
! t7 b9 w5 [) F K! [ mov bx, 0202h ; VxD ID of winice2 C, r8 X9 ]: u4 ~* H
int 2Fh
# X( K& i" n: |, | q: u5 L mov ax, es ; ES:DI -> VxD API entry point
6 X* T2 K. }& G+ ^( q add ax, di
+ m# {( |* v5 b( w G3 Q test ax,ax
% Q4 m$ d5 J0 Y jnz SoftICE_Detected1 X5 g; J* [: f
/ n+ ?- Y- T, j4 ? H2 E: V___________________________________________________________________________" W2 Q. ^+ C9 s5 a7 ^# U4 d; I. Y
9 P- {& K# q( r7 {3 b$ t
Method 046 n+ r' `% B i" ~# e
=========
$ E1 z) y2 c9 P" C9 f
. J! `2 e. {0 q2 m' XMethod identical to the preceding one except that it seeks the ID of SoftICE& p/ t( p2 t; h" U9 s
GFX VxD.. q2 T/ I8 W: s. @" `$ e" r
7 Q/ {3 `; m# J c0 w xor di,di
& y; Y1 E# C+ s, T mov es,di
% o( I- H, n$ X mov ax, 1684h . g9 n+ T, _/ V
mov bx, 7a5Fh ; VxD ID of SIWVID
8 {# Z& E* g9 Z3 Q' A int 2fh) V) {* Z- ^4 g2 |% ]- ]; D6 t% K
mov ax, es ; ES:DI -> VxD API entry point
3 k) Q4 D$ a2 j; w$ X" \6 W add ax, di
8 e7 m. ]8 `, [ test ax,ax0 r0 \5 `4 e' ~6 ~% X6 n
jnz SoftICE_Detected5 ~* Q X+ U9 s# Z8 a
7 j, Q; f2 C: e( w" \$ x L5 S__________________________________________________________________________
9 }; m+ ~' Y$ ?2 W+ Q" k! r, s, e% ?
0 W1 p0 { Q% w7 i+ u8 B/ {! ?! X3 f5 W! t1 C
Method 05
: `6 Q$ [! t& o: L=========4 D3 ?- q# w, X& U* V' q
. z5 n* a$ L- u M$ Y; c
Method seeking the 'magic number' 0F386h returned (in ax) by all system
9 ~* O2 t4 ?" @debugger. It calls the int 41h, function 4Fh.
2 i; c$ k& z# K7 a& ~) }: _There are several alternatives. 8 m: j' U, a! R. \
2 K3 X# q0 b1 u% D
The following one is the simplest:6 r, ^1 F0 o- p* N& B9 f
7 p+ O3 O. f% }& J7 [1 Z' A3 t mov ax,4fh
7 Y. I1 X" F! S! M/ m, x int 41h& G. j$ }' {/ }( F2 O3 H
cmp ax, 0F386
4 _, @* V- c$ u3 U) T jz SoftICE_detected5 D* W2 @4 r. x5 X9 Q
2 j' q0 a( P" E
9 q& c/ D! A( C0 C, J" p# INext method as well as the following one are 2 examples from Stone's
0 h8 g" v8 h2 B' t- Y, E/ w: u"stn-wid.zip" (www.cracking.net):
9 P+ a' _% [- U$ T: |* h& v7 } i9 _& @6 |3 z( [! `
mov bx, cs, K; z0 W- r$ t# A% e
lea dx, int41handler2, `/ u1 [" b9 a. T) y- ?. d; p
xchg dx, es:[41h*4]3 H# o% M. k. x% q2 G- y
xchg bx, es:[41h*4+2]# S; C9 C) v5 y
mov ax,4fh
0 ]% b: W) U9 ~ int 41h
& g1 P( r9 p) O! N xchg dx, es:[41h*4]
' I; f/ Q6 c* A) c! a xchg bx, es:[41h*4+2]
# x% H3 |$ W( x cmp ax, 0f386h2 b, B. `- ^. m/ |1 X, ~
jz SoftICE_detected
0 L& ^/ Z3 e: y1 @( R5 @7 v/ X* g; F! S. W. T- x2 E2 M0 {& P
int41handler2 PROC
% Y) N0 p0 J: A3 }( P" F2 S6 w' z x iret2 t: V1 d+ m, ]
int41handler2 ENDP
1 ], t% K& p) \. P2 O0 Y
O! \% T( D8 U8 Q% b4 k$ _" I0 `
/ l- }$ z$ D I- B+ M_________________________________________________________________________
7 ~8 l1 L/ h# y( U' r, Z$ M. ~$ I7 l9 b/ W2 }% ~. s# ~
* | H/ X7 O- wMethod 06# Q& {% q$ t V: W# y
=========" V1 y2 y' R. A. H- d
1 [! a# q) J8 H: R" ^
7 n9 {/ g: j7 `9 o. q" b9 m2nd method similar to the preceding one but more difficult to detect: K1 [. X2 X" R
5 ^: u" v$ b7 G* p4 {; f3 T
: {: ?. h6 }1 W* S
int41handler PROC0 N+ [3 z5 ]) q$ ]; x- }
mov cl,al) L9 \+ a/ ]6 @: o, X+ g
iret, W, w% Z" o; g6 `- k
int41handler ENDP
( ^7 s9 k# o/ L( G7 i- A4 U7 E% _; G1 ^1 S. \4 ~, E9 [: ^; v9 d
( ~: t* R& n1 \. |. E xor ax,ax
( q* [9 _" t- p1 H, c mov es,ax
6 F' Q, v8 q Q+ M* U5 u. r) `9 x: _ mov bx, cs3 `# M8 C# ^/ U7 n( |3 A
lea dx, int41handler6 ~' n6 u) E) p7 u7 x; X3 z
xchg dx, es:[41h*4]
* j4 f5 n4 n6 s: T Z+ W) P xchg bx, es:[41h*4+2]
' _ ^+ w* g |: @0 V in al, 40h
6 u. Z9 Z5 ]/ ~1 X1 o xor cx,cx6 l; B# E- k) D2 j) i
int 41h
, c8 e8 Z- X$ S xchg dx, es:[41h*4]
' g! O2 h4 {8 l8 z xchg bx, es:[41h*4+2]
0 v7 X$ m8 T V( m cmp cl,al: p+ s0 _5 l3 p: ]5 S/ Z* a
jnz SoftICE_detected% f2 L3 H) i: _3 ] o. E( T$ |
7 p( {2 L+ M8 Z* O2 n* ^4 F
_________________________________________________________________________ G3 d+ R7 @4 H* T
. b4 g6 n; A8 H3 F5 c) `6 PMethod 07
0 E K3 f) [; U5 U" j5 r=========
% o8 N: z4 \' U3 m+ Q, T4 W# X. j3 K- q; w
Method of detection of the WinICE handler in the int68h (V86)1 z+ w$ D0 S; V6 { F# b$ O
! I4 I# R4 V2 f( p/ y% ] mov ah,43h2 i! N: X* z' z& o a
int 68h% S: z1 S) |7 o
cmp ax,0F386h
6 a% s- G1 k4 G0 w) a jz SoftICE_Detected- H( T1 h0 Z1 W/ X1 }" }
0 K! @* F- ?8 O7 S: V
# T" K6 s$ y5 b n: V5 F. P
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit2 S& G& Y. P6 k
app like this:: I1 }. W+ r5 a! h7 {: u
* r2 W8 |( B i+ a5 ]
BPX exec_int if ax==68- G8 P7 }: J5 w
(function called is located at byte ptr [ebp+1Dh] and client eip is
6 P y' |, Q# m$ w5 E located at [ebp+48h] for 32Bit apps)
# {" y3 i3 X9 V- b3 g: d; i: l__________________________________________________________________________! D; I1 ]0 a& ?3 Z
! g/ _' T! ` g# W( K! Y2 N
. B/ s, o* { R3 ~3 pMethod 08
- O3 y* G* E t=========
3 R& R' x4 `0 L6 m3 S8 i4 i7 s3 _) A V# `$ {
It is not a method of detection of SoftICE but a possibility to crash the0 T V8 S& Q5 M# m" T
system by intercepting int 01h and int 03h and redirecting them to another
( U7 |$ @8 L" t; F, {0 T+ Oroutine.3 g# X/ X4 S8 |. I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: p- s m- D" s' C- o0 [ N
to the new routine to execute (hangs computer...), j/ U z! X% b2 q. N. \2 G; B
3 c& I# }' {* s3 z0 f- R
mov ah, 25h
, t h8 x0 P4 @0 u' W" x mov al, Int_Number (01h or 03h)" C% t9 A H* |
mov dx, offset New_Int_Routine
. W+ M' w% ?$ J int 21h
5 ~6 f' ~: A4 b C& Y, _( `7 F
E* [# A; B: c' T/ h- b& ~__________________________________________________________________________
; G9 n t( M1 T \( G- p' V" }' C+ n3 B! c
Method 09& G; Y* Y& t7 w8 {7 s
=========
4 X! w! z7 z- R5 Z W3 n, ]9 Y, G$ X" y" g0 |
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only; s2 V9 ]% H1 H x% [% }
performed in ring0 (VxD or a ring3 app using the VxdCall).
& x/ a8 w7 L' k4 B7 L2 e" `The Get_DDB service is used to determine whether or not a VxD is installed
E9 L1 W- j1 ]for the specified device and returns a Device Description Block (in ecx) for0 [( a; e/ h0 Z- d( @
that device if it is installed.
( Y9 M, l Y3 ]- n3 L& b/ e3 t, b" G5 A/ |
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 q' N5 F9 Z+ |& v" b% @ mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)+ k+ k' v; f0 G) Q( Q) Q; d
VMMCall Get_DDB
* F+ U1 X6 o9 V: A# l! W mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed; E# d# D! T/ d
1 |$ b' r1 v7 N4 }3 R# q8 y2 f. \Note as well that you can easily detect this method with SoftICE:
" Q% {5 S% |0 F& D/ A; q! f bpx Get_DDB if ax==0202 || ax==7a5fh: y; {6 }- R" `4 J
4 O/ R" i/ \9 P2 W# l V: N__________________________________________________________________________; }- [- I- Y" u, O8 o0 [- D
+ u1 ^7 \, p V( x4 }9 p# {Method 10) o% U. x0 \4 D
=========# t5 {$ w+ O# U: i
# d' N* ~. C, Q7 t=>Disable or clear breakpoints before using this feature. DO NOT trace with0 }6 B/ G; r6 Y: b
SoftICE while the option is enable!!4 o) q! o8 h. p# _6 y9 ~; z* z
3 O2 V6 @) g9 ~5 d" r+ r) w
This trick is very efficient:
7 c5 V/ s; m M: K! K" hby checking the Debug Registers, you can detect if SoftICE is loaded
$ C8 \$ _0 |, g9 A* o6 `7 n: }: z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. @8 @% u: B9 L( a/ j$ b8 i
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 }' w* _0 ]+ A9 P6 u/ k9 ?value (in ring0 only). Values can be manipulated and or changed as well1 q7 A, C! |" `, | ?: d( Y
(clearing BPMs for instance)
: @& Z6 D+ H3 ?! q, S: I6 V. s
__________________________________________________________________________7 ~6 g2 ^# R) f4 G3 `7 [& P
q& M0 {$ y% d) s2 d+ cMethod 11, L/ v! x0 I8 a
=========
- `0 _; r. l& C) q: h
j0 v# P% c* K* ^& F4 MThis method is most known as 'MeltICE' because it has been freely distributed- o' Z ?) b8 L2 \) T3 x3 `
via www.winfiles.com. However it was first used by NuMega people to allow' _! a; r( q, G2 X6 T- V. n* X0 y
Symbol Loader to check if SoftICE was active or not (the code is located
4 F) [6 _6 O* S$ j- S0 t4 Qinside nmtrans.dll).- p0 @* x) w$ a+ p
3 T7 A q- g' g3 z* OThe way it works is very simple:: k) p; Z: k9 r! A0 _
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
\# u* g q: @WinNT) with the CreateFileA API.
; l: }+ l; E7 {4 }: x' @" R
2 b) e) @0 t4 c8 _Here is a sample (checking for 'SICE'):
~ l( v/ S* A' S8 ^
a1 ~* e& M9 [/ qBOOL IsSoftIce95Loaded()% i3 l9 V& O. Z n: [2 J
{
, X, B0 p" `7 f" g; K HANDLE hFile; % A) w$ |' L8 @7 z. B
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 ]* B, i$ M. a
FILE_SHARE_READ | FILE_SHARE_WRITE,
5 a3 Y6 i) x5 t- W9 j# ^. K% I% M; _; @ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 }2 {. C7 k# K4 I; f" a D. C. q/ [
if( hFile != INVALID_HANDLE_VALUE )
( O7 Q$ _, w9 Y1 Z$ k9 P n! L {0 i! V# q* K! q8 w4 F$ j5 ^6 ]+ K b
CloseHandle(hFile);' L* o9 L1 o0 r1 v. I; M
return TRUE;* B4 N/ j; i. A
}
- a7 R. M0 ^, {4 D return FALSE;: s- i; T; |6 `/ p
}7 k5 b" K! h4 w/ \, ?; b7 t
! I% F3 R" h. u( r; L% @8 oAlthough this trick calls the CreateFileA function, don't even expect to be
# y: M3 a, Z( Rable to intercept it by installing a IFS hook: it will not work, no way!( Q" U: z) Q; n! A# B4 ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
' F" e+ `, D% @8 Z' Yservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 z( L; H2 O; W- C& ^
and then browse the DDB list until it find the VxD and its DDB_Control_Proc2 s8 O3 d8 _ Q- \2 G9 \ ?
field. u( k- n$ k6 j6 W
In fact, its purpose is not to load/unload VxDs but only to send a
- ~) h T3 t5 \6 s9 lW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). \. _% o, b! a
to the VxD Control_Dispatch proc (how the hell a shareware soft could try3 o9 V5 ^ Y) u, L& u3 f
to load/unload a non-dynamically loadable driver such as SoftICE ;-).4 \$ |* u; l' T/ _7 n% P
If the VxD is loaded, it will always clear eax and the Carry flag to allow
# Y' T, S: b# ] E& ~$ h6 Tits handle to be opened and then, will be detected.
3 I% M7 B. W2 i1 YYou can check that simply by hooking Winice.exe control proc entry point
, l6 N" o c/ Pwhile running MeltICE.
3 [, s3 Y1 W! ^* \# x4 \0 _6 O! o0 j* t5 \! x
+ r; z2 j& C w- k2 T% F: G7 E 00401067: push 00402025 ; \\.\SICE
- e1 E. B- v9 e* F0 K 0040106C: call CreateFileA0 U4 \3 }, T% |0 D. k, F4 m" x& D
00401071: cmp eax,-001; k* S- V- r7 A7 g1 B
00401074: je 00401091
& n3 f7 w, r- c
. r/ T1 y4 y5 H$ j$ W. w. ^$ o, F& n! |* e& e/ m) J0 N( K! s6 W
There could be hundreds of BPX you could use to detect this trick.
: E- D/ w( y( w2 z5 b- \" D; t-The most classical one is:9 d9 P3 N8 v/ x) T9 B2 u
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
! D7 a, E7 i- C* T u *(esp->4+4)=='NTIC'& M( J4 i6 V, S" t: p% P
0 l4 ?" N) j+ k/ V0 e
-The most exotic ones (could be very slooooow :-(
/ k. x8 o* k& Z BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ' u& D4 x) j: K h/ q# D
;will break 3 times :-(( t: }3 J. F: m: B
. z6 j/ z' f3 w- b8 u8 n- W
-or (a bit) faster: u6 ^4 p2 V. u8 f9 \$ s
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. Q. S5 N4 A! I! |8 F# P& z) Z; l, M8 x& K
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
4 R2 w; I6 p! \$ l7 ^! z ;will break 3 times :-(
9 W" I& r' I# j1 F% A1 L# @! T, _( l, f5 ?- u$ p
-Much faster:
4 o: x8 L" J+ c& z+ } BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'8 {$ D) T# b9 J/ B/ l
% C7 S6 W- E. _
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen; a, n, W c9 P
function to do the same job:
& R' R7 j) S" D
" _3 W5 i& n3 ?. Q! _' O push 00 ; OF_READ/ O4 d% q3 r" c/ @$ K
mov eax,[00656634] ; '\\.\SICE',0/ k% q" {/ w; P, f/ z: P j
push eax+ n8 m. j0 w" b) S8 v& r9 \
call KERNEL32!_lopen
5 f2 t" O" F7 n2 P- M inc eax4 w# K5 ~$ F$ `8 S9 V6 Q+ A; L C; b
jnz 00650589 ; detected0 S7 O4 q; O6 Z
push 00 ; OF_READ+ }3 ^ a! ~, ~3 y2 {1 H
mov eax,[00656638] ; '\\.\SICE'# Y7 q! ?& N% V% L
push eax
( `; ?4 c$ k6 H$ r* v: x call KERNEL32!_lopen
6 G! I/ y( ~7 i4 ?2 N( U inc eax8 j' k* x. Z: |) R
jz 006505ae ; not detected. u7 i0 v& c7 F v& Y, ?
& x3 q4 }# @) p w( N
" |2 P9 C3 L; ?+ K Z2 c" R__________________________________________________________________________
: r2 b9 M0 a$ c. S" v# q; x) R7 f. k9 m3 h" v k
Method 12; j+ m. O5 ~4 D
=========+ K/ I6 w8 R+ e# m
X [% \1 L& |/ mThis trick is similar to int41h/4fh Debugger installation check (code 05
: P& c s& [ Y& b% \" I3 M& 06) but very limited because it's only available for Win95/98 (not NT)
" B$ ?) h$ V! ]0 `0 Gas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
& \2 g4 e. L0 q0 s: J4 E2 c- ^8 _# v, p( J- }0 \
push 0000004fh ; function 4fh `6 R0 U; Z( g- C
push 002a002ah ; high word specifies which VxD (VWIN32)" l0 i! t, H) }; ^
; low word specifies which service
& {+ {& y+ S. B/ x; Y (VWIN32_Int41Dispatch): f* P! V) |* P$ V6 B$ }# q5 l
call Kernel32!ORD_001 ; VxdCall
9 ~7 S5 A- b6 m$ u0 M cmp ax, 0f386h ; magic number returned by system debuggers8 I& g' y, D$ G( U
jz SoftICE_detected3 K7 w2 w8 M `3 ]- a, b
( C: n; d/ s, C* _0 g' p
Here again, several ways to detect it:' _3 z5 d) }( L$ a5 o! _% s
/ I) F# x) b0 Y" \
BPINT 41 if ax==4f( V" \* {5 Z' h2 ^
- \) K5 `: e9 L1 h- Y# L
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
# p( R4 T- ?' g
3 W* G- ~3 e8 C% d) T3 H BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A' ?& B! v( u a% g
6 q6 j- }- p7 s- s7 f6 i2 u
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
: s& v+ k3 z- C' w, p4 t+ w4 b( c8 s4 V& _% d; P8 \0 ~
__________________________________________________________________________
' K1 I9 x7 E0 u W! _1 T3 {( d5 I8 G+ V0 ?+ V4 s z
Method 13
8 v1 ^$ v( t! N=========! M2 N9 b ` b) V6 ?) x
/ B" q9 K" d$ y
Not a real method of detection, but a good way to know if SoftICE is
7 c: q' n+ X% Yinstalled on a computer and to locate its installation directory.
. y9 C6 z6 N/ t- fIt is used by few softs which access the following registry keys (usually #2) :6 c+ E* f0 p3 v/ B8 O
9 q4 k6 n( }/ o6 f4 N; S1 V
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 p6 s" p0 |3 P2 Y: N\Uninstall\SoftICE2 O, j0 X/ G8 r% \
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
$ n( f* A( C) Z" _3 v" O-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ y$ W3 W( c+ r/ Q, Y2 B\App Paths\Loader32.Exe
% s% z5 o& y5 V* I9 w; G Z, j+ |' E- E9 S* n
2 r% }* K. q2 w
Note that some nasty apps could then erase all files from SoftICE directory
' o5 \1 {& o9 V# t3 H0 V5 _(I faced that once :-(
) \! K: m* m m% W5 L# [3 R+ `
Useful breakpoint to detect it:
) C/ W2 A. Q. Q3 ~. c' z2 y$ p6 f7 h! a7 A8 @
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 W% h( q+ [- n1 P% h) {6 g
: x# K6 r& M( M5 c: n P__________________________________________________________________________
) H5 ?9 `8 e1 P' t, R( Y- H! N3 W# G2 | y! _* F
3 P7 |3 P& K; o {+ m. U5 R
Method 14
, ^, t! A% B. V; d/ \=========
8 ]/ b+ o; e/ z% M U' O4 S% ?
) ?" U G* K; V3 O0 t! u. QA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% M( {; X( F5 l( d+ u6 H0 e: k2 _( Uis to determines whether a debugger is running on your system (ring0 only).7 T6 `+ b2 z+ v1 p# U
/ c' D ]" T \+ q: `
VMMCall Test_Debug_Installed, w" h# s7 \% A; p
je not_installed# ^7 p* Q! n9 z2 `
4 w D, X) a" y7 Z0 q4 u6 h( ]
This service just checks a flag.
9 B5 q+ p4 {2 j( j0 F3 _% O4 z2 n7 Z</PRE></TD></TR></TBODY></TABLE> |