<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...keeping the old vector in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value in al
    xor cx, cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless something else has hooked int 41h
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
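To make the two dr7 values quoted above readable, here is an added example
(not part of the original text) that decodes a DR7 reading with the Intel
bit layout and reports which of dr0-dr3 are armed, their access type and
length. The 0x700 and 0x400 values are the ones the text gives; the third
value in the usage run is a constructed read/write breakpoint on dr0.

```python
# DR7 decoder for the debug-register check in Method 10. Added example, not
# from the original text. Bit layout (Intel SDM): Ln = bit 2n, Gn = bit 2n+1,
# LE = bit 8, GE = bit 9, bit 10 reserved (reads as 1), GD = bit 13,
# R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n.

DR7_LE = 0x100            # local exact breakpoint enable
DR7_GE = 0x200            # global exact breakpoint enable
DR7_RESERVED_ONE = 0x400  # always set: this is the "0x400 otherwise" value
DR7_GD = 0x2000           # general detect: trap on any access to DR0-DR7

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the armed breakpoints."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"dr": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & DR7_LE), "GE": bool(dr7 & DR7_GE),
            "GD": bool(dr7 & DR7_GD), "breakpoints": armed}


def classify(dr7):
    """Map a DR7 reading onto the cases the text describes."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "memory breakpoint(s) armed in dr0-dr3"
    if info["LE"] and info["GE"]:
        return "exact-breakpoint flags set (the 0x700 value seen with the SoftICE loader)"
    return "no debugger marks (the 0x400 value: only the reserved bit)"


if __name__ == "__main__":
    # constructed third value: dr0 local, read/write, 4 bytes (a BPM-style hit)
    for value in (0x700, 0x400, DR7_RESERVED_ONE | 0x1 | (3 << 16) | (3 << 18)):
        print(hex(value), classify(value), decode_dr7(value)["breakpoints"])
```

The decoder treats LEN=10b as 8 bytes, which only exists in 64-bit mode; on
the 32-bit systems this text covers that encoding is undefined.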

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the VxD is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
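The constants quoted in Methods 01 to 05, 11, 12 and 13 are also what an
analyst can look for statically in a packer or protected program to spot
debugger checks before running it. The following scanner is an added example
(not part of the original text): it searches a byte blob for those opcode
sequences and strings and reports which method each hit corresponds to. The
x86 encodings are my assumption (16-bit encodings for the DOS-era listings,
a 32-bit push for Method 12), and SAMPLE is a constructed byte string, not a
real program.

```python
# Static scanner for the anti-SoftICE artefacts described on this page.
# Added example, not from the original text; encodings assumed as noted.

# (method number on this page, description, raw bytes)
OPCODE_SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)", b"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h (SoftICE back door magic value)",        b"\xBE\x47\x46"),
    ("02", "mov di,4A4Dh (SoftICE back door magic value)",        b"\xBF\x4D\x4A"),
    ("03", "mov ax,1684h / mov bx,0202h (SICE VxD ID)",           b"\xB8\x84\x16\xBB\x02\x02"),
    ("04", "mov ax,1684h / mov bx,7A5Fh (SIWVID VxD ID)",         b"\xB8\x84\x16\xBB\x5F\x7A"),
    ("05", "mov ax,4Fh / int 41h",                                b"\xB8\x4F\x00\xCD\x41"),
    # a 32-bit "cmp ax,imm16" carries a 66h prefix in front of these bytes
    ("05", "cmp ax,0F386h (system debugger magic number)",        b"\x3D\x86\xF3"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",   b"\x68\x2A\x00\x2A\x00"),
]

# Strings used by MeltICE-style device opens (Method 11) and the registry
# lookups (Method 13). Each is also searched in UTF-16LE for the W APIs.
STRING_SIGNATURES = [
    ("11", "device name", rb"\\.\SICE"),
    ("11", "device name", rb"\\.\SIWVID"),
    ("11", "device name", rb"\\.\NTICE"),
    ("13", "registry key", rb"Software\NuMega\SoftICE"),
    ("13", "registry key", rb"Uninstall\SoftICE"),
    ("13", "registry key", rb"App Paths\Loader32.Exe"),
]


def _occurrences(blob, needle):
    """Yield every offset at which needle occurs in blob (overlaps included)."""
    start = 0
    while True:
        i = blob.find(needle, start)
        if i == -1:
            return
        yield i
        start = i + 1


def build_signatures():
    """Expand the tables above into (method, description, needle) triples."""
    sigs = list(OPCODE_SIGNATURES)
    for method, kind, text in STRING_SIGNATURES:
        shown = text.decode("ascii")
        sigs.append((method, f"{kind} {shown}", text))
        sigs.append((method, f"{kind} {shown} (UTF-16LE)", shown.encode("utf-16-le")))
    return sigs


def scan(blob):
    """Return every signature hit in blob as dicts, sorted by offset."""
    hits = []
    for method, desc, needle in build_signatures():
        for off in _occurrences(blob, needle):
            hits.append({"offset": off, "method": method, "signature": desc})
    hits.sort(key=lambda h: (h["offset"], h["method"]))
    return hits


def methods_present(blob):
    """Sorted list of page method numbers whose artefacts appear in blob."""
    return sorted({h["method"] for h in scan(blob)})


# Constructed sample: filler, the Method 01 sequence (mov ebp,'BCHK';
# mov ax,4; int 3; cmp al,4), the Method 02 magic values before an int 3,
# a MeltICE device name and a Method 13 registry key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42" + b"\xB8\x04\x00" + b"\xCC" + b"\x3C\x04"
    + b"\x90" * 4
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A" + b"\xCC"
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit['offset']:#06x}  method {hit['method']}  {hit['signature']}")
    print("methods present:", methods_present(SAMPLE))
```

A hit on a lone "cmp ax,0F386h" or on a device-name string is only a lead;
the surrounding code still has to be read, since the same constants appear
in legitimate debugger front ends and in the SoftICE loader itself.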
</PRE></TD></TR></TBODY></TABLE>