<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV  AX,0911     ; execute command.
        4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV  SI,4647     ; 1st magic value.
        4C19:009D MOV  DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4 INC  CX
        4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB   0095        ; 6 different commands.
        4C19:00AA JMP  0002        ; Bad_Guy: jmp back.
        4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0:0 if the VxD is not present
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as the one in Method 06, comes from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]   ; (the old vector is saved in bx:dx)
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value read from the timer port
        xor cx, cx
        int 41h                 ; our handler copies al into cl, unless a debugger owns int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

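To make the dr7 values quoted above concrete, the following decoder is an added example (not part of the original text): it splits a DR7 value into the control bits and the four breakpoint slots a ring0 check reads. The bit layout is the standard IA-32 DR7 layout; the SoftICE-style output format and the sample values are constructed.

```python
# DR7 decoder for the debug-register check described above (added example;
# standard IA-32 DR7 layout, constructed sample values).
RW_NAMES = {0: "X", 1: "W", 2: "IO", 3: "RW"}               # break on execute / write / I-O / read-write
LEN_NAMES = {0: "BYTE", 1: "WORD", 2: "QWORD", 3: "DWORD"}  # LEN 10b = 8 bytes (64-bit only), 11b = 4 bytes


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control bits and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3: enabled for the current task
        glob = (dr7 >> (2 * i + 1)) & 1     # G0..G3: enabled globally
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/W0..3: which access type triggers
        ln = (dr7 >> (18 + 4 * i)) & 3      # LEN0..3: size of the watched range
        slots.append({"slot": i, "enabled": bool(local or glob),
                      "local": bool(local), "global": bool(glob),
                      "access": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "LE": bool(dr7 & 0x100),    # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),    # global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),   # general detect: #DB on any mov to/from DRx
        "slots": slots,
    }


def describe_bpm(dr7: int, dr_addr: list) -> list:
    """Render the enabled slots SoftICE-style, e.g. 'BPM 0040100C W DWORD' (constructed format)."""
    out = []
    for s in decode_dr7(dr7)["slots"]:
        if s["enabled"]:
            out.append(f"BPM {dr_addr[s['slot']]:08X} {s['access']} {s['length']}")
    return out


def softice_loader_signature(dr7: int) -> bool:
    """The text above: dr7 == 0x700 (bit 10 always set, plus LE and GE) when the
    program was started through the SoftICE loader, 0x400 when started normally."""
    return (dr7 & 0x300) == 0x300


if __name__ == "__main__":
    print(decode_dr7(0x700))
    # constructed: one write breakpoint on a 4-byte range at 0040100C in slot 0
    print(describe_bpm(0x000D0401, [0x0040100C, 0, 0, 0]))
```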
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD's device name only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; _lopen returns -1 on failure, so eax becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

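Most of the tricks in methods 01 to 13 leave fixed byte sequences or strings in the protected binary, so an analyst can flag them statically before ever running the program. The scanner below is an added example (not part of the original text): its signatures are hand-encoded from the snippets shown in those methods, and the sample buffer is constructed.

```python
import re
from typing import List, Tuple

# Byte-level signatures for the tricks in methods 01-13 (added example, not from
# the original text). Opcode forms are 16-bit (mov r16,imm16 = B8+r); an optional
# 0x66 prefix covers the same instruction inside 32-bit code. The .{0,8}? gaps
# allow for the few instructions the page shows in between.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3 interface": re.escape(b"\xBD\x4B\x48\x43\x42"),         # mov ebp,4243484Bh
    "M02 SoftICE back door magic SI/DI":        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",         # mov si,4647h .. mov di,4A4Dh
    "M03 int 2Fh/1684h, VxD ID 0202h (SICE)":   rb"\xBB\x02\x02.{0,8}?\xCD\x2F",             # mov bx,0202h .. int 2Fh
    "M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)": rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",             # mov bx,7A5Fh .. int 2Fh
    "M05 int 41h function 4Fh":                 rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",           # mov ax,4Fh ; int 41h
    "M07 int 68h function 43h":                 re.escape(b"\xB4\x43\xCD\x68"),              # mov ah,43h ; int 68h
    "M11 MeltICE device name":                  re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch":         re.escape(b"\x6A\x4F\x68\x2A\x00\x2A\x00"),  # push 4Fh ; push 2A002Ah
    "M13 SoftICE registry key":                 re.escape(b"Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit in blob, ordered by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, blob, re.DOTALL):   # DOTALL: gaps may contain 0x0A
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the page's snippets assembled by hand, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"          # M01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # M02: mov ax,911h ; mov dx,[bx] ; si/di ; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # M05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                                # M11: device name string
    + b"\x00Software\\NuMega\\SoftICE\x00"                  # M13: registry key string
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:04X}  {name}")
```

A hit is a lead, not a verdict: the same bytes can occur by coincidence in data, so confirm each offset in a disassembler.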
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>