<TABLE width=500>
7 k, |5 [# l3 i* M( ^: h<TBODY>
s/ h* l8 j3 c& h; X- q<TR>4 J: ~% @! y1 Z3 m+ k9 K/ h
<TD><PRE>Method 01 4 g" F% w Q" ]) ?2 L( v% i9 y
=========
9 n2 n/ f$ M& A! ~' X/ I6 V* m! X% r/ g' |
This method of detection of SoftICE (as well as the following one) is/ S$ w0 m/ S: l+ z6 q6 E' J
used by the majority of packers/encryptors found on Internet.
' x: r2 u D5 T3 g' d9 z0 OIt seeks the signature of BoundsChecker in SoftICE( ~) H4 R0 ^& J
" U5 r X7 t$ c! J mov ebp, 04243484Bh ; 'BCHK'
1 s% x0 E1 f" V2 X$ z- X2 j mov ax, 04h8 R7 z' g8 x! r; S5 @# Z& ^4 I N
int 3 $ Q8 @* m. \6 t
cmp al,4
! E% K* F; i( ]6 c* A9 h4 ^1 E jnz SoftICE_Detected
7 x9 W1 J% l; k% ]" e0 `( w5 O3 p2 W6 {* g2 |1 h3 z
___________________________________________________________________________+ _! g; x1 y# V% e( t$ T$ ^' o2 @
7 t( L' H- e% ]: U5 |
Method 02
% p. a' l+ Z, u4 r2 b=========6 e% \0 d9 z P F* {6 K
" J( {+ |7 Z9 p! n1 b- w% G! A
Still a method very much used (perhaps the most frequent one). It is used
( N& u# [7 D# R- I" }( f" l2 @, Vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
8 ]5 S [% J; u! x( N* por execute SoftICE commands...
! g2 ^5 U1 ?5 o8 _" sIt is also used to crash SoftICE and to force it to execute any commands* x1 B2 y: d* n' a# u9 ~4 W$ X
(HBOOT...) :-((
1 W4 v$ M! g6 C. |, O. r( i c( g1 {# H) y9 r$ |" `! ^
Here is a quick description:$ J/ u$ d4 ~; M4 T$ d
-AX = 0910h (Display string in SIce windows)
' x2 Q4 [- I4 V" h) T5 v-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
% U# N- R; v4 t! X-AX = 0912h (Get breakpoint infos)
; i7 H, B6 \, u6 r-AX = 0913h (Set Sice breakpoints)' D/ Q7 b- e. O: z, L) q- n
-AX = 0914h (Remove SIce breakoints)
X" S: F5 [* g
r: X+ Z* |3 |# pEach time you'll meet this trick, you'll see:
& _, Q8 b* ^3 M8 y# I-SI = 4647h0 A. p$ h o( c$ Q
-DI = 4A4Dh
4 A6 M. [* w/ J% x! K5 v1 NWhich are the 'magic values' used by SoftIce.
) z' `5 Z( l" F% A5 P1 ~For more informations, see "Ralf Brown Interrupt list" chapter int 03h.) H: ~4 h/ x1 c8 s4 m4 ~
" o: W1 l) u( A! a; M/ o+ f
Here is one example from the file "Haspinst.exe" which is the dongle HASP
5 o' _. d3 G5 V, B @Envelope utility use to protect DOS applications:4 e8 F h9 o/ O- L5 ^
& H# D/ ~$ C( M, V
8 V: W: T, u) s4C19:0095 MOV AX,0911 ; execute command.
* A- C a8 c- y3 B/ ^9 f2 _4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
6 ]# S. q! s3 X( H7 y) h+ e4C19:009A MOV SI,4647 ; 1st magic value.* E- d7 ~1 a2 d; v% G7 E' \) Z
4C19:009D MOV DI,4A4D ; 2nd magic value.
U3 m2 h! }/ \- o; H4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)3 B9 p+ B% Q" K
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute0 ]- n( u: w0 w3 o: T& K3 T
4C19:00A4 INC CX
- l, y" l, G7 p. z4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
" y3 L) G. W7 M8 ?- [( C! h7 R1 \4C19:00A8 JB 0095 ; 6 different commands.
! n" c- Y3 \6 m7 \" L" N1 _4C19:00AA JMP 0002 ; Bad_Guy jmp back.
3 P- H. L1 X% I% |. [" l4C19:00AD MOV BX,SP ; Good_Guy go ahead :)8 j' Z$ p. x7 G# {: \
; S, g: m8 q. Y; ?' q4 A( {& }% z. f) k
The program will execute 6 different SIce commands located at ds:dx, which9 A3 Q( a1 N# c" t
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 c; n; r4 Q4 K: l
5 y9 Y3 M2 ^6 \- G; L1 z
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; A* M2 |* i' U5 k# K5 d- a
___________________________________________________________________________
. @* o8 M8 T2 ?, J5 z4 H0 Z: J3 r- O# X5 [1 ?
- X0 W9 ]/ D5 AMethod 03* J7 K$ z+ P8 k- J! Y
=========
; V$ g( Y( E: [
! u, Z- ^3 K) @7 `8 d1 xLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ @8 y/ k" X9 ]( b
(API Get entry point)8 b6 _: V8 Z: x, B0 \4 Z j' P5 c( z
4 B k, i/ |( t8 v5 D
9 N( H9 w; w& N xor di,di: t6 _ l, ]5 Y2 `, k4 f
mov es,di
4 {7 k9 ?% Y& \, e" j8 d# [ mov ax, 1684h
3 O* |6 B1 _ U5 q- z8 z3 J& O mov bx, 0202h ; VxD ID of winice7 D$ s0 f: N( x7 ~4 Z# y; {
int 2Fh
4 o- W \1 H4 `6 Q4 H) x mov ax, es ; ES:DI -> VxD API entry point
3 I$ R- c; [, P/ F7 q add ax, di
1 A: @4 \* a2 }& K% X6 R! j test ax,ax( ?' w; ]$ J$ P( i
jnz SoftICE_Detected# n0 i W1 y( F3 R
6 m: L! ?$ O, T+ u: W, ?6 Q& j___________________________________________________________________________: `8 |* F4 B* M3 @5 y& z
- X4 b8 v/ v1 [6 E- h
Method 04
" Q, q+ c, E% t$ Q+ R. V=========
; L! ?+ I# B3 o- V: l& |& h
* R, P; r, f+ M \8 u0 X5 |Method identical to the preceding one except that it seeks the ID of SoftICE
7 B1 R! P j# c( o5 bGFX VxD.
G7 Y1 Z: Q9 N# h& _
6 Y+ C( U5 ]. @* g xor di,di
3 V- n. \& k2 `) Y mov es,di
& h1 t' u/ v- P$ R mov ax, 1684h
/ g4 C- I B t) y& Z$ Z5 ]9 r: ] mov bx, 7a5Fh ; VxD ID of SIWVID
1 R" H* o" ^6 ]1 L' X int 2fh; {$ j3 A& F6 _
mov ax, es ; ES:DI -> VxD API entry point
8 l; K2 E. A& c2 z8 Z& U add ax, di
$ a% q& F2 d" f/ s! \& Z) H test ax,ax6 o G" q) _6 Y
jnz SoftICE_Detected. {- l) @( `6 m1 O
. u m* b7 P/ Q: c__________________________________________________________________________
* T. [, R- n/ ]2 _2 P1 E/ p$ }9 n5 G2 {% j
1 m* G# b2 t6 U4 C$ N) r
Method 05/ S4 |$ f+ I ?5 |
=========
5 p* l6 e! n2 }& V# O, O+ M/ \: `1 n; G" @- J
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 d* b$ \* x& x, B) H6 e
debugger. It calls the int 41h, function 4Fh.
4 d* f/ p" x, w7 o; \7 o0 YThere are several alternatives.
( ^( I% B/ M4 M
3 p: E* w* P" Z+ r9 x6 h1 SThe following one is the simplest:1 m, H2 p. M4 B! R$ _
, q: M7 c8 a- | mov ax,4fh
) ]5 e t9 }; p. i3 E G U int 41h2 c% r8 g7 P e# B) d
cmp ax, 0F386
s6 @( x5 A+ {6 l4 W jz SoftICE_detected3 x0 K. L! H3 k* Y- [# v) G
8 J1 f# G8 |1 R) y2 w2 a8 V* @; s8 H* i4 H; N4 R
Next method as well as the following one are 2 examples from Stone's
+ v: p, Y s+ j; `. i"stn-wid.zip" (www.cracking.net):7 d {4 c; j2 v5 I5 ~* x; w
, _8 N) n3 x" z6 P9 G1 G ?6 A mov bx, cs
- R9 P3 [) P& _; c& A" g* Y lea dx, int41handler23 Z4 z @* d- a* v" k9 m* G
xchg dx, es:[41h*4]
4 i& v8 G t& ~- S: s+ R xchg bx, es:[41h*4+2]( m* k8 g. o6 C1 M# u' l
mov ax,4fh
! E! ^7 C" G' b4 Y- x# ]& O1 H) p int 41h
?( C5 h" [ }: q) Z xchg dx, es:[41h*4], D9 u7 y! p8 c: J
xchg bx, es:[41h*4+2]
; J& d) {/ X2 I: q6 s7 {6 Q( ` cmp ax, 0f386h0 r0 y" y R! q; G+ G
jz SoftICE_detected; T Z9 B' j$ z4 m
& i: r" b% x! L
int41handler2 PROC
* P( _$ e7 `0 s( y iret \5 W5 n, E( r1 m. v
int41handler2 ENDP. i i, z ^7 q
- V7 K, Z6 J0 X. B
7 i) [$ B' Q$ h: w
_________________________________________________________________________
# ?4 e5 @) m9 r. R" y h' v' r7 R
X$ p, I% p1 E+ A/ Q0 K$ Z, K2 B h# ]# a
Method 062 c$ R/ ?* }0 M$ E: L" @) ~, \& [
=========+ r# W9 X6 ?8 ?
& ?& L& J7 `5 P6 j* c
" f, s& l/ @, i3 b
2nd method similar to the preceding one but more difficult to detect:) e# }5 L9 ?; V
. `: J; m. [ Z! G1 D& ^ Q; K
" J! K# M8 \* J! g
int41handler PROC
6 q6 f7 ?1 y0 R, s* N1 }- v/ N mov cl,al( X: S: S* v4 m i' _
iret
( b) ~9 C4 [. y. c. i" {int41handler ENDP- i3 x! m$ `0 O% P
2 n; T. B: ^+ ?5 E' |2 N8 S0 n
' v$ \1 J; z2 h( F- T
xor ax,ax
" h% I$ Q0 T E2 m& B9 G mov es,ax7 s5 N8 M7 T# b& a8 `9 V
mov bx, cs! q" y5 n/ u# Z2 q
lea dx, int41handler5 m. ]9 H9 H% S2 n. C( d# i6 A4 [
xchg dx, es:[41h*4]$ z% ?% I* L4 E o3 ~& c
xchg bx, es:[41h*4+2]- u; b7 g2 \0 [( q6 ^$ m
in al, 40h
0 a( M9 V V7 J xor cx,cx* B- Z1 Z; i- S7 r6 v+ y
int 41h
$ i6 g3 f8 b* p" K3 ~% I* s9 O xchg dx, es:[41h*4]) P1 r8 M" N! o( Q0 l3 \
xchg bx, es:[41h*4+2]; g; }) M0 H, o. [ q; m+ V7 N
cmp cl,al" \& m/ U3 A. ^) \
jnz SoftICE_detected
5 a0 T+ O: N5 P+ j! @$ y5 t5 [
% P8 q, I3 l l/ j_________________________________________________________________________7 ^0 u$ ]( a4 N7 V* F
! {* d5 q0 z- A QMethod 07
# }+ y/ s# l' Y% H=========
; R: R# b; R2 W$ a& l
+ X3 e c ~7 n! Y& f: M: H4 }Method of detection of the WinICE handler in the int68h (V86)# c5 \: T) ?$ X8 v
9 Z7 C+ v" C! m: t mov ah,43h5 T& L4 S. ?; @0 ~; P
int 68h0 z: Z, |+ T" F3 j. A, u* C u$ t
cmp ax,0F386h* } X6 c/ J& [3 Q. T
jz SoftICE_Detected
% B$ r& n$ }5 {2 \) v% p' a" K( ~- v& u. u
+ S; {# V+ Q2 X3 Z" e) O" y=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: z A& O2 ~. h! Q6 ~
app like this:+ K3 z O$ k( Q% J6 w
2 b% l. o& N8 i
BPX exec_int if ax==68
* ~# X' j$ u9 T6 f (function called is located at byte ptr [ebp+1Dh] and client eip is# @+ O7 X* E6 E: I
located at [ebp+48h] for 32Bit apps)
) B* E0 w0 c' `__________________________________________________________________________. E/ X( W' z( O9 O4 Z! z
& u$ q& {" P& h6 k5 K% i; ~: L0 y
% }& j# `8 M3 @3 V# L' Q0 b, Z
Method 08
) C8 ^ C. G9 j* R, Q=========
% Y1 X* u( K0 r$ R
9 V( l" q" B! ^1 T2 X2 VIt is not a method of detection of SoftICE but a possibility to crash the
3 f9 Z& b; @1 s+ r" ^5 o9 B# ]; Fsystem by intercepting int 01h and int 03h and redirecting them to another" Y4 O0 e! R4 q9 s9 H) y! U. O
routine." F5 B( v- N. Y
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 o. m4 |6 i* @8 l# O
to the new routine to execute (hangs computer...)
1 f$ a+ v; A4 f( Y4 a: P4 G; I& p7 J# s2 {8 v7 U2 C
mov ah, 25h- r, y2 Q$ @! H# O
mov al, Int_Number (01h or 03h)
7 X# k! v, i( J! k% R! _2 a mov dx, offset New_Int_Routine" i7 D$ ]# p, y: r& T
int 21h$ U5 H. L5 s& E
) F" u4 L9 l, b( } W
__________________________________________________________________________: A% z9 j A+ i4 e
, M4 o: k2 C* ]( }Method 09. x! \, n6 Y* O, w( b ~' I% B& i! u
=========
' S- y/ ]# ~5 a9 U" N8 S* _
1 V& F: q2 J$ m9 q- eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* M. Y9 O8 `5 N' w2 D0 q+ wperformed in ring0 (VxD or a ring3 app using the VxdCall).
6 q: M1 T, q7 C# E$ }3 xThe Get_DDB service is used to determine whether or not a VxD is installed \) A5 y. h9 z" k& T
for the specified device and returns a Device Description Block (in ecx) for0 W! y+ s1 U; F! w% e$ a* Z
that device if it is installed.
' P- \+ V" X) u, u! T: z Z1 F4 a' x5 t. V" v5 x
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID* `6 p9 _1 f- l1 x5 B( T" J- w# q
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
" M9 c+ P, R' u VMMCall Get_DDB
4 |4 n% {, z4 [: R mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed0 f; \6 X# v9 o* i( t& L
" o5 w; z. h0 [2 I u# [$ I
Note as well that you can easily detect this method with SoftICE:: @7 c0 y! g4 W5 J, C
bpx Get_DDB if ax==0202 || ax==7a5fh$ t- w3 p5 V5 ~1 \- b. p, ?
! c1 K, S8 A# i
__________________________________________________________________________
' T, w# U9 F8 O$ T+ d: Z O! g' a3 Z# V& ~2 s
Method 10
: L5 Y2 [; j8 _+ B=========
# X& T8 y% w9 k. u! L5 V. T+ B% I; C; S0 h5 Z" G; n! N
=>Disable or clear breakpoints before using this feature. DO NOT trace with5 b' N0 ^/ x2 E- N' y7 C/ V
SoftICE while the option is enable!!4 Q p! ~' N+ x/ Z- X5 p* R
' e6 z. D& O6 d! ?- O9 kThis trick is very efficient:7 k2 B; D2 q& {6 A0 `3 W# o7 X# B
by checking the Debug Registers, you can detect if SoftICE is loaded
4 r; O% ?( e* }' S3 B! A0 M# B(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% ]8 u& L5 j: D. [3 H7 w' A
there are some memory breakpoints set (dr0 to dr3) simply by reading their; w5 B* `% Q, _
value (in ring0 only). Values can be manipulated and or changed as well+ y: b9 j5 a* }* {* g
(clearing BPMs for instance)
$ ~- x- M: R+ Y7 G. l t+ Z# @& p4 ^ g
__________________________________________________________________________0 r; V7 U7 i/ A$ [+ B N
9 x" j) j! D! E* X. lMethod 11
6 ?0 @3 \9 X& }( w8 S=========! a' t9 ~. X' ]
9 K& I' O) I( n# y# W+ N$ Z3 `- |
This method is most known as 'MeltICE' because it has been freely distributed0 ]: n. b7 l: q4 Y
via www.winfiles.com. However it was first used by NuMega people to allow! o/ `$ R7 ]+ Q8 X
Symbol Loader to check if SoftICE was active or not (the code is located
! i# |6 d) m3 h$ E1 q% [inside nmtrans.dll).
, w( M: D9 A8 c' P7 T
9 u A5 X$ m# V: O' \& [; LThe way it works is very simple:
5 X$ O$ \! I, |It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. D3 [/ Q, ?8 j$ n* d! \7 i
WinNT) with the CreateFileA API.! W0 f9 `3 L: T5 o+ d% g5 e2 Q
. k+ A# \, \2 X. w/ ?' |, XHere is a sample (checking for 'SICE'):0 M- |2 O$ N8 F5 v
: }9 J# U" F' m- G7 X: r& I( p
BOOL IsSoftIce95Loaded()
" g) N, X& F" N1 ]" c, k$ H: j{
% ]$ j2 m5 X* H" I; U$ J, c& O! x HANDLE hFile;
* J, {$ c( m' j9 J4 b2 Q7 T hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,% n9 g$ a, d8 v" w6 S+ O
FILE_SHARE_READ | FILE_SHARE_WRITE,( G+ B# C/ ~# v2 E
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 J# s. T7 P: L4 ~& T6 i$ Y
if( hFile != INVALID_HANDLE_VALUE )
4 Z8 Z" U" h3 M5 X1 h& e {) l: Y# n3 s- T/ N& W
CloseHandle(hFile);
( b' b# k" {+ f4 r3 }! P" K return TRUE;: [" z5 V& k, I
}8 Q, }4 R! P: ^# h
return FALSE;
' _8 Q: k- N0 Q, K: S) \# y}" L A# s% J- W: ]
1 j3 I/ J% n5 P# _7 WAlthough this trick calls the CreateFileA function, don't even expect to be8 u0 L. ~' L# X3 J5 O) G* T; a
able to intercept it by installing a IFS hook: it will not work, no way!
9 A- ]6 b- ?7 e) N; [( X. oIn fact, after the call to CreateFileA it will get through VWIN32 0x001F( V6 O+ v# u+ D
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* y1 f) ?( J: m3 C% e, T/ N
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! t8 H+ P! p {# ?& Y) X
field.$ D! p2 D' s- k: o3 M% `
In fact, its purpose is not to load/unload VxDs but only to send a . F3 T1 T1 [/ ^( ]8 x
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
1 m0 i7 x$ N' r5 Z k6 a- }7 B# I9 Dto the VxD Control_Dispatch proc (how the hell a shareware soft could try
K4 @* I" r% ]5 E+ s' [7 g. E- s4 n% Tto load/unload a non-dynamically loadable driver such as SoftICE ;-).2 C9 W' A. _! |+ S) o
If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 A- F3 b( x1 m9 Y( `its handle to be opened and then, will be detected.' a% `7 i: D" S& e9 ~
You can check that simply by hooking Winice.exe control proc entry point, a, X$ W* r# }% K. w
while running MeltICE.
/ p% G2 F1 f. l1 x
6 n: R; G5 T# r$ W! G5 l1 v0 d/ O# {! j# T8 _
00401067: push 00402025 ; \\.\SICE
$ [) P( u% c) j7 p) @ V+ E! h" P 0040106C: call CreateFileA
, V& p7 {$ m( z0 U1 e 00401071: cmp eax,-001
5 i9 u; T1 W7 d+ \, I 00401074: je 00401091
4 ]: j- F" ^) _6 M8 H
0 c+ ] d' i: ~* `& t
$ Q" ]! y6 ]! K! yThere could be hundreds of BPX you could use to detect this trick.
+ t8 e& ^, p N! e7 G-The most classical one is:9 O. F6 X; c2 c+ ]" n5 R/ F
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
8 ~. M; F" {0 @$ R: V$ s( j3 k# m *(esp->4+4)=='NTIC'5 p" j$ ]9 [- H4 C
W' f3 b, ? h+ y) ~. |7 g Z-The most exotic ones (could be very slooooow :-(; W- [) Z K5 M/ _9 x2 Q* U
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') + z: t* q$ c6 o# b, ] h7 e$ D
;will break 3 times :-(5 E6 D" q# @: @ b" E# ^
D& a/ G1 x" a& i- B3 V
-or (a bit) faster: , B/ K( M f; N9 i' R% C
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): C W% J* J6 ~/ S' M7 [: F& v5 T
7 i' K& s$ ]8 I( Y BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 7 i: M: p: m" f' |0 b! Y
;will break 3 times :-(
4 ^; }$ M4 e, r& V3 B1 y5 b/ e2 k0 h# \+ L
-Much faster:. A" H8 h) e7 c: u
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV' i$ C1 v: A! `6 X5 P; w1 J; n( @0 e
1 Z; o+ G8 w- r/ R
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen7 Z2 g; ~1 P( [
function to do the same job: {8 Y# J/ ]/ g% ]4 o7 g3 n' d+ j# Z
$ o% D# _( { u7 e push 00 ; OF_READ
! n* Y5 P1 f+ k- @ mov eax,[00656634] ; '\\.\SICE',0( ~( Q2 C+ H3 v) l7 m
push eax
4 I1 L. s9 @# n7 s call KERNEL32!_lopen# [- h5 ]) e+ S4 {( K5 U! O
inc eax
' f+ x) S$ c( N5 H' U9 D jnz 00650589 ; detected: F( z3 y" Q, ~/ v
push 00 ; OF_READ
6 @& G9 _* P6 ^2 u% H8 F) L mov eax,[00656638] ; '\\.\SICE'
; f8 T; D- o: v `# e' n( ` push eax% y; s! O5 j* L
call KERNEL32!_lopen3 v% m7 k1 \1 X+ J6 J0 v; e# E
inc eax' r+ q4 Z7 H4 H/ d
jz 006505ae ; not detected- |# l% l6 G) Y, u# R/ G g1 b
+ _5 r4 L A+ e7 E; C! d- D
9 V4 y: T9 ~; i__________________________________________________________________________2 l% n) b9 F/ @4 A$ O8 \
' G8 }( V% z$ d8 J6 Y* g3 m
Method 12
' t, V1 y6 f4 F8 j( A, K=========% d5 H5 C9 ^/ y. }$ A2 I8 l* \" _/ J
+ a ]) _; a2 A' R4 U( k" D
This trick is similar to int41h/4fh Debugger installation check (code 05: \* q1 Y' D' D, {( _1 U
& 06) but very limited because it's only available for Win95/98 (not NT)6 F+ u4 f" O( f% d) I; @: `
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
4 Z/ f1 B- u: }6 ~, F8 u
6 B9 u. E3 V3 m push 0000004fh ; function 4fh& G3 o( F. X' Q2 k' C
push 002a002ah ; high word specifies which VxD (VWIN32)
/ a f5 T+ s% K5 A' ]0 o0 v3 R ; low word specifies which service* h1 B- Q* m# p
(VWIN32_Int41Dispatch); q+ n8 J7 ]3 _8 @/ j+ E
call Kernel32!ORD_001 ; VxdCall
. G1 V, I7 ^7 q2 T( `6 _% M cmp ax, 0f386h ; magic number returned by system debuggers
0 Z& t2 w0 c% `& S jz SoftICE_detected
+ U$ P) ~1 F5 H9 v6 L, D% p9 b( v% t$ b6 n P" o' o) d J
Here again, several ways to detect it:- M1 e/ L( J: i/ A+ w* Z
/ v$ P. H5 U, Q& G1 u+ A BPINT 41 if ax==4f
" f) c4 d( I6 o1 R1 g: O0 B- @* P% A' b9 G0 R/ O
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
. r& O3 h- k# H
0 s- P4 ?1 v3 g+ B' m BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
! I7 E% U3 e7 E6 a- b, @
. X/ k+ k! W- N; U' h8 z3 N4 m BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!. y. x& `3 L1 `6 Y: A
/ t/ ~' i \2 d4 L, X j( n
__________________________________________________________________________+ k0 B4 S* u0 w9 H9 P D/ q5 O
% x& O( U& O6 Z' V2 b9 E2 y. _Method 13; g, x, L- {* O6 e/ Z
=========
: `- N& ^ Q3 W( w. Q$ f7 L; G5 k! L
Not a real method of detection, but a good way to know if SoftICE is0 x. N3 V. b2 r# s( v" [
installed on a computer and to locate its installation directory.
[$ f& Z( @8 L) g* C2 fIt is used by few softs which access the following registry keys (usually #2) :6 A/ i2 m$ p2 {6 z& }
+ J( s* n& l. R6 m, L
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# @3 m2 O! s+ {0 x0 e0 M
\Uninstall\SoftICE+ _) M+ F" U. o+ C" M5 m- l6 S
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE: C" D, p+ C- A0 T: h0 ~) A8 \
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 k o3 P3 \" t
\App Paths\Loader32.Exe
% m' Y: x. J) S9 @: D4 i
! c6 Q- S- e' K# b5 h. u+ u3 K' S# w: z: a% _% P* ]- x1 Q$ n
Note that some nasty apps could then erase all files from SoftICE directory6 P1 G; B/ w& j% L- d( `. ^# E* p; k K
(I faced that once :-(
% o0 l# O' L* o4 z p- Y8 L: M$ @$ I
Useful breakpoint to detect it: }/ z. q2 ?, ~6 W6 H" {
; X( o, X0 w& z6 B
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'' b" n; F/ o: T# U2 a( o. G
4 @4 S1 q# y, v1 c' m5 i' w
__________________________________________________________________________/ ?. _8 v) d, {, K- L% X7 i, t$ x
! I+ ~* p/ d+ i0 p7 y; {* K2 c& x4 d$ p- U K& D
Method 14
% m! d7 s. N* j2 W; }/ y/ a. N=========
/ d4 a/ g9 v# G" a5 M0 X/ s* |
; e0 J4 q" [7 ~A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose& v8 ^/ l: o5 h5 v
is to determines whether a debugger is running on your system (ring0 only).
" z, X$ k2 T% i E+ r; X1 U, u: I% g5 @
VMMCall Test_Debug_Installed$ N" w- U5 \" Z3 T- g8 E* h% Z
je not_installed: z) Q( H/ m& I* E: A& ~2 b( o
1 L/ T" o) j1 k5 d
This service just checks a flag.$ ^1 {$ I' s2 U. i, o( S
</PRE></TD></TR></TBODY></TABLE> |