<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the majority
of the packers/encryptors found on the Internet. It looks for the
BoundsChecker interface built into SoftICE: the program raises INT 3 with
EBP='BCHK' and AX=4, and SoftICE answers by changing AL. If AL is still 4
afterwards, SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands on INT 3, which give information on breakpoints
or execute SoftICE commands... It is also used to crash SoftICE and to force
it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at DS:DX)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP         ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler (SEH)
  when the debugger is not loaded: without SoftICE the INT 3 falls through to
  that handler, which skips the whole loop.

___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI receives its API
entry point, otherwise ES:DI is left at 0:0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system-level debuggers. It calls int 41h, function 4Fh (the debugger
installation check). There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily installs its own
int 41h handler (a bare IRET) so that the call is harmless when nothing
answers it (AX stays 4Fh); a debugger that hooks the interrupt underneath
still answers with 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]   ; swap in our handler (segment)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but harder to spot because it
never compares against the 0F386h magic value. A temporary int 41h handler
copies AL into CL; AL holds a byte read from the timer (port 40h), so it is
unlikely to be 0, and CX is cleared before the call. If the call reaches the
program's handler untouched, CL equals AL afterwards; if SoftICE intercepts
int 41h, the registers no longer match and the difference reveals it.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random byte from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h is
the debugger installation check and returns AX=0F386h when a system debugger
is present.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a detection method, but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed from ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only),
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).
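The two DR7 values quoted above (0x400 versus 0x700) can be read off bit by bit. The following C program is an added example, not code from the original page: it decodes a DR7 value into its enable, exact-match and per-register R/W and LEN fields and flags any value that differs from the reset value 0x400 (bit 10 is reserved and always reads as 1, so 0x700 is simply reset + LE + GE). It takes the register value as a parameter because MOV from DR7 is only allowed in ring 0, as the text says; the value 0x000D0401 is constructed for illustration and is not taken from any real program.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DR7_RESET 0x400u   /* bit 10 is reserved and always reads as 1 */

typedef struct {
    bool local_enable[4];   /* L0..L3 : bits 0,2,4,6 */
    bool global_enable[4];  /* G0..G3 : bits 1,3,5,7 */
    bool le, ge;            /* bits 8,9: local/global exact breakpoint enable */
    bool gd;                /* bit 13 : general detect, faults on any DRx access */
    uint8_t rw[4];          /* R/W0..3: bits 16-17, 20-21, 24-25, 28-29 */
    uint8_t len[4];         /* LEN0..3: bits 18-19, 22-23, 26-27, 30-31 */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d;
    for (int i = 0; i < 4; i++) {
        d.local_enable[i]  = (dr7 >> (2 * i)) & 1;
        d.global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* How many of DR0..DR3 are armed (either the L or the G bit set). */
int dr7_armed_count(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (d.local_enable[i] || d.global_enable[i]);
    return n;
}

/* The test the text describes: anything beyond the reset value means a
 * debugger has written DR7 (0x700 = reset + LE + GE). */
bool dr7_touched(uint32_t dr7)
{
    return (dr7 & ~DR7_RESET) != 0;
}

/* R/W field of breakpoint i: 0 = execute, 1 = write, 2 = I/O, 3 = read/write. */
int dr7_rw(uint32_t dr7, int i)
{
    dr7_t d = dr7_decode(dr7);
    return d.rw[i];
}

/* LEN field of breakpoint i in bytes: 00 = 1, 01 = 2, 11 = 4, 10 = 8 (64-bit only). */
int dr7_len_bytes(uint32_t dr7, int i)
{
    dr7_t d = dr7_decode(dr7);
    switch (d.len[i]) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_names[] = {"exec", "write", "io", "read/write"};
    dr7_t d = dr7_decode(dr7);
    printf("DR7=0x%08x LE=%d GE=%d GD=%d touched=%d armed=%d\n", dr7,
           d.le, d.ge, d.gd, dr7_touched(dr7), dr7_armed_count(dr7));
    for (int i = 0; i < 4; i++)
        if (d.local_enable[i] || d.global_enable[i])
            printf("  DR%d: %s%s %s len=%d\n", i, d.local_enable[i] ? "L" : "",
                   d.global_enable[i] ? "G" : "", rw_names[d.rw[i]], dr7_len_bytes(dr7, i));
}

int main(void)
{
    dr7_print(DR7_RESET);    /* 0x400: nothing armed, untouched */
    dr7_print(0x700);        /* value the text attributes to the SoftICE loader */
    dr7_print(0x000D0401u);  /* constructed: DR0 armed locally as a 4-byte write breakpoint */
    return 0;
}
```

Note that the DR0 to DR3 addresses themselves live in the other debug registers; DR7 only tells you which of them are armed and how, which is exactly what a BPM leaves behind.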

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves, to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. If the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE of the Win9x SoftICE VxD */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the handle opened: the VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
00401074: je 00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
   dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> open failed
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
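The breakpoints above catch a check when it fires; the same idioms also leave recognisable bytes in the file, which is useful when you want to find the check before running the program. The following C program is an added example, not code from the original page or from any of the programs it mentions: it scans a raw buffer for the opcode sequences and device-name strings of methods 01 to 05, 07, 11 and 12 as they are encoded in 16-bit or 32-bit code (operand-size prefixes are deliberately left out of the patterns so both encodings match) and reports which method each hit belongs to. The sample buffer is constructed for the test, not taken from any real program, and every match is only a heuristic, since the same bytes can occur by chance (for instance `3D 86 F3` is also the start of a `cmp eax,imm32` in 32-bit code).

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *method;          /* section of the page the idiom comes from */
    const char *what;
    const unsigned char *pat;
    size_t len;
} sig_t;

/* Immediates are little-endian: 'BCHK' = 4243484Bh is stored as 4B 48 43 42. */
static const unsigned char s_bchk[]    = {0xBD, 0x4B, 0x48, 0x43, 0x42};             /* mov ebp,4243484Bh */
static const unsigned char s_si_fg[]   = {0xBE, 0x47, 0x46};                         /* mov si,4647h */
static const unsigned char s_di_jm[]   = {0xBF, 0x4D, 0x4A};                         /* mov di,4A4Dh */
static const unsigned char s_2f_sice[] = {0xBB, 0x02, 0x02, 0xCD, 0x2F};             /* mov bx,0202h ; int 2Fh */
static const unsigned char s_2f_siwv[] = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};             /* mov bx,7A5Fh ; int 2Fh */
static const unsigned char s_int41[]   = {0xB8, 0x4F, 0x00, 0xCD, 0x41};             /* mov ax,4Fh ; int 41h */
static const unsigned char s_int68[]   = {0xB4, 0x43, 0xCD, 0x68};                   /* mov ah,43h ; int 68h */
static const unsigned char s_f386[]    = {0x3D, 0x86, 0xF3};                         /* cmp ax,0F386h */
static const unsigned char s_vxdcall[] = {0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00}; /* push 4Fh ; push 2A002Ah */

#define SIG(m, w, p) { m, w, p, sizeof(p) }
#define STR(m, w, s) { m, w, (const unsigned char *)(s), sizeof(s) - 1 }

static const sig_t sigs[] = {
    SIG("01", "BoundsChecker 'BCHK' int 3 interface",     s_bchk),
    SIG("02", "back door magic SI=4647h ('FG')",          s_si_fg),
    SIG("02", "back door magic DI=4A4Dh ('JM')",          s_di_jm),
    SIG("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",   s_2f_sice),
    SIG("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)", s_2f_siwv),
    SIG("05", "int 41h function 4Fh",                     s_int41),
    SIG("05/07/12", "compare with magic 0F386h",          s_f386),
    SIG("07", "int 68h function 43h",                     s_int68),
    STR("11", "device name \\\\.\\SICE",                  "\\\\.\\SICE"),
    STR("11", "device name \\\\.\\SIWVID",                "\\\\.\\SIWVID"),
    STR("11", "device name \\\\.\\NTICE",                 "\\\\.\\NTICE"),
    SIG("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh", s_vxdcall),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Plain byte search (memmem is not in C99); returns the offset or -1. */
long find_bytes(const unsigned char *hay, size_t hlen,
                const unsigned char *pat, size_t plen)
{
    if (plen == 0 || hlen < plen) return -1;
    for (size_t i = 0; i + plen <= hlen; i++)
        if (memcmp(hay + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Fills hits[] with indexes into sigs[] that occur in buf; returns the count. */
size_t scan_for_softice_checks(const unsigned char *buf, size_t len,
                               size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS && n < max; s++)
        if (find_bytes(buf, len, sigs[s].pat, sigs[s].len) >= 0)
            hits[n++] = s;
    return n;
}

/* 1 if any signature attributed to the given method label is present. */
int buffer_has_method(const unsigned char *buf, size_t len, const char *method)
{
    for (size_t s = 0; s < NSIGS; s++)
        if (strcmp(sigs[s].method, method) == 0 &&
            find_bytes(buf, len, sigs[s].pat, sigs[s].len) >= 0)
            return 1;
    return 0;
}

/* Constructed 16-bit (real-mode) sample: a method 01 check, a method 05
 * check and a MeltICE device name, padded with unrelated bytes. */
static const unsigned char sample[] = {
    0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, /* mov ebp,4243484Bh (66h prefix in 16-bit code) */
    0xB8, 0x04, 0x00, 0xCC,             /* mov ax,4 ; int 3 */
    0x3C, 0x04, 0x75, 0x10,             /* cmp al,4 ; jnz detected */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,       /* mov ax,4Fh ; int 41h */
    0x3D, 0x86, 0xF3, 0x74, 0x05,       /* cmp ax,0F386h ; jz detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    0xC3
};

int main(void)
{
    size_t hits[NSIGS];
    size_t n = scan_for_softice_checks(sample, sizeof sample, hits, NSIGS);
    for (size_t i = 0; i < n; i++)
        printf("method %s: %s\n", sigs[hits[i]].method, sigs[hits[i]].what);
    return 0;
}
```

To use it on a real file, read the whole file into a buffer and pass it to scan_for_softice_checks; the offset returned by find_bytes is where to set the breakpoint or start disassembling. Methods 06, 08 to 10, 13 and 14 have no fixed byte pattern (a handler swap, a DOS call, ring-0 services, registry names) and are better caught with the breakpoints the page gives for them.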

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

   (esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" sits in
   "Software\NuMega\SoftICE" and 0x37 where it sits in
   "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>