<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes the BoundsChecker interface of SoftICE: int 3 is called with
ebp='BCHK' and ax=4; when SoftICE is loaded it answers by changing al,
so al is no longer 4 on return.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands' (int 3 with magic values in SI and DI),
which give information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is taken through the program's own int 3 exception
handler (SEH) when the debugger is not loaded: without SoftICE, int 3 is
just an ordinary breakpoint exception.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is cleared before the call; if the VxD
is present, the call returns a non-zero ES:DI.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Under plain DOS, vector 41h normally holds the address of the fixed disk
parameter table rather than code, so calling it when no debugger has
hooked it can crash the program; the variants below avoid this by
installing a temporary handler around the call.

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]   ; ...saving the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: it
neither passes function 4Fh nor compares against 0F386h, so a BPINT 41
conditioned on those values will not fire. The program installs its own
int 41h handler which copies al into cl; if SoftICE has hooked int 41h,
that handler never runs, cl stays 0 and differs from al.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read timer channel 0: a more or less random byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

Note that the check misses when the byte read from port 40h happens to be
0, since cl is then equal to al whether or not the handler ran.

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).
Bit 10 of DR7 is reserved and always reads as 1, so 0x400 is the idle value;
0x700 additionally has the LE (bit 8) and GE (bit 9) exact-breakpoint enable
bits set. An armed BPM shows up as one of the L0-L3/G0-G3 enable bits
(bits 0-7) with its type and length in the RW/LEN fields (bits 16-31).
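As an added illustration (not code from the page), the decoder below takes a DR7 value, which itself can only be read in ring0 or pulled from a crash dump, and breaks it into the pieces Method 10 relies on: the L/G enable bits for dr0-dr3, the RW/LEN fields that say what kind of BPM is armed, and the LE/GE bits that distinguish 0x700 from 0x400. The bit positions are the documented IA-32 DR7 layout; the sample values are the two quoted in the text plus one constructed value with a 4-byte read/write breakpoint in dr0. Function and structure names are this example's own.

```c
#include <stdio.h>
#include <stdint.h>

struct hw_breakpoint {
    int enabled;   /* L<n> or G<n> set: slot dr<n> is armed                 */
    int local;     /* bit 2n   : L<n>, task-local enable                    */
    int global;    /* bit 2n+1 : G<n>, global enable                        */
    int kind;      /* RW<n> (bits 16+4n..17+4n): 0 exec, 1 write, 2 I/O, 3 r/w */
    int length;    /* LEN<n> (bits 18+4n..19+4n) decoded to 1, 2, 8 or 4 bytes */
};

struct dr7_info {
    struct hw_breakpoint bp[4];
    int le, ge;        /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;            /* bit 13: general detect, traps any MOV to/from DRn  */
    int reserved_ok;   /* bit 10 always reads as 1 on real hardware          */
};

/* Split a raw DR7 value into its documented fields. */
struct dr7_info dr7_decode(uint32_t dr7)
{
    static const int len_table[4] = { 1, 2, 8, 4 };   /* LEN encoding */
    struct dr7_info info;
    for (int n = 0; n < 4; n++) {
        info.bp[n].local   = (dr7 >> (2 * n))     & 1;
        info.bp[n].global  = (dr7 >> (2 * n + 1)) & 1;
        info.bp[n].enabled = info.bp[n].local | info.bp[n].global;
        info.bp[n].kind    = (dr7 >> (16 + 4 * n)) & 3;
        info.bp[n].length  = len_table[(dr7 >> (18 + 4 * n)) & 3];
    }
    info.le          = (dr7 >> 8)  & 1;
    info.ge          = (dr7 >> 9)  & 1;
    info.reserved_ok = (dr7 >> 10) & 1;
    info.gd          = (dr7 >> 13) & 1;
    return info;
}

/* Number of dr0..dr3 slots that are armed: a SoftICE BPM occupies one. */
int dr7_active_breakpoints(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += info.bp[n].enabled;
    return count;
}

/* The text's heuristic: 0x400 is the idle value, 0x700 has LE and GE set. */
int dr7_has_exact_enable_bits(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    return info.le && info.ge;
}

int main(void)
{
    /* Constructed samples: the two values quoted in the text, plus one with
       a 4-byte read/write BPM in dr0 (L0=1, RW0=11b, LEN0=11b). */
    static const uint32_t samples[] = { 0x400, 0x700, 0x4F0001 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info info = dr7_decode(samples[i]);
        printf("dr7=%08x LE=%d GE=%d GD=%d armed=%d",
               (unsigned)samples[i], info.le, info.ge, info.gd,
               dr7_active_breakpoints(samples[i]));
        for (int n = 0; n < 4; n++)
            if (info.bp[n].enabled)
                printf(" dr%d(%s,kind=%d,len=%d)", n,
                       info.bp[n].global ? "G" : "L",
                       info.bp[n].kind, info.bp[n].length);
        printf("\n");
    }
    return 0;
}
```

The decoder deliberately reports the reserved bit 10 as well: a DR7 value with that bit clear did not come from real hardware, which is worth knowing when the value arrives from an emulator or a hand-edited dump.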

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* "\\.\SICE" is the device name the SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

 (esp->4 is the first argument, lpFileName; the +4 skips the "\\.\" prefix,
 so the dword compared holds the first four characters of the device name.)

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

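The following is an added example; it is not code from the page, from MeltICE or from NuMega's nmtrans.dll. It is a C probe that loops over the three device names listed above, tries CreateFileA first and the _lopen fallback used by AZPR second, and reports which driver answered. It also carries the same four-character comparison that the BPX CreateFileA condition above performs on lpFileName+4, so that part can be exercised on any host; the actual device open only exists under _WIN32, and on any other system the probe simply reports nothing found. Function and structure names (si_match_device_name, si_probe_device, si_probe_all) are this example's own.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

struct si_device {
    const char *path;       /* name handed to CreateFileA / _lopen       */
    const char *platform;   /* which SoftICE build exposes it            */
};

/* The three device names listed in the text. */
static const struct si_device SI_DEVICES[] = {
    { "\\\\.\\SICE",   "SoftICE for Windows 9x"                },
    { "\\\\.\\SIWVID", "SoftICE for Windows 9x (video driver)" },
    { "\\\\.\\NTICE",  "SoftICE for Windows NT"                },
};
#define SI_DEVICE_COUNT (sizeof SI_DEVICES / sizeof SI_DEVICES[0])

/*
 * Same test as the BPX CreateFileA condition: lpFileName must start with
 * "\\.\" and the four bytes after that prefix (lpFileName+4) must read
 * SICE, SIWV or NTIC.  Returns the index into SI_DEVICES or -1.  Like the
 * breakpoint it only looks at four characters, so "\\.\SICEXYZ" matches too.
 */
int si_match_device_name(const char *path)
{
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8)
        return -1;
    for (size_t i = 0; i < SI_DEVICE_COUNT; i++)
        if (memcmp(path + 4, SI_DEVICES[i].path + 4, 4) == 0)
            return (int)i;
    return -1;
}

/*
 * Try to open one device the MeltICE way (CreateFileA) and, failing that,
 * the AZPR way (_lopen, which returns HFILE_ERROR == -1 on failure).
 * Returns 1 if either call produced a handle.  Only Windows has these
 * devices; elsewhere the probe reports 0 without touching anything.
 */
int si_probe_device(const char *path)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h != INVALID_HANDLE_VALUE) {
        CloseHandle(h);
        return 1;
    }
    HFILE f = _lopen(path, OF_READ);
    if (f != HFILE_ERROR) {
        _lclose(f);
        return 1;
    }
    return 0;
#else
    (void)path;
    return 0;
#endif
}

/* Bit i of the result is set when SI_DEVICES[i] could be opened. */
unsigned si_probe_all(void)
{
    unsigned found = 0;
    for (size_t i = 0; i < SI_DEVICE_COUNT; i++)
        if (si_probe_device(SI_DEVICES[i].path))
            found |= 1u << i;
    return found;
}

int main(void)
{
    unsigned found = si_probe_all();
    for (size_t i = 0; i < SI_DEVICE_COUNT; i++)
        printf("%-12s %-40s %s\n", SI_DEVICES[i].path, SI_DEVICES[i].platform,
               (found >> i) & 1 ? "opened: SoftICE detected" : "not present");
    return found != 0;   /* non-zero exit when a debugger device answered */
}
```

Because the check mirrors the breakpoint rather than comparing whole names, a device such as "\\.\SICEXYZ" is reported as SICE; that is the same false positive the BPX condition accepts in exchange for a single dword compare.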

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the second argument, lpSubKey; offset 0x13 is where "tICE" sits
in "Software\NuMega\SoftICE" and 0x37 where it sits in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". Key #3
contains no "tICE" and is not caught by this condition.)

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>