<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognizes:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
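Methods 05 and 06 above both rest on the same fact: a system debugger services int 41h itself. The C model below is an added example (not code from the original text and not SoftICE's own behaviour) that simulates a real-mode interrupt vector table and the two checks side by side. The model assumes that a loaded debugger answers function 4Fh with 0F386h and never passes the call down to the program's own vector; the names (struct cpu, raise_int41, method05_detects, method06_detects) and the timer byte are all constructed here. It shows why Method 06 has no magic constant to break on, and also its blind spot: when the byte read from port 40h happens to be zero, cl and al agree even with the debugger present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEBUGGER_MAGIC    0xF386u  /* answer in AX from a system debugger for fn 4Fh */
#define INT41_FN_DEBUGGER 0x4Fu

struct cpu;
typedef void (*isr_t)(struct cpu *);

struct cpu {
    uint16_t ax, cx;
    isr_t    ivt[256];        /* real-mode interrupt vector table, one entry per int */
    int      softice_loaded;  /* model assumption: SoftICE services int 41h before the IVT */
};

/* Default DOS int 41h handler: nothing behind it, plain IRET. */
static void isr_default(struct cpu *c) { (void)c; }

/* Handler installed by Method 06: mov cl,al / iret. */
static void isr_method06(struct cpu *c) {
    c->cx = (uint16_t)((c->cx & 0xFF00u) | (c->ax & 0x00FFu));
}

/* Model of "int 41h": a loaded system debugger answers function 4Fh with the
 * magic number and does not pass the call down to the program's IVT entry. */
static void raise_int41(struct cpu *c) {
    if (c->softice_loaded) {
        if (c->ax == INT41_FN_DEBUGGER) c->ax = DEBUGGER_MAGIC;
        return;
    }
    c->ivt[0x41](c);
}

static void cpu_init(struct cpu *c, int softice_loaded) {
    memset(c, 0, sizeof *c);
    for (int i = 0; i < 256; i++) c->ivt[i] = isr_default;
    c->softice_loaded = softice_loaded;
}

/* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz SoftICE_detected. */
int method05_detects(int softice_loaded) {
    struct cpu c;
    cpu_init(&c, softice_loaded);
    c.ax = INT41_FN_DEBUGGER;
    raise_int41(&c);
    return c.ax == DEBUGGER_MAGIC;
}

/* Method 06: swap in the program's own handler, AL = timer byte, CX = 0,
 * int 41h, swap the vector back, cmp cl,al / jnz SoftICE_detected.
 * timer_byte is constructed input standing in for "in al,40h". */
int method06_detects(int softice_loaded, uint8_t timer_byte) {
    struct cpu c;
    cpu_init(&c, softice_loaded);
    isr_t saved = c.ivt[0x41];          /* xchg dx,es:[41h*4] / xchg bx,es:[41h*4+2] */
    c.ivt[0x41] = isr_method06;
    c.ax = timer_byte;                  /* in al,40h (AH is not used by the check) */
    c.cx = 0;                           /* xor cx,cx */
    raise_int41(&c);
    c.ivt[0x41] = saved;                /* second xchg pair restores the vector */
    return (c.cx & 0xFFu) != (c.ax & 0xFFu);   /* handler never ran -> cl != al */
}

int main(void) {
    printf("method 05: loaded=%d clean=%d\n", method05_detects(1), method05_detects(0));
    printf("method 06: loaded=%d clean=%d timer0=%d\n",
           method06_detects(1, 0x37), method06_detects(0, 0x37), method06_detects(1, 0));
    return 0;
}
```

The last value printed (timer0) is the false negative: Method 06 only "sees" the debugger when the program's handler would have copied a non-zero AL into CL, so a protection relying on it alone misses roughly one run in 256.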
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
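Methods 01 to 05 and 07 all carry fixed immediates (the 'BCHK' constant, the 4647h/4A4Dh magic pair, VxD IDs 0202h and 7A5Fh, function 4Fh and the 0F386h comparison) next to an INT opcode, which is exactly what a static scanner can key on. The C scanner below is an added example, not code from the original text or from any packer; the opcode bytes are the standard x86 encodings of the instructions listed above (written without the 66h operand-size prefix, so the same bytes match 16-bit and 32-bit code), the 24-byte window and the names SIGS, sig_matches and scan_antidebug are my own choices, and SAMPLE is a hand-assembled buffer constructed for the test (the Haspinst loop body from Method 02 followed by the simple Method 05 check). Method 06 is deliberately absent: it compares against a timer byte and has no constant to match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 24   /* chosen span (bytes) within which all parts of a signature must sit */

struct part { uint8_t bytes[5]; uint8_t len; };
struct sig  { const char *name; struct part parts[3]; };

/* Immediates and INT opcodes from the methods above, without the 66h
 * operand-size prefix, so the same bytes match 16-bit and 32-bit code. */
static const struct sig SIGS[] = {
    { "Method 01: int 3 with EBP='BCHK', AX=4",
      { { {0xBD,0x4B,0x48,0x43,0x42}, 5 }, { {0xB8,0x04,0x00}, 3 }, { {0xCC}, 1 } } },
    { "Method 02: int 3 back door, SI=4647h DI=4A4Dh",
      { { {0xBE,0x47,0x46}, 3 }, { {0xBF,0x4D,0x4A}, 3 }, { {0xCC}, 1 } } },
    { "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
      { { {0xB8,0x84,0x16}, 3 }, { {0xBB,0x02,0x02}, 3 }, { {0xCD,0x2F}, 2 } } },
    { "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
      { { {0xB8,0x84,0x16}, 3 }, { {0xBB,0x5F,0x7A}, 3 }, { {0xCD,0x2F}, 2 } } },
    { "Method 05: int 41h fn 4Fh, cmp ax,0F386h",
      { { {0xB8,0x4F,0x00}, 3 }, { {0xCD,0x41}, 2 }, { {0x3D,0x86,0xF3}, 3 } } },
    { "Method 07: int 68h fn 43h, cmp ax,0F386h",
      { { {0xB4,0x43}, 2 }, { {0xCD,0x68}, 2 }, { {0x3D,0x86,0xF3}, 3 } } },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* True if the byte pattern p occurs anywhere in buf[0..n). */
static bool window_has(const uint8_t *buf, size_t n, const struct part *p) {
    for (size_t i = 0; p->len && i + p->len <= n; i++)
        if (memcmp(buf + i, p->bytes, p->len) == 0) return true;
    return false;
}

/* True if all three parts occur inside one WINDOW-byte span of buf;
 * *where receives the start of the first such span. */
bool sig_matches(const uint8_t *buf, size_t len, const struct sig *s, size_t *where) {
    for (size_t i = 0; i < len; i++) {
        size_t n = (len - i < WINDOW) ? len - i : WINDOW;
        bool all = true;
        for (int k = 0; k < 3 && all; k++) all = window_has(buf + i, n, &s->parts[k]);
        if (all) { if (where) *where = i; return true; }
    }
    return false;
}

/* Scans buf against every signature, prints hits, returns a bitmask (bit k = SIGS[k]). */
unsigned scan_antidebug(const uint8_t *buf, size_t len) {
    unsigned mask = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        size_t at;
        if (sig_matches(buf, len, &SIGS[k], &at)) {
            mask |= 1u << k;
            printf("+%04zx  %s\n", at, SIGS[k].name);
        }
    }
    return mask;
}

/* Constructed sample: the Haspinst loop body from Method 02 followed by the
 * simple Method 05 check, assembled by hand as 16-bit code. */
static const uint8_t SAMPLE[] = {
    0xB8,0x11,0x09,        /* mov ax,0911h   */
    0x8B,0x17,             /* mov dx,[bx]    */
    0xBE,0x47,0x46,        /* mov si,4647h   */
    0xBF,0x4D,0x4A,        /* mov di,4A4Dh   */
    0xCC,                  /* int 3          */
    0x83,0xC3,0x02,        /* add bx,2       */
    0x41,                  /* inc cx         */
    0x83,0xF9,0x06,        /* cmp cx,6       */
    0x72,0xEB,             /* jb 0095        */
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,   /* unrelated code between the two checks */
    0xB8,0x4F,0x00,        /* mov ax,4Fh     */
    0xCD,0x41,             /* int 41h        */
    0x3D,0x86,0xF3,        /* cmp ax,0F386h  */
    0x74,0x00,             /* jz SoftICE_detected (displacement left 0) */
};
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void) {
    unsigned m = scan_antidebug(SAMPLE, SAMPLE_LEN);
    printf("signature mask: 0x%02x\n", m);   /* 0x12: Method 02 and Method 05 */
    return 0;
}
```

The window tolerates a few interleaved instructions (the Haspinst code has mov dx,[bx] between the AX load and the magic values), but not constants that are computed at run time or loaded from data, which is how a packer that wants to hide from this kind of scan will write them; treat a hit as a pointer to a place worth reading, not as proof.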
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
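To see what the two DR7 values quoted above actually mean, here is an added example (not code from the original text) that decodes DR7 field by field using the documented x86 layout: L0/G0 to L3/G3 in bits 0-7, LE and GE in bits 8 and 9, the always-set reserved bit 10, GD in bit 13, and a 4-bit R/W+LEN group per slot from bit 16 upwards. The struct and function names (dr7_decode, dr7_classify, the slot accessors) are mine, and the third sample value is constructed to show one armed slot; nothing here reads a real debug register, which the text correctly notes is a ring 0 operation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hw_bp {
    int local, global, enabled;   /* L/G enable bits for the slot */
    const char *kind;             /* R/W field: execute, write, io, read/write */
    int length;                   /* LEN field in bytes */
};

struct dr7_info {
    struct hw_bp bp[4];
    int le, ge;        /* bits 8/9: local/global exact breakpoint match */
    int gd;            /* bit 13: general detect (traps MOV to/from DRx)  */
    int any_enabled;
};

static const char *rw_name(unsigned rw) {
    switch (rw & 3u) {
    case 0:  return "execute";
    case 1:  return "write";
    case 2:  return "io";          /* only meaningful with CR4.DE set */
    default: return "read/write";
    }
}

static int len_bytes(unsigned len) {
    switch (len & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;             /* 10b: 8 bytes in 64-bit mode, undefined on 32-bit */
    }
}

/* Decodes DR7: L0..G3 in bits 0-7, LE/GE in 8/9, GD in 13, then one 4-bit
 * R/W+LEN group per slot starting at bit 16. */
void dr7_decode(uint32_t dr7, struct dr7_info *d) {
    memset(d, 0, sizeof *d);
    for (int i = 0; i < 4; i++) {
        d->bp[i].local   = (dr7 >> (2 * i)) & 1u;
        d->bp[i].global  = (dr7 >> (2 * i + 1)) & 1u;
        d->bp[i].enabled = d->bp[i].local | d->bp[i].global;
        d->bp[i].kind    = rw_name(dr7 >> (16 + 4 * i));
        d->bp[i].length  = len_bytes(dr7 >> (18 + 4 * i));
        d->any_enabled  |= d->bp[i].enabled;
    }
    d->le = (dr7 >> 8) & 1u;
    d->ge = (dr7 >> 9) & 1u;
    d->gd = (dr7 >> 13) & 1u;
}

/* The reading the text gives: 0x700 = LE and GE set with no slot armed
 * (program started through the SoftICE loader); 0x400 = only the
 * always-set reserved bit 10, i.e. nothing to see. */
const char *dr7_classify(uint32_t dr7) {
    struct dr7_info d;
    dr7_decode(dr7, &d);
    if (d.any_enabled) return "hardware breakpoint(s) armed";
    if (d.le && d.ge)  return "LE/GE set, no slot armed (loader-style)";
    return "clean";
}

int dr7_slot_enabled(uint32_t dr7, int slot) { struct dr7_info d; dr7_decode(dr7, &d); return d.bp[slot].enabled; }
int dr7_slot_length(uint32_t dr7, int slot)  { struct dr7_info d; dr7_decode(dr7, &d); return d.bp[slot].length; }
const char *dr7_slot_kind(uint32_t dr7, int slot) { struct dr7_info d; dr7_decode(dr7, &d); return d.bp[slot].kind; }

int main(void) {
    /* Constructed values: the two the text quotes plus one with DR0 armed as a
     * 4-byte write watchpoint (L0=1, R/W0=01, LEN0=11). */
    const uint32_t samples[] = { 0x700u, 0x400u, 0x000D0401u };
    for (size_t i = 0; i < 3; i++) {
        struct dr7_info d;
        dr7_decode(samples[i], &d);
        printf("dr7=%#010x: %s", (unsigned)samples[i], dr7_classify(samples[i]));
        for (int s = 0; s < 4; s++)
            if (d.bp[s].enabled) printf("  [dr%d %s len=%d]", s, d.bp[s].kind, d.bp[s].length);
        printf("\n");
    }
    return 0;
}
```

Note that a BPM set with SoftICE shows up as an armed slot (L or G bit plus a non-zero R/W field), which is why the warning at the top of this method matters: a protection that reads DR7 while you are tracing with a memory breakpoint active sees exactly that.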

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
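The CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint just above both work the same way: SoftICE reads a DWORD at a fixed offset into the string argument and compares it with a four-character constant. The C below is an added example (not code from the original text, not SoftICE, not MeltICE) that reproduces those reads byte for byte on constructed input, so you can see where +4, +0x13 and +0x37 come from: +4 skips the "\\.\" device prefix in front of SICE/SIWVID/NTICE, and the two registry offsets land on "tICE" in keys #2 and #1 respectively. The function names, the api_call struct and the TRACE list are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(p+off)=='ABCD': the four bytes at p+off in memory order.
 * The input is a NUL-terminated string; a read past its end is treated as
 * no match instead of reading garbage. */
static bool dword_at_is(const char *s, size_t off, const char tag[4]) {
    if (off + 4 > strlen(s)) return false;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName and
 * +4 skips the "\\.\" device prefix. _lopen takes the same first argument. */
bool createfile_opens_softice(const char *lpFileName) {
    return dword_at_is(lpFileName, 4, "SICE") ||
           dword_at_is(lpFileName, 4, "SIWV") ||
           dword_at_is(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE':
 * esp->8 is lpSubKey; 0x13 is where "tICE" sits in "Software\NuMega\SoftICE"
 * and 0x37 where it sits in "...\CurrentVersion\Uninstall\SoftICE". */
bool regopenkey_targets_softice(const char *lpSubKey) {
    return dword_at_is(lpSubKey, 0x13, "tICE") || dword_at_is(lpSubKey, 0x37, "tICE");
}

/* Constructed API trace: (api, first string argument) pairs. */
struct api_call { const char *api; const char *arg; };
static const struct api_call TRACE[] = {
    { "CreateFileA", "\\\\.\\SICE" },
    { "CreateFileA", "C:\\WINDOWS\\SYSTEM\\VMM32.VXD" },
    { "_lopen",      "\\\\.\\SIWVID" },
    { "RegOpenKeyA", "Software\\NuMega\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE" },
    { "RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Run" },
    { "CreateFileA", "\\\\.\\NTICE" },
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Counts the calls the two breakpoints above would stop on. */
int count_softice_probes(const struct api_call *calls, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        bool hit = false;
        if (!strcmp(calls[i].api, "CreateFileA") || !strcmp(calls[i].api, "_lopen"))
            hit = createfile_opens_softice(calls[i].arg);
        else if (!strcmp(calls[i].api, "RegOpenKeyA"))
            hit = regopenkey_targets_softice(calls[i].arg);
        if (hit) { hits++; printf("probe: %s(\"%s\")\n", calls[i].api, calls[i].arg); }
    }
    return hits;
}

int main(void) {
    printf("%d of %zu calls look like SoftICE probes\n",
           count_softice_probes(TRACE, TRACE_LEN), TRACE_LEN);   /* 5 of 7 */
    return 0;
}
```

The byte-exact comparison is also the weakness of these breakpoints: the registry and the device namespace are case-insensitive, so a program opening "software\numega\softice" or building the key with a different prefix passes both conditions untouched. When a target is not stopping on them, widen the condition or break on the API unconditionally and inspect the argument by hand.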
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>