<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE: the program issues an
int 3 with EBP='BCHK' and AX=04h. SoftICE's int 3 handler recognises that
interface and changes AL; if AL is still 04h afterwards, nothing answered
the call and SoftICE is not loaded.

      mov ebp, 04243484Bh      ; 'BCHK'
      mov ax, 04h
      int 3
      cmp al,4
      jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the envelope utility of
the HASP dongle, used to protect DOS applications:

4C19:0095   MOV AX,0911      ; execute command.
4C19:0098   MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A   MOV SI,4647      ; 1st magic value.
4C19:009D   MOV DI,4A4D      ; 2nd magic value.
4C19:00A0   INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4   INC CX
4C19:00A5   CMP CX,06        ; Repeat 6 times to execute
4C19:00A8   JB 0095          ; 6 different commands.
4C19:00AA   JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD   MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded: without SoftICE the int 3 raises a breakpoint
exception instead of returning normally.

___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD entry point via int 2Fh/1684h
(Get Device API entry point) with the SICE device ID in BX. ES:DI comes back
as 0000:0000 when the VxD is not loaded, so a non-zero result means SoftICE.

      xor di,di
      mov es,di
      mov ax, 1684h
      mov bx, 0202h       ; VxD ID of winice
      int 2Fh
      mov ax, es          ; ES:DI -> VxD API entry point
      add ax, di
      test ax,ax
      jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

      xor di,di
      mov es,di
      mov ax, 1684h
      mov bx, 7a5Fh       ; VxD ID of SIWVID
      int 2fh
      mov ax, es          ; ES:DI -> VxD API entry point
      add ax, di
      test ax,ax
      jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

      mov ax,4fh
      int 41h
      cmp ax, 0F386h
      jz SoftICE_detected

The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is swapped
out for a dummy handler before the call, so only a debugger that intercepts
int 41h below the interrupt vector table (as SoftICE does) can still answer
with 0F386h:

      xor ax,ax
      mov es,ax                 ; ES=0 -> interrupt vector table
      mov bx, cs
      lea dx, int41handler2
      xchg dx, es:[41h*4]       ; install dummy handler, keep old vector
      xchg bx, es:[41h*4+2]
      mov ax,4fh
      int 41h
      xchg dx, es:[41h*4]       ; restore old vector
      xchg bx, es:[41h*4+2]
      cmp ax, 0f386h
      jz SoftICE_detected

int41handler2 PROC
      iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if CL and AL differ on return, the handler
never ran, i.e. something else (SoftICE) owns int 41h. The byte read from
port 40h (PIT counter) is an unpredictable value, so the comparison cannot
be satisfied by a constant (if it happens to read 0 the check is silently
missed):

int41handler PROC
      mov cl,al
      iret
int41handler ENDP

      xor ax,ax
      mov es,ax
      mov bx, cs
      lea dx, int41handler
      xchg dx, es:[41h*4]
      xchg bx, es:[41h*4+2]
      in al, 40h                ; PIT counter byte, changes all the time
      xor cx,cx
      int 41h
      xchg dx, es:[41h*4]
      xchg bx, es:[41h*4+2]
      cmp cl,al
      jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

      mov ah,43h
      int 68h
      cmp ax,0F386h
      jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

      BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

      mov ah, 25h
      mov al, Int_Number               ; 01h or 03h
      mov dx, offset New_Int_Routine   ; ds = segment of the new routine
      int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

      mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
      mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
      VMMCall Get_DDB
      mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
      bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only, since MOV from a debug register is privileged).
Values can be manipulated and/or changed as well (clearing BPMs for
instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the VxD answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:   push 00402025         ; \\.\SICE
0040106C:   call CreateFileA
00401071:   cmp eax,-001
00401074:   je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
      BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                         *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
      BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
      ;will break 3 times :-(

-or (a bit) faster:
      BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

      BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
      ;will break 3 times :-(

-Much faster:
      BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

      push 00                  ; OF_READ
      mov eax,[00656634]       ; '\\.\SICE',0
      push eax
      call KERNEL32!_lopen
      inc eax                  ; -1 (HFILE_ERROR) becomes 0
      jnz 00650589             ; detected
      push 00                  ; OF_READ
      mov eax,[00656638]       ; '\\.\SICE'
      push eax
      call KERNEL32!_lopen
      inc eax
      jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

      push 0000004fh           ; function 4fh
      push 002a002ah           ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
      call Kernel32!ORD_001    ; VxDCall
      cmp ax, 0f386h           ; magic number returned by system debuggers
      jz SoftICE_detected

Here again, several ways to detect it:

      BPINT 41 if ax==4f

      BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

      BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

      BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

      BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

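The tricks of methods 01 to 07, 11, 12 and 13 all leave fixed byte patterns in
a binary (the 'BCHK' constant, the 4647h/4A4Dh magic pair, int 41h/4Fh, the
0F386h compare, push 2A002Ah, the device and registry names). The scanner
below is an added example, not code from this page nor from any packer or
from NuMega: it finds those patterns statically in a raw code blob, so you can
flag anti-SoftICE checks in an unpacked file before tracing it. The opcode
encodings are the standard x86 ones for the snippets as written (assumption:
the code is not further obfuscated), the labels are mine, and the SAMPLE blob
is hand-assembled for the demo rather than taken from a real program.

```python
"""Static scanner for the anti-SoftICE idioms of methods 01-07, 11, 12 and 13.

Added example (not from the original page). Finds the byte patterns the
snippets above produce once assembled, plus the device/registry strings of
methods 11 and 13. SAMPLE is a constructed blob, not a real binary.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset method detail")

# (label, compiled bytes regex). 16-bit encodings for the DOS snippets,
# 32-bit for the Win32 ones; lazy '.{0,N}?' wildcards tolerate a few
# unrelated bytes between the register setup and the interrupt.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46)"
                rb".{0,6}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh ... int 41h
    ("05/06 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h WinICE handler", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 4Fh ; push 2A002Ah (VxDCall VWIN32_Int41Dispatch)
    ("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Reply check shared by 05/07/12: cmp ax,0F386h (a 66h prefix may precede it)
    ("05/07/12 compare with magic 0F386h", re.compile(rb"\x3D\x86\xF3")),
]

# Methods 11 and 13: device and registry names, checked as ANSI and UTF-16LE,
# case-insensitively (the Win32 object namespace and the registry ignore case).
STRINGS = [
    ("11 MeltICE device name", b"\\\\.\\SICE"),
    ("11 MeltICE device name", b"\\\\.\\SIWVID"),
    ("11 MeltICE device name", b"\\\\.\\NTICE"),
    ("13 registry probe", b"Software\\NuMega\\SoftICE"),
    ("13 registry probe", b"Uninstall\\SoftICE"),
    ("13 registry probe", b"App Paths\\Loader32.Exe"),
]


def scan(blob):
    """Return every Hit found in blob, ordered by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append(Hit(m.start(), label, m.group(0).hex()))
    for label, name in STRINGS:
        wide = name.decode("ascii").encode("utf-16-le")
        for needle in (name, wide):
            for m in re.finditer(re.escape(needle), blob, re.IGNORECASE):
                hits.append(Hit(m.start(), label, name.decode("ascii")))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a file on disk (e.g. an unpacked EXE)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the method 01, 02, 05 and 12 snippets hand-assembled,
# plus a MeltICE device name, padded with NOPs. Not taken from a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al,4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\xB8\x11\x09"                  # mov ax,0911h (16-bit code)
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 2A002Ah
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
    + b"\x90" * 4
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method}  [{h.detail}]")
```

Run it on an unpacked file with scan_file(path); a hit on the 0F386h compare
alone is weak evidence (the word can occur by chance), so weight it by whether
an int 41h, int 68h or VxDCall signature sits a few bytes before it.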
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

      VMMCall Test_Debug_Installed
      je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>