<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE emulates: with
EBP = 'BCHK' and AX = 4, an int 3 is answered by SoftICE, which modifies
AL. If AL is still 4 afterwards, nothing handled the call.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' int 3 interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; back door call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE the int 3 raises an exception
  that the program handles itself.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): ES:DI comes back non-zero only if a VxD with
that ID is loaded.


        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE display (GFX) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h that every system debugger
returns in AX from int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next one and Method 06 are two examples from Stone's "stn-wid.zip"
(www.cracking.net). The int 41h vector is first swapped for a dummy
handler (a plain iret) so that the call is harmless when nothing hooks
int 41h; SoftICE, which traps the interrupt itself rather than through
the vector table, still answers with 0F386h:

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install dummy handler, keep old offset in DX
        xchg bx, es:[41h*4+2]   ; ... and old segment in BX
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but harder to spot, because there
is no 4Fh/0F386h constant to look for: the hooked int 41h handler copies AL
to CL, and AL holds an unpredictable value read from the timer port (40h).
If the program's own handler ran, CL == AL afterwards; if a debugger took
the interrupt instead, CL stays at 0 and the compare fails (it only misses
when the timer byte happens to be 0):


int41handler PROC
        mov cl,al               ; only reached when no debugger eats the int
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable timer byte
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger
interface): function AH=43h returns AX=0F386h when a debugger is installed.

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a detection method but a way to crash the system by hooking
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h (get interrupt vector) and 25h (set interrupt
vector), with DS:DX pointing to the new routine to execute (hangs the
computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if so.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3). Reading them
is possible in ring 0 only (mov eax,dr7 from ring 3 faults). Their values
can be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; if the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening \\.\SICE only succeeds if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, execution goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                            *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the '\\.\' prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
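A static scanner for the idioms of methods 01 to 13, as an added example that
is not part of the original text nor of any tool it mentions. It encodes the
byte sequences the listings above assemble to (standard 16-bit encodings, with
an optional 66h operand-size prefix accepted so the same patterns also hit
32-bit code), plus the \\.\SICE / SIWVID / NTICE device names and the three
registry keys, and reports where they occur in a raw image. The sample image
is constructed by hand from those sequences and is not taken from any real
program; the method labels, the Hit type and scan() are the example's own
naming.

```python
"""Static scanner for the SoftICE-detection idioms described above.

Added example, not code from the original text.  SAMPLE is a constructed
image holding one instance of each idiom; opcode encodings are the standard
16-bit ones, with an optional 66h prefix so 32-bit code matches as well."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Hit:
    method: str   # section number in the text above
    offset: int   # byte offset in the scanned image
    detail: str


BACKDOOR = {0x10: "display string", 0x11: "execute command",
            0x12: "get breakpoint info", 0x13: "set breakpoint",
            0x14: "remove breakpoint"}
VXD_IDS = {b"\x02\x02": "0202h (SICE)", b"\x5f\x7a": "7A5Fh (SIWVID)"}
DEVICES = re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)\x00"
REG_KEYS = b"|".join(re.escape(k) for k in (
    b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
    b"App Paths\\Loader32.Exe"))


def _backdoor_detail(m):
    # Look for the mov ax,09xxh that selects the back-door function.
    f = re.search(rb"\xb8([\x10-\x14])\x09", m.group(0))
    if f is None:
        return "int 3 with SI=4647h/DI=4A4Dh (AX function not adjacent)"
    code = f.group(1)[0]
    return "int 3 backdoor AX=09%02Xh (%s)" % (code, BACKDOOR[code])


def _vxd_detail(m):
    return "int 2Fh/1684h entry point query, VxD ID " + VXD_IDS[m.group(1) or m.group(2)]


# (method, compiled byte regex, detail function).  re.S lets '.' match 0x0A.
SIGNATURES = [
    ("01", re.compile(rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.S),
     lambda m: "mov ebp,'BCHK' ; ... int 3 (BoundsChecker signature)"),
    ("02", re.compile(rb"(?:\x66?\xb8[\x10-\x14]\x09.{0,8}?)?"
                      rb"(?:\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a"
                      rb"|\x66?\xbf\x4d\x4a.{0,8}?\x66?\xbe\x47\x46)"
                      rb".{0,16}?\xcc", re.S), _backdoor_detail),
    ("03/04", re.compile(rb"(?:\x66?\xb8\x84\x16.{0,6}?\x66?\xbb(\x02\x02|\x5f\x7a)"
                         rb"|\x66?\xbb(\x02\x02|\x5f\x7a).{0,6}?\x66?\xb8\x84\x16)"
                         rb".{0,8}?\xcd\x2f", re.S), _vxd_detail),
    ("05", re.compile(rb"\x66?\xb8\x4f\x00.{0,4}?\xcd\x41(?:.{0,12}?\x66?\x3d\x86\xf3)?", re.S),
     lambda m: "int 41h/4Fh, magic 0F386h compare" if m.group(0).endswith(b"\x86\xf3")
     else "int 41h/4Fh"),
    ("06", re.compile(rb"\xe4\x40.{0,4}?\xcd\x41", re.S),
     lambda m: "in al,40h ; int 41h (timer byte through hooked vector)"),
    ("07", re.compile(rb"\xb4\x43.{0,4}?\xcd\x68.{0,8}?\x66?\x3d\x86\xf3", re.S),
     lambda m: "int 68h/43h, magic 0F386h compare"),
    ("12", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00(?:.{0,12}?\x66?\x3d\x86\xf3)?", re.S),
     lambda m: "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    ("11", re.compile(DEVICES),
     lambda m: "device name " + m.group(0)[:-1].decode("ascii")),
    ("13", re.compile(REG_KEYS, re.I),
     lambda m: "registry key " + m.group(0).decode("ascii")),
]


def scan(image: bytes) -> List[Hit]:
    """Return every signature hit in image, ordered by offset."""
    hits = [Hit(method, m.start(), detail(m))
            for method, pattern, detail in SIGNATURES
            for m in pattern.finditer(image)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample image: one instance of each idiom, NOP padded.
_PAD = b"\x90" * 4
SAMPLE = _PAD.join([
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10",            # method 01
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc\x83\xc3\x02",        # method 02 (HASP listing)
    b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f\x8c\xc0\x03\xc7",    # method 03
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05",                            # method 05
    b"\xe4\x40\x33\xc9\xcd\x41\x3a\xc8\x75\x05",                            # method 06
    b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x05",                                # method 07
    b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x00\x20\x40\x00\x66\x3d\x86\xf3",  # method 12
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",                                    # method 11
    b"Software\\NuMega\\SoftICE\x00",                                       # method 13
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%06X  method %-5s %s" % (h.offset, h.method, h.detail))
```

It only finds the textbook encodings: a packer that builds the magic values at
run time (xor-decoded constants, register loads split across a jump) or that
stores the device names as UTF-16 will not match, and int 41h/0F386h is also
used by legitimate debugger-aware code, so treat hits as leads for a manual
look rather than proof.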
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>