<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: int 3 is called with
EBP='BCHK' and AX=04h, and a loaded SoftICE answers by changing AL (so AL
is still 4 only when nobody answered).

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; SoftICE's BoundsChecker interface answers here
 cmp al,4 ; AL unchanged -> no SoftICE
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (the program's own int 03h
 handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/1684h (Get VxD API entry point), using the VxD ID of the SICE
driver; a non-zero ES:DI on return means the VxD is loaded.

 xor di,di
 mov es,di ; ES:DI = 0:0 before the call
 mov ax, 1684h ; Get VxD API entry point
 mov bx, 0202h ; VxD ID of winice (SICE)
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (still 0:0 if not loaded)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it uses the VxD ID of
the SoftICE graphics VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method checking for the 'magic number' 0F386h that every system debugger
returns (in ax) to int 41h function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Under plain DOS the int 41h vector
normally points to the hard disk 0 parameter table (data, not code), so
the program first installs its own temporary handler, which simply IRETs
and leaves AX=4Fh when no debugger intercepts the call:

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our handler (offset)...
 xchg bx, es:[41h*4+2] ; ...and segment, saving the old vector in dx:bx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(there is no AX=4Fh to break on): the program's own handler copies AL
into CL, so if CL still differs from AL after int 41h, something else
(the debugger) intercepted the interrupt.

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; swap in our handler, save the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random byte from timer channel 0
 xor cx,cx
 int 41h ; our handler sets cl=al unless the debugger ate the int
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; (false negative if the timer byte happens to be 0)
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode): function
43h is the installation check and returns AX=0F386h when a debugger is
present.

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
 app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32Bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler (ds = its segment)
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
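Added example (my own code, not part of the original text): a small Python decoder
for DR7 that shows what the two values quoted above actually mean. The bit layout
comes from the Intel SDM, not from this page: bit 10 is reserved and always reads
as 1 (hence the idle value 0x400), bits 8/9 are LE/GE (0x700 = 0x400 | LE | GE),
bits 0-7 are the L/G enable bits of DR0-DR3 and bits 16-31 hold their R/W and LEN
fields. dr7_hints_debugger() applies the page's heuristic to a value read from
DR7; the function names and the sample values are my own.

```python
from typing import Dict, List

# DR7 bit layout (Intel SDM vol. 3, Debug Registers); not taken from the page.
DR7_LE = 1 << 8          # local exact breakpoint enable
DR7_GE = 1 << 9          # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10  # reserved bit that always reads as 1 -> idle DR7 == 0x400
DR7_GD = 1 << 13         # general detect: trap any MOV to/from DR0-DR7

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}  # 2 (8 bytes) is only valid in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return which of DR0-DR3 are armed by DR7, plus the LE/GE and GD flags."""
    armed: List[Dict[str, object]] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # Li bit
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # Gi bit
        rw = (dr7 >> (16 + 4 * i)) & 3           # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 3           # LENi field
        if local or glob:
            armed.append({"index": i, "local": local, "global": glob,
                          "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": armed,
    }


def encode_dr7(index: int, kind: str, length: int, base: int = DR7_RESERVED1) -> int:
    """Build the DR7 a debugger would write to arm DR<index> as a local breakpoint
    (this is what a SoftICE BPM leaves behind for Method 10 to read)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * index)) | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


def dr7_hints_debugger(dr7: int) -> str:
    """The page's heuristic: any armed slot means a hardware (BPM) breakpoint;
    LE|GE without armed slots is what the page attributes to the SoftICE loader;
    bare 0x400 is the idle value."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoint armed"
    if info["exact"]:
        return "exact-match bits set (loaded via SoftICE loader per Method 10)"
    return "idle"


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_dr7(0, "write", 4), encode_dr7(3, "execute", 1)):
        print(f"DR7={value:#08x}: {dr7_hints_debugger(value)} "
              f"{decode_dr7(value)['breakpoints']}")
```

Reading DR7 with MOV needs ring0, as the text says; on Win32 the same registers
are also exposed to a ring3 process through GetThreadContext with
CONTEXT_DEBUG_REGISTERS, which is the user-mode form of this trick.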

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* \\.\SICE is the device name of the SoftICE VxD; the open only
  succeeds when the driver is loaded and accepts DIOC_OPEN. */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears eax and the Carry flag
to allow the handle to be opened, and SoftICE is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where "tICE" sits
in the subkey strings of #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>