<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; al is altered if SoftICE handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our own int 41h vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; SoftICE answers before our handler if loaded
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al ; our handler copies al into cl
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer port: an unpredictable value in al
 xor cx,cx
 int 41h ; only our handler sets cl=al; SoftICE does not
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx = new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
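Method 10 compares dr7 with 0x700 and 0x400 without saying what those bits are. As an added example (not part of the original text), the decoder below splits a dr7 value into its documented fields, so the two values and any BPM armed in dr0 to dr3 can be read off; the sample dr7/dr0 values are constructed.

```python
# DR7 layout as documented in the Intel SDM (vol. 3, "Debug Registers").
# Bit 10 is reserved and always reads as 1, which is why an otherwise
# untouched dr7 shows 0x400; LE and GE (bits 8/9) give 0x700.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding -> bytes covered


def decode_dr7(dr7):
    """Split a dr7 value into its enable bits and the four BPM slots."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)        # Ln: task-local enable
        glob = bool(dr7 >> (2 * n + 1) & 1)     # Gn: global enable
        rw = dr7 >> (16 + 4 * n) & 3            # RWn: break condition
        ln = dr7 >> (18 + 4 * n) & 3            # LENn: range size
        slots.append({"slot": n, "enabled": local or glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 >> 8 & 1),    # local exact breakpoint match
        "GE": bool(dr7 >> 9 & 1),    # global exact breakpoint match
        "GD": bool(dr7 >> 13 & 1),   # general detect: trap on DRn access
        "slots": slots,
    }


def active_bpm(dr7, dr=(0, 0, 0, 0)):
    """List (slot, linear address, type, len) for every enabled BPM slot."""
    return [(s["slot"], dr[s["slot"]], s["type"], s["len"])
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def loader_signature(dr7):
    """The page's rule: LE and GE both set (0x700) means the SoftICE loader
    touched dr7; a bare reserved bit (0x400) means it was left alone."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


# Constructed sample: dr7 as the page describes after the SoftICE loader,
# plus slot 0 armed as a 4-byte read/write BPM (L0=1, RW0=11b, LEN0=11b).
SAMPLE_DR7 = 0x700 | 0x1 | (0x3 << 16) | (0x3 << 18)
SAMPLE_DR = (0x401000, 0, 0, 0)   # dr0..dr3, constructed

if __name__ == "__main__":
    print(hex(SAMPLE_DR7), loader_signature(SAMPLE_DR7))
    for slot, addr, kind, length in active_bpm(SAMPLE_DR7, SAMPLE_DR):
        print(f"dr{slot}: {addr:#010x} {kind} len={length}")
```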

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile); /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; -1 (open failed) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
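The instruction sequences of Methods 01 to 07 and 12 and the device names of Method 11 are fixed enough to be found statically in a binary. The scanner below is an added example written for this page, not code from the original text or from any tool it names; the byte windows it tolerates between instructions are an assumption, and the sample buffer is constructed from the page's own listings.

```python
import re

# Byte signatures for the SoftICE checks listed on this page, written for
# the encodings those listings assemble to. The lazy ".{0,N}?" windows (an
# assumed tolerance) let a few unrelated bytes sit between key instructions.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3": rb"\xbd\x4b\x48\x43\x42.{0,12}?\xcc",
    # Method 02: mov ax,0910h..0914h ; mov si,4647h ; mov di,4A4Dh ; int 3
    "int3_backdoor": (rb"\xb8[\x10-\x14]\x09.{0,16}?\xbe\x47\x46"
                      rb".{0,16}?\xbf\x4d\x4a.{0,16}?\xcc"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "int2f_vxd_id": rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Methods 05/06: mov ax,4Fh ... int 41h
    "int41_4f": rb"\xb8\x4f\x00.{0,24}?\xcd\x41",
    # Method 07: mov ah,43h ; int 68h
    "int68_43": rb"\xb4\x43.{0,8}?\xcd\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": rb"\x6a\x4f.{0,8}?\x68\x2a\x00\x2a\x00",
    # Method 11: device names handed to CreateFileA / _lopen
    "meltice_name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
}
COMPILED = {n: re.compile(p, re.DOTALL) for n, p in SIGNATURES.items()}


def scan(data):
    """Return sorted (offset, signature) pairs for every hit in data."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop from Method 02, the Method 03
# int 2Fh check and a MeltICE device name, padded with NOPs (0x90).
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"       # mov ax,0911h
    + b"\x8b\x17"           # mov dx,[bx]
    + b"\xbe\x47\x46"       # mov si,4647h
    + b"\xbf\x4d\x4a"       # mov di,4A4Dh
    + b"\xcc"               # int 3
    + b"\x90" * 3
    + b"\x33\xff\x8e\xc7"   # xor di,di ; mov es,di
    + b"\xb8\x84\x16"       # mov ax,1684h
    + b"\xbb\x02\x02"       # mov bx,0202h
    + b"\xcd\x2f"           # int 2Fh
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"    # the string \\.\SICE as CreateFileA receives it
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```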

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>