<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value: our handler should copy it into CL
    xor cx, cx              ; if SoftICE intercepts int 41h, our handler
    int 41h                 ;   never runs and CL stays 0
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                            ;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                            ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
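
As an added example (not part of the original text, and not NuMega's or any
packer's code), here is a static triage scanner that searches a binary for the
byte patterns of the checks catalogued in methods 01 to 13, so an analyst can
tell which of them a protected program uses before single-stepping it. The
signature encodings, the signature names and the constructed sample buffer are
my own assumptions derived from the instruction listings above.

```python
import re

# Byte patterns for the SoftICE checks catalogued above, hand-derived from the
# instruction encodings the text shows (16-bit forms; an optional 66h prefix
# also covers the 32-bit forms) plus the strings MeltICE and the registry
# check rely on. A hit is a lead for the analyst to disassemble, not proof.
SIGNATURES = {
    "M01 BoundsChecker BCHK (mov ebp,4243484Bh)":
        rb"\xBD\x4B\x48\x43\x42",
    "M02 back door magic (mov si,4647h / mov di,4A4Dh)":
        rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A",
    "M03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 int 41h function 4Fh (mov ax,4Fh / int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "M05/07/12 system debugger magic (cmp ax,0F386h)":
        rb"(?:\x66)?\x3D\x86\xF3",
    "M07 int 68h function 43h (mov ah,43h / int 68h)":
        rb"\xB4\x43\xCD\x68",
    "M11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    "M13 SoftICE registry key string":
        rb"Software\\NuMega\\SoftICE",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(data: bytes) -> list:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample standing in for a scanned binary: hand-assembled fragments
# of methods 01, 02, 03, 05 and 12 plus the strings of methods 11 and 13.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                  # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:06X}  {name}")
```

Run it over a real file with scan(open(path, "rb").read()); packed or encrypted
sections will of course hide the patterns until the program is dumped.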
. k2 ]& C8 M7 W8 L6 r8 h4 R( N, H</PRE></TD></TR></TBODY></TABLE> |