<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognizes.

        mov  ebp, 04243484Bh   ; 'BCHK' BoundsChecker signature
        mov  ax, 04h
        int  3
        cmp  al, 4             ; SoftICE answers by changing AL
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE commands - the command is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911    ; execute command.
4C19:0098 MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647    ; 1st magic value.
4C19:009D MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0 INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8 JB   0095       ; 6 different commands.
4C19:00AA JMP  0002       ; Bad_Guy jumps back.
4C19:00AD MOV  BX,SP      ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor  di, di
        mov  es, di
        mov  ax, 1684h         ; int 2Fh: get VxD API entry point
        mov  bx, 0202h         ; VxD ID of WINICE
        int  2Fh
        mov  ax, es            ; ES:DI -> VxD API entry point (0:0 if no such VxD)
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

        xor  di, di
        mov  es, di
        mov  ax, 1684h         ; int 2Fh: get VxD API entry point
        mov  bx, 7A5Fh         ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es            ; ES:DI -> VxD API entry point (0:0 if no such VxD)
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov  ax, 4Fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]      ; install a dummy int 41h handler (ES = 0, the IVT)
        xchg bx, es:[41h*4+2]
        mov  ax, 4Fh
        int  41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0F386h
        jz   SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov  cl, al            ; dummy handler: just echo AL into CL
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax            ; ES -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]    ; install the dummy int 41h handler
        xchg bx, es:[41h*4+2]
        in   al, 40h           ; pseudo-random value from the timer
        xor  cx, cx
        int  41h               ; if SoftICE is there, its handler runs instead of ours
        xchg dx, es:[41h*4]    ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al            ; CL == AL only if our handler was reached
        jnz  SoftICE_Detected
_________________________________________________________________________

Method 07
=========
Method detecting the WinICE handler on int 68h (V86):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov  ah, 25h                   ; DOS: set interrupt vector
        mov  al, Int_Number            ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX) for
that device if it is installed.

        mov  eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov  edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* only the SoftICE VxD answers to the \\.\SICE device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001        ; INVALID_HANDLE_VALUE?
00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386           ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
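As an added example (not code from the original text), here is a small Python scanner that looks for the byte patterns of the checks from Methods 01, 03/04, 05, 07, 11 and 12 in a binary image, the kind of first pass an analyst runs over a packed program to know which trick to expect before loading it under the debugger. The opcode encodings and the sample image are constructed here, and only the plainest encoding of each trick is matched.

```python
"""Signature scanner for the SoftICE checks in Methods 01, 03/04, 05, 07,
11 and 12: flags a binary image that embeds them (e.g. a packed program)
so the analyst knows which anti-debug trick to expect."""
import re

# x86 encodings of the instructions quoted in the text (immediates are
# little-endian).  Only the plain 16-bit / 32-bit forms are covered; an
# obfuscating packer can of course spell the same instructions differently.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' via int 3":
        re.compile(rb"\xbd\x4b\x48\x43\x42"),                  # mov ebp,4243484Bh
    "03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        re.compile(rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f"),
    "05 int 41h function 4Fh (magic F386h)":
        re.compile(rb"\x66?\xb8\x4f\x00\xcd\x41"),            # mov ax,4Fh / int 41h
    "07 int 68h function 43h":
        re.compile(rb"\xb4\x43\xcd\x68"),                      # mov ah,43h / int 68h
    "11 MeltICE device name":
        re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),       # "\\.\SICE" etc.
    "12 VxDCall VWIN32_Int41Dispatch function 4Fh":
        re.compile(rb"(\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
}


def scan(image):
    """Return a list of (offset, method) hits, sorted by offset."""
    hits = []
    for method, pattern in SIGNATURES.items():
        for match in pattern.finditer(image):
            hits.append((match.start(), method))
    return sorted(hits)


def methods_found(image):
    """Just the two-character method numbers that were hit, in offset order."""
    return [method[:2] for _, method in scan(image)]


# Constructed sample image (not a real executable): filler bytes around
# fragments of Methods 01, 05, 11 and 12, encoded as a packer would emit them.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # Method 01
    + b"MZ filler text"
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x22"                   # Method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00"           # Method 12
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print("offset %5d: Method %s" % (offset, method))
```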
__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

        VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>