<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911          ; execute command.
4C19:0098 MOV DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647          ; 1st magic value.
4C19:009D MOV DI,4A4D          ; 2nd magic value.
4C19:00A0 INT 3                ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02            ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06            ; Repeat 6 times to execute
4C19:00A8 JB 0095              ; 6 different commands.
4C19:00AA JMP 0002             ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al                  ; only runs if our handler gets control
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]         ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; read a changing value (timer port)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al                  ; cl != al: our handler did not run,
        jnz SoftICE_Detected        ; something else intercepted int 41h

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx              ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
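Added example (mine, not the author's code): the text gives dr7 as 0x700 when
the program was started through the SoftICE loader and 0x400 otherwise, so here
is a small Python decoder for the DR7 fields as laid out in the Intel SDM
(Ln/Gn enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10, GD bit 13, R/Wn and
LENn in bits 16-31). It shows that the two quoted values differ only in the LE/GE
flags, and which of dr0-dr3 a given value enables (the memory breakpoints the
text mentions). Reading DR7 itself needs ring0, as the text says, and is not
done here; the value decoded at the bottom is constructed.

```python
# Added example, not part of the original text: decode the x86 DR7 debug
# control register so the values quoted above (0x700 vs 0x400) can be
# compared field by field. Layout per the Intel SDM; reading DR7 (ring 0)
# is outside this snippet.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoded LENn -> monitored length in bytes


def decode_dr7(dr7: int) -> dict:
    """Return the DR7 control fields as a dictionary."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: local enable for DRn
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: global enable for DRn
        rw = (dr7 >> (16 + 4 * n)) & 0b11          # R/Wn: break condition
        ln = (dr7 >> (18 + 4 * n)) & 0b11          # LENn: monitored length
        slots.append({
            "local": local,
            "global": glob,
            "enabled": local or glob,
            "condition": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),              # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),              # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1), # always reads as 1
        "gd": bool((dr7 >> 13) & 1),             # general detect: trap on DR access
    }


def hardware_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 that DR7 currently enables (BPMs in SoftICE terms)."""
    return [n for n, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def exact_match_flags_set(dr7: int) -> bool:
    """True when both LE and GE are set: the only difference between 0x700 and 0x400."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


if __name__ == "__main__":
    for value in (0x400, 0x700):
        d = decode_dr7(value)
        print(f"DR7={value:#x}: LE={d['le']} GE={d['ge']} "
              f"enabled={hardware_breakpoints(value)}")
    # constructed value: DR0 enabled locally, break on read/write of a 4-byte range
    sample = 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)
    print(f"DR7={sample:#x}: {decode_dr7(sample)['slots'][0]}")
```

Running it prints that 0x400 has nothing enabled and no LE/GE, while 0x700 has
LE and GE set and still no breakpoint slots in use, which is why the text treats
0x700 as the "loaded via the SoftICE loader" marker rather than as a breakpoint.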

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SoftICE driver through its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the device exists: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004Fh              ; function 4Fh
        push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001       ; VxdCall
        cmp ax, 0F386h              ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
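Added example (mine, not the author's and not from any of the programs named
above): the breakpoints given throughout this text catch these checks while the
program runs; the complementary analyst's tool is a static scan of a file for
the same fingerprints, so the following Python scanner looks for the byte-level
signatures of Methods 01, 02, 03/04, 05, 07 and 12 (x86 encodings assumed from
the instruction forms shown on the page: 16-bit operand size for the DOS
fragments, 32-bit push imm32 for the Win32 one) and for the device and registry
strings of Methods 11 and 13. The sample buffer at the bottom is constructed.

```python
# Added example (not from the original text): static signature scanner for the
# SoftICE checks described on this page. Byte patterns are the x86 encodings
# assumed from the instruction forms shown (16-bit operand size for the DOS
# fragments, 32-bit push imm32 for the Win32 one); strings are the device and
# registry names quoted in Methods 11 and 13. The sample buffer is constructed.
import re

# (signature name, regex over raw bytes, what the page describes)
SIGNATURES = [
    ("method01-BCHK", rb"\xbd\x4b\x48\x43\x42",
     "mov ebp,4243484Bh ('BCHK'), the BoundsChecker probe"),
    ("method02-magic", rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a",
     "mov si,4647h / mov di,4A4Dh back-door magic values"),
    ("method03-int2F", rb"\xb8\x84\x16\xbb\x02\x02",
     "mov ax,1684h / mov bx,0202h (SICE VxD ID)"),
    ("method04-int2F", rb"\xb8\x84\x16\xbb\x5f\x7a",
     "mov ax,1684h / mov bx,7A5Fh (SIWVID VxD ID)"),
    ("method05-int41", rb"\xb8\x4f\x00\xcd\x41",
     "mov ax,4Fh / int 41h"),
    ("method05-F386", rb"\x3d\x86\xf3",
     "cmp ax,0F386h system-debugger magic number"),
    ("method07-int68", rb"\xb4\x43\xcd\x68",
     "mov ah,43h / int 68h"),
    ("method12-vxdcall", rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00",
     "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxdCall)"),
    ("method11-device", rb"\\\\\.\\(SICE|SIWVID|NTICE)",
     "SoftICE device name opened with CreateFile/_lopen"),
    ("method13-registry",
     rb"(Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
     "SoftICE registry key"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL), what) for name, pat, what in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, signature name, description) for every hit, in offset order."""
    hits = []
    for name, rx, what in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name, what))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct signature names present in the blob, in order of first appearance."""
    seen = []
    for _, name, _ in scan(blob):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: filler bytes around fragments transcribed from the page.
SAMPLE = (
    b"\x90" * 16
    + b"\x66\xbd\x4b\x48\x43\x42"       # mov ebp,4243484Bh (66h prefix: 16-bit code)
    + b"\xb8\x04\x00\xcc\x3c\x04"       # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17"           # mov ax,0911h / mov dx,[bx]  (Haspinst.exe)
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                # '\\.\SICE',0 as opened by MeltICE
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"  # registry key #2 of Method 13
)

if __name__ == "__main__":
    for offset, name, what in scan(SAMPLE):
        print(f"{offset:#06x}  {name:<18} {what}")
```

Point it at a real file with scan(open(path, "rb").read()); a hit only says the
instruction bytes or string are present, so treat it as a pointer to the place
worth examining under the breakpoints given above, not as proof on its own.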

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>