<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: SoftICE's int 3
handler recognises the 'BCHK' marker in EBP and returns with AL changed,
so AL still equal to 4 afterwards means that no SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). ES:DI stays 0:0 when no VxD with that ID is
loaded, which is what the test below relies on:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h        ; VxD ID of WINICE
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh        ; VxD ID of SIWVID
        int 2fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger when int 41h, function 4Fh is called.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as the one in method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps a dummy handler into the int 41h
vector for the duration of the call, so only a debugger that intercepts
int 41h before the vector is reached can return the magic value
(ES must already be 0, i.e. point to the interrupt vector table, as in method 06):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; swap in the dummy handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]        ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to spot. The program
installs its own int 41h handler, which copies AL into CL, calls int 41h with
an arbitrary function number (a timer reading) and then checks whether its
handler actually ran; a debugger that intercepts int 41h without passing it
on to the installed vector is detected:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                 ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]       ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                ; pseudo-random function number (PIT counter)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]       ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

* `9 @% \. `) i7 OMethod 093 _. l; V" U1 [: d' L! W
=========( S% _, {9 D$ e7 I7 [8 i
$ Y7 q1 g4 a2 I) A9 e+ W3 t
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
, g" @* P2 p. sperformed in ring0 (VxD or a ring3 app using the VxdCall).' Z( \: d% X- W2 I- K" Y
The Get_DDB service is used to determine whether or not a VxD is installed4 s3 z$ n7 P& Z# W/ w
for the specified device and returns a Device Description Block (in ecx) for* k" v* k8 k1 n
that device if it is installed.. e7 U1 c0 {/ K+ U: I% `+ b$ N
- ~: _9 N- j5 }* f mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID: V( \' W; f' d9 A
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 U3 R" J8 l+ C! W VMMCall Get_DDB. t, ? a& T$ C/ N+ X
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
/ h4 S% `4 Q$ `; z$ i% I4 X: {7 |- C7 _/ D, y! D
Note as well that you can easily detect this method with SoftICE:
0 y- u+ P7 L" V, B4 X, E# @- {! K2 n bpx Get_DDB if ax==0202 || ax==7a5fh
' K; o i3 B* g
0 \# h, e, N9 E$ a& S__________________________________________________________________________
# o" q6 H3 r. N& T9 p; I9 A6 {3 H) J% P& o
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
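A worked decode of the DR7 value such a ring-0 read returns, added here as an example (it is not part of the original text and not SoftICE's own code). The bit layout is the standard x86 one: bits 0-7 are the L/G enable pairs for DR0-DR3, bits 8 and 9 are LE/GE, bit 10 always reads as 1, and bits 16-31 hold the R/W and LEN fields of each slot. It accounts for the two values quoted above: 0x400 is just the always-set bit 10, and 0x700 adds LE and GE. The `dr7_looks_like_loader` name and the reading of LE|GE as a "loader signature" are this example's own, taken from the text's claim rather than from any SoftICE documentation.

```c
/* Added example, not from the original text: decode a DR7 value the way a
 * ring-0 check of "Method 10" would have to, so that the 0x400 / 0x700
 * figures quoted above can be read bit by bit.  Pure integer code, builds
 * and runs on any host.  Bit layout is the standard x86 one; the "loader
 * signature" interpretation of LE|GE follows the text above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE           (1u << 8)    /* local exact breakpoint enable      */
#define DR7_GE           (1u << 9)    /* global exact breakpoint enable     */
#define DR7_RESERVED_ONE (1u << 10)   /* always reads as 1 on x86 CPUs      */

typedef struct {
    int enabled;       /* L<n> or G<n> bit set                          */
    const char *kind;  /* "exec", "write", "io", "rw"                    */
    int len;           /* 1, 2, 8 or 4 bytes (LEN encoding 00,01,10,11) */
} Dr7Slot;

/* Decode enable, type and length of hardware breakpoint slot n (0..3). */
Dr7Slot dr7_slot(uint32_t dr7, int n)
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    static const int   lens[4]  = { 1, 2, 8, 4 };
    Dr7Slot s;
    s.enabled = ((dr7 >> (2 * n)) & 3u) != 0;          /* L<n> | G<n> */
    s.kind    = kinds[(dr7 >> (16 + 4 * n)) & 3u];     /* R/W<n>      */
    s.len     = lens[(dr7 >> (18 + 4 * n)) & 3u];      /* LEN<n>      */
    return s;
}

/* How many of DR0..DR3 are armed (what the text calls BPMs being set). */
int dr7_armed_count(uint32_t dr7)
{
    int n, count = 0;
    for (n = 0; n < 4; n++)
        count += dr7_slot(dr7, n).enabled;
    return count;
}

/* 0x700 = RESERVED_ONE | GE | LE: the value the text attributes to a
 * program started through the SoftICE loader.  0x400 is the idle value. */
int dr7_looks_like_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Disarm every slot (the "clearing BPMs" manipulation the text mentions)
 * while leaving LE/GE and the reserved bit untouched. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & ~0xFFu;   /* bits 0..7 are L0,G0 .. L3,G3 */
}

int main(void)
{
    /* Constructed sample values: the two quoted in the text, plus one
     * with a 4-byte write BPM on DR0 and an execute BPM on DR1. */
    uint32_t samples[3] = { 0x400u, 0x700u, 0xD0409u };
    int i, n;
    for (i = 0; i < 3; i++) {
        printf("DR7=%#x loader=%d armed=%d\n", samples[i],
               dr7_looks_like_loader(samples[i]), dr7_armed_count(samples[i]));
        for (n = 0; n < 4; n++) {
            Dr7Slot s = dr7_slot(samples[i], n);
            if (s.enabled)
                printf("  DR%d: %s, %d byte(s)\n", n, s.kind, s.len);
        }
    }
    return 0;
}
```

The third sample (0xD0409) is what a SoftICE `BPM` on a dword write plus a `BPX`-style execute breakpoint would leave behind: both show up in `dr7_armed_count` even though neither the LE nor the GE bit is set, which is why the text treats "SoftICE loaded" and "breakpoints set" as two separate reads of the same register.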

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware soft try to load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025        ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                       ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                       ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh         ; function 4fh
        push 002a002ah         ; high word specifies which VxD (VWIN32)
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001 ; VxDCall
        cmp ax, 0f386h         ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
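The probe and the two breakpoint conditions side by side, added here as an example (not from the original text, and not MeltICE's or NuMega's code). The Windows-only part reproduces the CreateFileA probe of Method 11 for any of the three driver names; the portable part evaluates the `BPX CreateFileA` condition of Method 11 and the `BPX _regopenkey` condition of Method 13 against the strings the page lists, so the offsets 4, 0x13 and 0x37 can be checked on any host without SoftICE. It assumes that SoftICE compares a 4-character literal such as 'SICE' with the 4 bytes at the address in memory order; the function names (`tag_at`, `bpx_createfile_hits`, `bpx_regopenkey_hits`, `softice_device_open`) are this example's own.

```c
/* Added example, not from the original text and not MeltICE's or NuMega's
 * code.  Windows part: the Method 11 probe for all three driver names.
 * Portable part: the conditions of the two SoftICE breakpoints quoted in
 * Methods 11 and 13, evaluated on the host against the strings the page
 * lists, so the offsets 4, 0x13 and 0x37 can be checked without SoftICE.
 * Assumption: SoftICE compares a 4-character literal such as 'SICE' with
 * the 4 bytes at the address in memory order.  Function names are ours. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* Method 11 as a probe: 1 if \\.\<dev> can be opened, i.e. the driver is
 * loaded and answered DIOC_OPEN.  Only builds on Windows. */
int softice_device_open(const char *dev)
{
    char path[64];
    HANDLE h;
    snprintf(path, sizeof path, "\\\\.\\%s", dev);
    h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                    FILE_SHARE_READ | FILE_SHARE_WRITE,
                    NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* 1 if the 4 bytes of s at byte offset off equal tag: what
 * "*(ptr+off)=='TAG'" means in a SoftICE conditional (see assumption). */
int tag_at(const char *s, size_t off, const char *tag)
{
    if (strlen(s) < off + 4)    /* the expression would read past the string */
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix. */
int bpx_createfile_hits(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey, the second argument of RegOpenKey. */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed inputs: the names and keys quoted in Methods 11 and 13,
     * plus two innocent names that must not trigger. */
    static const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                                   "\\\\.\\PhysicalDrive0", "C:\\boot.ini" };
    static const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    size_t i;
    for (i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(%s): %s\n", files[i],
               bpx_createfile_hits(files[i]) ? "BPX fires" : "silent");
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(%s): %s\n", keys[i],
               bpx_regopenkey_hits(keys[i]) ? "BPX fires" : "silent");
#ifdef _WIN32
    printf("SICE loaded: %d\n", softice_device_open("SICE"));
#endif
    return 0;
}
```

Run against the three registry keys, the `_regopenkey` condition matches #1 and #2 (both have 'tICE' at 0x37 and 0x13 respectively) but not #3: `...\App Paths\Loader32.Exe` has a 'd' at offset 0x37, so a program that only reads key #3 slips past that breakpoint. The length check in `tag_at` matters too: a short filename such as `\\.\` makes the SoftICE expression read past the end of the string, which the host-side version refuses to do.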

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>