<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface in SoftICE: with EBP = 'BCHK' and AX = 4, the INT 3
is answered by SoftICE and AL comes back changed, whereas without SoftICE
AL is still 4. Note that without a debugger the INT 3 raises a breakpoint
exception, so real code wraps it in an exception handler (see the note at
the end of Method 02).

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' interface through INT 3, which returns information on
breakpoints or executes SoftICE commands. It is also used to crash SoftICE
or to force it to execute arbitrary commands (HBOOT, which reboots the
machine...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911    ; execute command.
    4C19:0098  MOV  DX,[BX]    ; DS:DX points to the command (see below).
    4C19:009A  MOV  SI,4647    ; 1st magic value.
    4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0  INT  3          ; back door call (if SoftICE is not loaded, jumps to 00AD*)
    4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06      ; repeat 6 times to execute
    4C19:00A8  JB   0095       ; 6 different commands.
    4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
    4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: SoftICE consumes the INT 3, so without it the
  breakpoint exception reaches the handler instead.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID through INT 2Fh/1684h
(get VxD API entry point). When the VxD is not loaded the call returns
ES:DI = 0:0, which the code tests by adding the two halves together (an OR
would be the exact test, but the sum is what you will usually see).

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 0202h          ; VxD ID of WINICE
    int  2Fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE graphics VxD (SIWVID).

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 7A5Fh          ; VxD ID of SIWVID
    int  2Fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls INT 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz  SoftICE_Detected

The following variant and Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode INT 41h vector is
swapped for a bare IRET for the duration of the call, so the INT 41h is
harmless whether or not anything else services it; a ring-0 debugger such
as SoftICE sees the interrupt before the real-mode vector is consulted and
still answers 0F386h:

    xor  ax, ax
    mov  es, ax              ; ES = 0 -> interrupt vector table (set up as in Method 06)
    mov  bx, cs
    lea  dx, int41handler2
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov  ax, 4Fh
    int  41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp  ax, 0F386h
    jz   SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant of the preceding one, but harder to detect: AX is loaded
from the system timer (port 40h) instead of with function 4Fh, so a
'BPINT 41 if ax==4f' breakpoint never fires. The temporary handler copies
AL into CL, and CL is zeroed before the call: if the INT 41h reaches the
program's own vector (no debugger), CL == AL afterwards; if SoftICE
swallows the interrupt, CL stays 0 and the mismatch gives the debugger
away. (If the timer byte happens to be 0 the check misses, one time in 256.)

int41handler PROC
    mov  cl, al
    iret
int41handler ENDP

    xor  ax, ax
    mov  es, ax              ; ES = 0 -> interrupt vector table
    mov  bx, cs
    lea  dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in   al, 40h             ; pseudo-random 'function number' from the PIT counter
    xor  cx, cx
    int  41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp  cl, al
    jnz  SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz  SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
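
The methods above are easy to spot statically once you know their
encodings. The following scanner is an added example (Python, not part of
the original text and not from any tool named in it): it turns the
instruction sequences quoted in Methods 01 to 07 into raw x86 byte patterns
and reports every occurrence in a code buffer, i.e. it detects the detector.
The sample buffer is constructed from the Haspinst.exe listing and the
snippets above, not taken from a real binary. Encodings assume 16-bit code
except where marked 32-bit.

```python
"""Static scan for the SoftICE-detection idioms of Methods 01-07.

Added example, not from the original text. Patterns are the raw x86
encodings of the instruction sequences quoted above (16-bit real-mode
encodings unless noted). The sample buffer is constructed inline from
the page's own listings and is not a real binary.
"""
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]          # None = wildcard byte

SIGNATURES: Dict[str, Pattern] = {
    # Method 01 (32-bit code): mov ebp,4243484Bh ; mov ax,4 ; int 3
    "M01 BoundsChecker 'BCHK' via INT 3":
        [0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC],
    # Method 02 (16-bit): mov si,4647h ; mov di,4A4Dh ; int 3
    "M02 back door magic FG/JM via INT 3":
        [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC],
    # Method 02 (32-bit): same with 66h operand-size prefixes
    "M02 back door magic FG/JM via INT 3 (32-bit)":
        [0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A, 0xCC],
    # Methods 03/04 (16-bit): mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    # The two ID bytes are wildcards and are decoded after the match.
    "M03/04 INT 2Fh/1684h VxD entry point":
        [0xB8, 0x84, 0x16, 0xBB, None, None, 0xCD, 0x2F],
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 INT 41h/4Fh debugger check":
        [0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3],
    # Method 07 (16-bit): mov ah,43h ; int 68h ; cmp ax,0F386h
    "M07 INT 68h/43h debugger check":
        [0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3],
}

# VxD IDs quoted in Methods 03, 04 and 09.
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def match_at(buf: bytes, pos: int, pat: Pattern) -> bool:
    """True if `pat` (with wildcards) matches `buf` at offset `pos`."""
    if pos + len(pat) > len(buf):
        return False
    return all(p is None or buf[pos + i] == p for i, p in enumerate(pat))


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pat in SIGNATURES.items():
        for pos in range(len(buf) - len(pat) + 1):
            if not match_at(buf, pos, pat):
                continue
            label = name
            if name.startswith("M03/04"):      # decode the BX immediate (VxD ID)
                vxd_id = buf[pos + 4] | (buf[pos + 5] << 8)
                label += " [bx=%04Xh %s]" % (vxd_id, VXD_IDS.get(vxd_id, "unknown VxD"))
            hits.append((pos, label))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop from Method 02, a Method 04
# probe (SIWVID), then the Method 05 and Method 07 checks, padded with NOPs.
SAMPLE = bytes.fromhex(
    "90 90"
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC"     # mov ax,0911h ; mov dx,[bx] ; magic ; int 3
    "83 C3 02 41 83 F9 06 72 EB 90"           # add bx,2 ; inc cx ; cmp cx,6 ; jb ; nop
    "33 FF 8E C7 B8 84 16 BB 5F 7A CD 2F"     # xor di,di ; mov es,di ; int 2Fh/1684h, bx=7A5Fh
    "B8 4F 00 CD 41 3D 86 F3 74 10"           # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    "B4 43 CD 68 3D 86 F3 74 08"              # mov ah,43h ; int 68h ; cmp ax,0F386h ; jz
    "90 90"
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print("%04X  %s" % (off, what))
```

Run it as a script to list the hits; `scan` returns (offset, description)
pairs so it can be dropped into an unpacker or triage script. The INT 2Fh
pattern wildcards BX and decodes the VxD ID afterwards, so a probe for an
unknown VxD is still reported. Remember that these are only the literal
encodings from this page: a protector that reorders the MOVs or computes
the magic values at run time will not match.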
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is.

    mov     eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD
    mov     edi, Device_Name    ; only used when there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov     [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can tell
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their values. This works in ring 0 only:
MOV from or to a debug register is privileged and raises a general
protection fault from ring 3. Values can be manipulated or changed as
well (clearing BPMs, for instance).
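
What the DR7 values quoted above actually encode, as an added example
(Python, not from the original text): 0x400 is only the reserved bit 10
that always reads as 1 (the register's reset value), while 0x700 adds the
LE and GE 'exact breakpoint' enables; a SoftICE BPM shows up as one of the
L0-L3/G0-G3 enables plus its R/W and LEN fields. Since DR7 cannot be read
from user mode, the values are passed in, and `arm_bpm` builds a
constructed register with one breakpoint set.

```python
"""Decode the DR7 values mentioned in Method 10.

Added example, not from the original text. Reading DR0-DR7 is a
privileged instruction (it faults with #GP at CPL > 0), so this models
the ring-0 check on values passed in: 0x700 and 0x400 are the two values
the text quotes, and `arm_bpm` produces a constructed DR7 with one
hardware breakpoint enabled, which is how a SoftICE BPM shows up.
"""
from typing import Dict, List

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}   # DR7.RWn
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                          # DR7.LENn


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its enable flags and the per-breakpoint fields."""
    bps: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1            # Ln
        glob = (dr7 >> (2 * i + 1)) & 1         # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "local": bool(local), "global": bool(glob),
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1; reset value is 0x400
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap on DRn access
        "breakpoints": bps,
    }


def debugger_suspected(dr7: int) -> bool:
    """The Method 10 test: anything beyond the reset value 0x400 is a debugger."""
    d = decode_dr7(dr7)
    return bool(d["LE"] or d["GE"] or d["GD"] or d["breakpoints"])


def arm_bpm(dr7: int, index: int, kind: str, length: int) -> int:
    """Return DR7 with breakpoint `index` locally enabled for kind/length,
    i.e. what a debugger writes when it sets a memory breakpoint."""
    rw = next(k for k, v in RW_KIND.items() if v == kind)
    ln = next(k for k, v in LEN_BYTES.items() if v == length)
    dr7 &= ~(0xF << (16 + 4 * index))            # clear RWn/LENn
    dr7 |= (rw | (ln << 2)) << (16 + 4 * index)  # set new RWn/LENn
    dr7 |= 1 << (2 * index)                      # set Ln
    return dr7


def clear_bpms(dr7: int) -> int:
    """What the text calls 'clearing BPMs': drop every Ln/Gn enable bit."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x400, 0, "write", 4)):
        print("%08X -> %s" % (value, decode_dr7(value)))
```

Note what a protector learns from this: the LE/GE bits alone already
distinguish 0x700 from 0x400, and clearing the low byte silently disarms
every BPM without touching DR0-DR3, which is why the warning above tells
you to remove breakpoints before running code that does this.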
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* opening the device name succeeds only if the SICE VxD answers */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067:  push 00402025        ; "\\.\SICE"
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-01         ; INVALID_HANDLE_VALUE
    00401074:  je   00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov  eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                 ; HFILE_ERROR (-1) becomes 0
    jnz  00650589            ; detected
    push 00                  ; OF_READ
    mov  eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger-installation check
(methods 05 and 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp  ax, 0F386h          ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in keys #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
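
Where the constants in the breakpoint conditions of this method and of
Method 11 come from, as an added example (Python, not from the original
text): SoftICE's `*(ptr+N)=='XXXX'` compares the 4 bytes at ptr+N against a
4-character literal, so the offsets are simply where 'SICE' and 'tICE' sit
inside the strings the program passes (esp->4 is CreateFileA's lpFileName,
esp->8 is RegOpenKey's lpSubKey). The strings are the ones listed on this
page; key #3 (Loader32.Exe) is computed too because the quoted breakpoint
does not cover it.

```python
"""Derive the offsets used in the SoftICE BPX conditions of Methods 11 and 13.

Added example, not from the original text. The device names and registry
subkeys below are the ones the text lists; nothing else is assumed.
"""
from typing import List, Sequence

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]   # CreateFileA / _lopen args
REGISTRY_KEYS = {                                            # RegOpenKey subkeys (#1..#3)
    1: r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    2: r"Software\NuMega\SoftICE",
    3: r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def match_offsets(s: str, literal: str) -> List[int]:
    """Every offset at which *(ptr+offset)=='literal' holds for the string s,
    i.e. where the literal's bytes sit inside the string."""
    raw, lit = s.encode("ascii"), literal.encode("ascii")
    return [i for i in range(len(raw) - len(lit) + 1) if raw[i:i + len(lit)] == lit]


def bpx_condition(base: str, strings: Sequence[str], literal: str) -> str:
    """Render the condition in SoftICE syntax, e.g. *(esp->8+0x13)=='tICE',
    with one term per string in which the literal occurs."""
    terms = []
    for s in strings:
        for off in match_offsets(s, literal):
            terms.append("*(%s+%#x)=='%s'" % (base, off, literal))
    return " || ".join(terms)


if __name__ == "__main__":
    # The two conditions quoted on this page, reconstructed from the strings.
    print(bpx_condition("esp->4", DEVICE_NAMES, "SICE"))
    print(bpx_condition("esp->8", [REGISTRY_KEYS[2], REGISTRY_KEYS[1]], "tICE"))
    # Key #3 has no 'tICE'; the first 4 bytes of the file name are the handle.
    print(bpx_condition("esp->8", [REGISTRY_KEYS[3]], "Load"))
```

For key #3 the function gives 'Load' at +0x34, so the breakpoint above can
be extended with `|| *(esp->8+0x34)=='Load'`. The same derivation also
shows why the CreateFileA condition uses +4: it skips the `\\.\` device
prefix, which is common to all three driver names.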
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>