<TABLE width=500>
$ L- u, h. |1 \* }; }% h<TBODY>( V7 {( L C8 S) G* d: u# L% j; x
<TR>: J& P: u0 T! e3 W6 Y1 S' i
<TD><PRE>Method 01 7 M9 `) M6 l$ R3 c
=========1 K7 d0 J, A! k4 L
' A" {, I4 P' A) B" l
This method of detection of SoftICE (as well as the following one) is
1 l# K6 C! j. y2 f z& ^used by the majority of packers/encryptors found on Internet.
" t: k; C' [6 b1 {+ YIt seeks the signature of BoundsChecker in SoftICE
# A$ Q0 m4 w8 B' v( A5 \. Q- g9 o4 `8 i+ \, q6 \
mov ebp, 04243484Bh ; 'BCHK'
+ C0 T& G7 N! |2 w5 l. t mov ax, 04h
8 u, h9 K! q/ C8 [2 `! f2 D int 3 5 O# I( {% j# L( e- f6 u
cmp al,4
- m) q2 r4 u9 a5 P: ? jnz SoftICE_Detected8 `; k! j4 P3 Q. V
2 m' a# L1 L9 l- Z0 Y. J___________________________________________________________________________
0 R g z# l' F- \- d/ Q; t3 P
1 c, O; U$ _# ]2 _: \1 M/ p' QMethod 02
! f, d- ^" G. w- g! ]. F=========
6 c% e }5 v% n: P% U y3 Y
9 N' F3 m7 R( H1 r% eStill a method very much used (perhaps the most frequent one). It is used
$ p. ]$ @. o4 Z3 M8 uto get SoftICE 'Back Door commands' which gives infos on Breakpoints,) |+ I' a, A& x7 I z) g& m
or execute SoftICE commands...8 d$ `, b6 n3 Z- ]2 ~. P
It is also used to crash SoftICE and to force it to execute any commands
- ]% l: e* C, w6 }7 e; @% k(HBOOT...) :-(( $ l! T& M4 e+ `% S# _
! T4 r! `5 v+ L: d: Q' i% H* sHere is a quick description:1 r; \$ \+ n9 e4 |/ k" Q
-AX = 0910h (Display string in SIce windows)
5 o- s5 m5 L |* X6 Z f' ]' J-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
0 e/ t# u1 _6 I/ u+ D-AX = 0912h (Get breakpoint infos)
1 ?" n4 t2 ` s-AX = 0913h (Set Sice breakpoints)
# w3 R) P- X0 F$ y-AX = 0914h (Remove SIce breakoints)5 Y- `% o! q7 O, X/ e+ y$ a3 G$ @! P
3 o3 h+ x" W8 {" zEach time you'll meet this trick, you'll see:) `0 O" [ O& w
-SI = 4647h% O7 h& ]* @5 U9 }3 h+ c; t
-DI = 4A4Dh: H( J. }8 U/ }7 x
Which are the 'magic values' used by SoftIce.
3 ^' a7 r8 i+ {, h' wFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 ~! N8 I9 ]* ?: v v$ w# G* b3 h: f
& G$ n$ p) Q) C% b8 o) v
Here is one example from the file "Haspinst.exe" which is the dongle HASP2 u$ h* N X& p0 n. \0 d
Envelope utility use to protect DOS applications:
; m5 z: g: y% E0 P& u' R& j( @+ _4 @' }; h) ^
6 c' {: i! |& [3 Z J o: `, U' v4C19:0095 MOV AX,0911 ; execute command.
& | F+ D* W% d A% Q( {7 Y3 L2 h/ q4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).% ~4 v2 n8 X* L2 F, h
4C19:009A MOV SI,4647 ; 1st magic value.
5 G9 W; f/ ~: q& y4C19:009D MOV DI,4A4D ; 2nd magic value.
- p% D! G& u5 c. Q% Z8 c4 |; s* Z. L4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
* c9 D3 P" e b9 J J8 @4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
$ T# z# M7 r) p$ P& X; c4C19:00A4 INC CX
. Q9 H0 ^9 @8 ?) W4C19:00A5 CMP CX,06 ; Repeat 6 times to execute6 O; ^, T" ^1 u" k* k
4C19:00A8 JB 0095 ; 6 different commands.! n( r \5 D& ^/ `+ T
4C19:00AA JMP 0002 ; Bad_Guy jmp back., f) D2 {+ u+ q8 S
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)* d4 o( L. \( p" T& ?
* O* x3 d! P& k$ i, d: vThe program will execute 6 different SIce commands located at ds:dx, which
; w. R3 Y. e3 Z( ~% j- Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* N" C3 H. F3 [% J" h5 m! A: s
5 U( ]* D6 v: I( d1 E2 P* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, Y; c8 s2 n8 F- w/ X$ l, O8 g___________________________________________________________________________
+ _ E& B5 B8 S" D! ^' d* z% m% |% Y/ f2 R9 d
! X( |. E C' x8 y: G# n' zMethod 03
/ J' d' W9 T! I W+ n=========2 x! s$ O! s- J
' T r1 [ A2 |/ H5 I( C' M- N
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ N* z# E* e8 @4 z0 K" `. A/ {(API Get entry point)
+ a' G% t+ s# y" Y9 W+ ~
, e' G+ r4 K+ R" I, W/ t
1 j4 k. F+ G: W' Z* ?/ L/ ]& k xor di,di
' P9 Z+ F; V( k% `1 N mov es,di
6 w8 e" W/ h; d" f; U& u3 D mov ax, 1684h
3 w ^. g! U# }" ? mov bx, 0202h ; VxD ID of winice: S T/ F1 Z" E4 E0 g }
int 2Fh
t% l9 F. r) [* c, R% p& K mov ax, es ; ES:DI -> VxD API entry point
t& T% q3 B; H- A& l add ax, di
; q' E) }* q3 h test ax,ax/ L0 f; c# f8 M- V }4 f0 k, {1 x3 z
jnz SoftICE_Detected. B P- \" o$ S- Z+ H
2 a* s7 V8 I8 F" c+ L5 R___________________________________________________________________________
. h# H' r/ x3 J9 O9 d" d4 }* M V- d. G
Method 04
. [6 c, D" j# y" r: n% E=========4 G' k6 T9 c7 m3 E& h7 a
) q) Y* K/ V: s9 y( x$ z' u
Method identical to the preceding one except that it seeks the ID of SoftICE* M& x. w6 l L9 B1 g- x; b1 ^
GFX VxD." L( G7 M) U5 D" U: j9 p- F* [
, @$ s- O! }( C" D9 B0 E xor di,di
6 H* q0 Y6 X1 M- v mov es,di a1 e& Y* o V5 d8 Q8 E8 j
mov ax, 1684h
7 Q' l8 w. V- v mov bx, 7a5Fh ; VxD ID of SIWVID' s, W0 T, H9 ~% ]8 k% y0 e
int 2fh: q$ E* ?3 X/ F* W7 |& Y- n
mov ax, es ; ES:DI -> VxD API entry point
* ]* K' f/ y- l) F4 _$ p add ax, di
0 U: G2 [9 p8 V- g" {6 H test ax,ax4 T7 d( t$ Z* T( J- J' V
jnz SoftICE_Detected0 o; a* n! L. Y# ~5 N6 C
# v& G ~! {& @- e. \__________________________________________________________________________
: u: z2 ~, b( i( N& k" k- w y! i) K6 V
/ }) {; N! S! _. u9 |5 {' I0 [Method 05
# G( z7 o7 ^" @2 {; X=========2 ]0 i! L* S! u' w* r
% |" p$ H$ A2 G- {: p- ~: |
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 Q+ b7 o! J l p, q1 K+ s8 m6 E
debugger. It calls the int 41h, function 4Fh.
* `4 V- m5 y9 l& z( r, qThere are several alternatives. / v4 F% X9 A) i) r( p6 f
; [" F! X. i- { b$ q% m( ~" c
The following one is the simplest:
\: X) t: }$ g4 [( j! h+ C% [: [. {3 C' L4 n/ Z) j( }
mov ax,4fh# c2 n$ Z! S! r5 N+ C
int 41h
. O8 b5 ~4 R$ O) [ cmp ax, 0F386( Q9 ~7 O/ U3 U) {9 c
jz SoftICE_detected5 |7 z+ E4 K2 V4 o# ]
2 o9 N0 K& l( _% ?/ E& N+ E! o+ k- n% d$ j% V- s& W2 ?7 o0 `
Next method as well as the following one are 2 examples from Stone's
2 w0 {9 G: \+ O. t" z. k"stn-wid.zip" (www.cracking.net):
# Z P1 \! \9 B+ ^
- J1 F6 G8 j$ H0 |2 ~3 m( L! v mov bx, cs
# v& D: }2 A7 D0 Z3 Q) W: T* A lea dx, int41handler2
3 f3 e; m3 v' M; ^8 t xchg dx, es:[41h*4]! ?% Y7 W6 A4 [5 Y( [( Q* W I
xchg bx, es:[41h*4+2]
8 B% x6 C6 k& y* w! N% p mov ax,4fh, o# s+ t6 A3 ]" Y- ^9 n$ F+ V
int 41h2 o$ N: g# D/ G7 U: z l4 p
xchg dx, es:[41h*4]
' y1 @' Y$ y/ c; Q+ X# V xchg bx, es:[41h*4+2]
$ |( Q- Z! v* w cmp ax, 0f386h
! `; Q+ \' ?8 i' Q' ?) l' _ H jz SoftICE_detected7 @, Z6 }! `6 X/ i1 @
; x+ r4 N5 f8 C; a$ [* g7 Kint41handler2 PROC1 b/ C d1 A8 V$ r; W
iret; z5 F; e1 ?- A# f6 M( Z& [" b' u) ^
int41handler2 ENDP
& N- l2 ~) \( o5 }9 {" i. Q5 h5 E+ Y; y- B4 [
* C; Z1 p% Y0 m& W8 N( w8 F( k- P+ `_________________________________________________________________________ X2 M( \! B" m& p
' t/ p5 U1 `. h9 A) ~
" N" X8 @# p$ Y" a- `9 `# f
Method 06! \& r' c2 [, o1 p1 `* e
=========
R$ O4 v$ W9 Y* ~
4 w5 @( I F1 o2 h8 ~3 l9 Y& M# V4 ~% }$ U& \! W
2nd method similar to the preceding one but more difficult to detect:
6 }& V$ T. y- O- I. i$ H( f/ S2 b9 N3 Y$ q
/ w# g( H D2 d0 dint41handler PROC$ u2 u0 u4 P( ^/ \- x2 z
mov cl,al9 I, a" s' M3 i, u+ F
iret# x$ Z7 {, h$ c5 _9 L: ^) p
int41handler ENDP
3 }) V7 O l0 a( m/ Q
! t3 @# u+ L5 E0 ?+ E( `! d: X, Q) H3 i+ p
xor ax,ax
; z* A) `0 L: V. t/ Q$ g mov es,ax
& W( B8 M0 X4 S mov bx, cs
) h1 g* F0 N6 _# y P; T6 K8 C lea dx, int41handler
. U' }. V+ O4 q) c0 l0 O2 d% z xchg dx, es:[41h*4]& B8 h6 M, u8 V4 ~5 W
xchg bx, es:[41h*4+2]
5 a' P1 f5 y4 ] in al, 40h
9 {) G+ i; f3 b. i0 P3 k4 R: y xor cx,cx& k; h. h- ~7 I' @
int 41h, ]: f8 `5 @1 y/ a
xchg dx, es:[41h*4]
% e& N: ^5 w# T" \/ Q5 U, f xchg bx, es:[41h*4+2]
# }0 j3 w9 h2 M7 c3 I- n. Y$ M% j5 w cmp cl,al
. k* e( O5 j4 a& N jnz SoftICE_detected& K; [9 M: g6 o: u5 q3 j
" P- c- K R2 W2 }6 A- }* Z
_________________________________________________________________________6 R4 G3 s" J/ p. {
! l9 F' `4 `3 T! `* f& AMethod 07
/ Z5 B, J- r/ l- ]=========- P7 f5 x+ F8 `: F% W
, h& O. N4 t1 X1 } L, cMethod of detection of the WinICE handler in the int68h (V86)
% H1 M% \. d6 N4 n5 a) Y$ V5 M: ?7 W7 [+ X- y7 @
mov ah,43h
: ?; X' J% Q' [ int 68h
% H6 e& p( ?& Z S' E- M cmp ax,0F386h9 d7 H' \/ O+ `! J3 ~4 ~$ a7 W
jz SoftICE_Detected# ^# W; V! B% `2 l
( ?4 @; t! I$ e$ V) h# @7 l+ d
1 m! d6 ~+ [2 J=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: f% {3 v# ]7 t. }+ n
app like this:
, Z: m5 d8 }! _2 x: Z) P. w% @3 g# @& X5 s$ j& q" s( l+ J, G% L
BPX exec_int if ax==68( `, T! l) P, u% g" F+ f4 O* |* T
(function called is located at byte ptr [ebp+1Dh] and client eip is
6 n. L5 Z2 @. b) A e1 V+ r9 [ located at [ebp+48h] for 32Bit apps)5 s$ w$ r1 }8 W; N) w
__________________________________________________________________________( e7 `4 V# c5 t s
+ @. ~# c6 b/ P( D' }# G
0 r4 S2 }7 D. Q6 u( H' z1 {$ S% nMethod 085 E5 K8 B/ W. J+ m% A! y
=========
% [8 ?; Y A5 q" l, s- x Y( ]# F
* c/ D* Y, L0 m$ }It is not a method of detection of SoftICE but a possibility to crash the
7 \. J8 j. s9 F! ksystem by intercepting int 01h and int 03h and redirecting them to another! y3 B/ b+ P! Z& A9 |2 s0 H
routine.4 `' H8 s4 Y* q6 x: X6 i
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 E" q+ D/ K1 q! F9 d0 `0 H8 p/ Sto the new routine to execute (hangs computer...); L) ]; S1 t' `' {- q
& V) J9 F' U) H9 k8 M& X mov ah, 25h2 f! t) ?# G9 J
mov al, Int_Number (01h or 03h)0 f- J. B6 @& A! _. z, m' p5 l" j( L
mov dx, offset New_Int_Routine, ~( Z0 w }4 V5 E0 s) |- F# p8 b' s* L
int 21h$ }+ T" K" K+ y% L) H' @5 B
* c1 i& Q/ U- I4 G4 {__________________________________________________________________________
+ e( R' Z0 k% _9 O- A- j9 _# i% F; U" D% V/ n6 F. ?
Method 09. |* a! l: c- m! s) h
=========9 l, O5 F* ~- a
$ e% D1 j$ O( k. P
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 b& |6 A% I9 i
performed in ring0 (VxD or a ring3 app using the VxdCall)." b, O. I4 ?% N7 s4 m0 h
The Get_DDB service is used to determine whether or not a VxD is installed% @% H1 }- Z( \0 l- ^
for the specified device and returns a Device Description Block (in ecx) for
+ O+ C+ d% I# w- Rthat device if it is installed.6 ^0 q+ s9 F: f3 B) l# J
' _( P; j6 Q5 x4 z; |
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID; E" N- P0 `. Z1 v- a0 ]# p
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! t+ F$ q9 k% U+ p3 I$ \1 E; t VMMCall Get_DDB
9 d2 U+ R* z6 v9 A- f3 l: L$ r mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed0 ?1 x( V- [) U, E
% E3 h4 k9 s% b0 O' l3 Y ENote as well that you can easily detect this method with SoftICE:
+ P4 M2 [3 u# v2 I: p6 O/ G bpx Get_DDB if ax==0202 || ax==7a5fh( \* I9 h: y7 I4 n# T
0 f0 T( m. Y4 C: d' y2 B' e__________________________________________________________________________
: b! r! y* g: U) J( M4 i$ g& G( t' [0 u, I* y% L' o7 V% V, p2 z
Method 10
+ F: I1 D8 O6 P3 i1 T* y0 I# d" H=========% _2 t' m& C/ N) _
+ R# E* c9 v, d9 d! H: O=>Disable or clear breakpoints before using this feature. DO NOT trace with
1 D& o, G& R. ~/ t* T& x( O SoftICE while the option is enable!!- ]: E. C/ k+ Z
4 R/ c& @2 R0 f! E$ E q- ^0 J" B+ tThis trick is very efficient:3 c7 Q# W( I( o2 O
by checking the Debug Registers, you can detect if SoftICE is loaded' n. a/ @# c/ d8 P
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, K) P3 a0 c1 i+ |* A6 A _; U
there are some memory breakpoints set (dr0 to dr3) simply by reading their: u- J% x: ]5 N, q+ C
value (in ring0 only). Values can be manipulated and or changed as well; P" a2 O9 N% M8 J7 e3 Z
(clearing BPMs for instance), h% O% |9 n! w
- N$ W" o$ M- X0 w__________________________________________________________________________
: b0 w$ C' h3 |8 C
2 f1 G" s0 E! a3 mMethod 11
& J7 j& ^0 L6 A2 c. [=========
H; F5 p2 y# o+ T. T
; T/ h$ k6 l% _This method is most known as 'MeltICE' because it has been freely distributed
. x3 A" t6 N# u1 \/ J+ N' v! X, Cvia www.winfiles.com. However it was first used by NuMega people to allow
5 p z( }0 v+ }. {Symbol Loader to check if SoftICE was active or not (the code is located
1 P) _' T/ w4 D+ k8 K2 linside nmtrans.dll).2 B- v& X7 W i5 [' u( h7 l+ G7 X
( z, L- {# g( C
The way it works is very simple:; F$ ]& K, |8 B9 l6 y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& K: |; D, |/ ~4 XWinNT) with the CreateFileA API.3 b5 c1 p: a! _. F/ Y8 @
" R' E9 a. a( `" Y
Here is a sample (checking for 'SICE'):
R( O' l, k' _: S' f1 k1 x& R( P$ Y5 ~
BOOL IsSoftIce95Loaded(); p' m7 @7 G; S3 ], q) R5 c4 @% f2 k
{
5 _8 S# u8 t' G' p* x HANDLE hFile; 0 s# I) M7 \, X- c) g* u
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,, Z7 Y4 V' h$ @6 f* [
FILE_SHARE_READ | FILE_SHARE_WRITE,- ~9 i; U% Q1 |- Q$ O; J
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
8 I0 `9 e, Y+ a" y if( hFile != INVALID_HANDLE_VALUE )
0 q5 Q2 I& w/ x {
- y& O) B$ J7 O5 U! g CloseHandle(hFile);4 y, r% l5 j5 H- t" N' G8 j; ^
return TRUE;
& m* p5 T R9 Z6 W }& j# S: ]7 g5 V/ A- N
return FALSE;
: ]3 Z8 d. h- F; u}- f4 T# I k0 j% j" N2 N
3 z+ l5 i) c( OAlthough this trick calls the CreateFileA function, don't even expect to be$ U9 ^0 I: Q2 k4 l% }6 E
able to intercept it by installing a IFS hook: it will not work, no way!
3 v' ~7 m7 z" YIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
( ?9 M+ K4 g: ~; }service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% X* ]: O2 M( ^5 n2 eand then browse the DDB list until it find the VxD and its DDB_Control_Proc# d" Y: y7 L1 [2 e# y- y4 @3 y" k
field.
) t3 t6 k/ K/ f. TIn fact, its purpose is not to load/unload VxDs but only to send a + u7 P: I. G l# m8 X5 }: k
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 G u. O& H% H9 Qto the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ o2 t9 ^: B( ?/ K% gto load/unload a non-dynamically loadable driver such as SoftICE ;-).
7 {) s1 B8 {/ ]8 Q9 CIf the VxD is loaded, it will always clear eax and the Carry flag to allow3 ^' t' k4 ?( h; G, h% C
its handle to be opened and then, will be detected.
8 x/ l7 X) d- Y7 `You can check that simply by hooking Winice.exe control proc entry point) f" J1 n I- S( U4 b0 T
while running MeltICE.. ?( |- }4 U+ K" K, \. B
7 ?4 y4 m& U: V. N' e
+ ~% ^( @5 u- ^6 S( F 00401067: push 00402025 ; \\.\SICE9 y" c7 a( S4 Z
0040106C: call CreateFileA+ e$ X N$ n- W) C3 H
00401071: cmp eax,-001
% y5 N9 b/ A5 O$ i% C3 C 00401074: je 00401091
" M, H! S. D% C6 G: j: \7 I& u% d* \$ u5 N' E6 {# K" k; i
8 o4 H: L4 q/ U* ]
There could be hundreds of BPX you could use to detect this trick.+ ?$ S$ S3 A5 w# y
-The most classical one is:& a! M: i( q' k& }& ]
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
+ r! T x7 g* ^2 f3 f *(esp->4+4)=='NTIC'& k* j9 P( i1 f
5 a0 R4 p" a4 |2 `2 j-The most exotic ones (could be very slooooow :-(
& ^9 R+ o3 p0 P/ ^8 y' F BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') / G3 d* F' u2 B- a/ x5 L
;will break 3 times :-(
1 ^" W/ o" R0 b. \ q
$ D R% G) ~! H6 U. u-or (a bit) faster: ; b5 }7 E% ~+ N+ N& I# Z* o
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 h1 F) T. i- c. k0 C" |# r/ k l$ l4 G: D% V
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 9 N) k! n% B7 W
;will break 3 times :-(3 h% R) j) _) q$ H
; H# O; U* H, M, _# j1 [-Much faster:) B# J6 b" E& f9 V, v/ z
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'! z" c9 j. @7 F+ g$ X3 D! x
/ Q' e' P* G# s5 H( e9 p
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen& D+ \$ X0 C8 q; m$ I0 E* e
function to do the same job:% o" ^0 y' _) R4 ^
$ {- R! m) X0 E" M Z# c
push 00 ; OF_READ2 D/ M$ I- _& M6 K
mov eax,[00656634] ; '\\.\SICE',0
$ W* m p& f- q) O push eax
9 V5 | W: z$ E. _# b# B call KERNEL32!_lopen+ i Q- d, g, \5 i
inc eax
3 b f* w/ H+ ` jnz 00650589 ; detected, p# \' v+ d7 V- m8 V
push 00 ; OF_READ
& r! G& l# V% h, G( w0 r j! d) W mov eax,[00656638] ; '\\.\SICE'
- d6 L" S3 j( Z0 ~ push eax4 g0 ~- E5 o7 o3 Y$ d4 b+ n
call KERNEL32!_lopen. x2 S) v3 w' C" Z3 v
inc eax+ o; B& a; w7 v( {; u5 U
jz 006505ae ; not detected. S% w! ~/ p8 A. \
6 N% @' j. A' v4 X
& a. t$ _$ N, p7 J0 ~! W/ f$ @__________________________________________________________________________
# Q! r( s) u. u, }. t) [$ b b$ l9 |$ X. y: o; b7 k
Method 12* Y" n; ]7 d/ Z4 C$ K
=========; I( Q3 i! d4 W/ Q" D
# E" M2 R6 |, V2 C0 A1 J4 g1 }, H a
This trick is similar to int41h/4fh Debugger installation check (code 05$ t$ u m+ a( c' _. ^
& 06) but very limited because it's only available for Win95/98 (not NT)
) N! `$ R$ G. D1 ^8 x/ L) eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.9 a% U: Q, C1 ?% Y
. A H3 Q' w5 v+ K! l/ t
push 0000004fh ; function 4fh
: \$ n+ D# `% v( C( n, H, Y6 m" K push 002a002ah ; high word specifies which VxD (VWIN32)
( K; A3 s/ L8 a! C( ~1 r ; low word specifies which service
6 q% A! ]. P7 F (VWIN32_Int41Dispatch)( N: q" T) [) H2 g5 E# n
call Kernel32!ORD_001 ; VxdCall
! w; c- g T7 Z/ H8 N1 ^' W6 X" j cmp ax, 0f386h ; magic number returned by system debuggers* ?. K& M, x; w' w6 ` y5 v
jz SoftICE_detected( u5 B' U; q' B' g! h
9 |1 d* `3 T* \5 H$ XHere again, several ways to detect it:8 P- V+ @! H4 v1 n3 ~
3 q2 H7 V4 {+ Y/ Q( S0 Z BPINT 41 if ax==4f
* a, j# h9 I' i4 a. ^
8 q4 N6 v& Y8 _ ~# Y# E% R% N9 E BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one# L' O5 `' K" |
1 b" A+ f0 j- A
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
' [9 N' k& Q: `7 E: Z1 @/ c: v
& P; K5 u, y4 B H) f$ h BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!5 t6 K$ _1 G" }/ O7 S2 C
0 D" Y- J7 ~8 i, P
__________________________________________________________________________$ }9 {$ x v& y/ A' \
: q7 F' t% ~& J: D( k0 w
Method 13
* w0 X) i; Y! ~=========
2 g: h. ?4 t1 k5 } @$ Z. `, p
0 I7 f8 v0 M6 n$ X% E6 @! D* FNot a real method of detection, but a good way to know if SoftICE is$ M& G8 |5 |: Y2 ]$ o3 \
installed on a computer and to locate its installation directory.
0 A+ {8 m2 ], lIt is used by few softs which access the following registry keys (usually #2) : R' |7 F Y: O! c
; P( |" }; @* ~5 u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# }" G" E+ j4 S\Uninstall\SoftICE. |, k9 {0 R: I) G
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
, A1 O* C: x9 Y1 e1 k: Y9 ~) M-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion1 |8 \; L) y: Z$ @
\App Paths\Loader32.Exe$ [ j3 d, W/ O' V
6 F, U2 Q3 u2 K
1 M; x' l* W/ `' [! XNote that some nasty apps could then erase all files from SoftICE directory, W9 C8 Q4 n2 Y0 b. }
(I faced that once :-($ c# Q, U' V U3 G( C2 q
2 V& D9 c) q+ `, K$ Q! b
Useful breakpoint to detect it:
: M0 N. ?" t$ |1 U' b! n% G' t1 [: t- Z4 n
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 p- a" ^$ I9 D" |* P
6 P- w( u* k9 Z__________________________________________________________________________, A4 f* W# s, F5 l) G/ Y8 Y
1 n. W0 P# N0 H* k6 _4 H
/ F9 a6 C6 I$ W. g: fMethod 14 6 R0 E9 [1 e5 c/ E5 l
=========3 @2 F+ i" O0 I ]- q: X
8 F F/ u' `5 o9 w( t) BA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose; m; S" V9 e0 b$ z2 i1 p% g
is to determines whether a debugger is running on your system (ring0 only).
" e0 R- b W! K5 f3 }. p0 {
6 j f# _2 q( ^$ R! c# K VMMCall Test_Debug_Installed7 Y& S \+ | w( ^1 C$ P
je not_installed
0 V- q- w5 u! l2 y- j2 c* k/ L
- H8 i+ E+ }- T( |This service just checks a flag.& Q$ r1 ~2 r S' T" X' L
</PRE></TD></TR></TBODY></TABLE> |