<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
      BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

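The two DR7 values quoted above are easier to reason about once the register is decoded bit by bit. The following Python decoder is an added example, not part of the original text: it splits a DR7 value (and the DR0..DR3 addresses) into the hardware breakpoints they describe, using the bit layout from the Intel manuals, so that 0x700 reads as "LE and GE set, no breakpoint armed" and a BPM shows up as an enabled slot with its type and length. The sample register values are constructed for the demonstration.

```python
"""Decoder for the x86 debug-control register DR7 (method 10).

Added example, not from the original text.  Bit layout follows the Intel
SDM: L0/G0..L3/G3 in bits 0-7, LE in bit 8, GE in bit 9, bit 10 always
reads as 1, GD in bit 13, and one R/W + LEN pair per slot from bit 16 up.
The sample values are constructed for the demonstration.
"""

DR7_BIT_LE = 8          # local exact breakpoint enable
DR7_BIT_GE = 9          # global exact breakpoint enable
DR7_BIT_RESERVED1 = 10  # reserved, always reads as 1 (hence the 0x400)
DR7_BIT_GD = 13         # general detect: trap on any access to DR0..DR7

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding, in bytes


def bits(value, lo, width):
    """Return the `width`-bit field of `value` starting at bit `lo`."""
    return (value // (2 ** lo)) % (2 ** width)


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Describe the breakpoints armed by DR7 and the DR0..DR3 addresses."""
    addresses = (dr0, dr1, dr2, dr3)
    breakpoints = []
    for i in range(4):
        local_enable = bits(dr7, 2 * i, 1) == 1
        global_enable = bits(dr7, 2 * i + 1, 1) == 1
        if not (local_enable or global_enable):
            continue   # slot i is not armed, whatever DRi holds
        breakpoints.append({
            "register": "dr%d" % i,
            "address": addresses[i],
            "type": RW_NAMES[bits(dr7, 16 + 4 * i, 2)],
            "length": LEN_NAMES[bits(dr7, 18 + 4 * i, 2)],
            "scope": "global" if global_enable else "local",
        })
    return {
        "breakpoints": breakpoints,
        "exact_local": bits(dr7, DR7_BIT_LE, 1) == 1,
        "exact_global": bits(dr7, DR7_BIT_GE, 1) == 1,
        "general_detect": bits(dr7, DR7_BIT_GD, 1) == 1,
    }


# Constructed sample: one global 4-byte write breakpoint in slot 0, on a
# made-up address.  G0 = bit 1, R/W0 = 01 (write), LEN0 = 11 (4 bytes).
SAMPLE_DR7 = 0x000D0402
SAMPLE_DR0 = 0x00401000

if __name__ == "__main__":
    for value in (0x700, 0x400, SAMPLE_DR7):
        print(hex(value), decode_dr7(value, dr0=SAMPLE_DR0))
```

Reading the output side by side shows why the text's two constants differ only in bits 8 and 9: both carry the always-set bit 10, and neither arms a breakpoint slot, so a check on DR7 alone says nothing about BPMs, which is what the DR0..DR3 slots are for.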
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the driver's device name; success means the VxD answered */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

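The instruction sequences and driver/registry names quoted in methods 01 to 07, 11, 12 and 13 are all fixed byte patterns, so an analyst can flag them statically before stepping through a packer. The Python scanner below is an added example, not part of the original text nor of any tool it mentions: it encodes those sequences as x86 byte patterns (the encodings are assumptions made here, the standard 16-bit or 32-bit encodings of the quoted instructions) and reports every hit in a file image. The sample buffer is constructed for the demonstration and is not a real program.

```python
"""Static scanner for the SoftICE-detection signatures listed above.

Added example, not part of the original text.  Opcode encodings are
assumptions (standard x86 encodings of the quoted instructions); the
16-bit sequences are written as they appear in a DOS/16-bit code segment,
the 32-bit ones as they appear in a Win32 image.
"""

# name : byte pattern (instruction sequence or raw string the method uses)
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3 probe
    "method01_boundschecker": bytes.fromhex("BD 4B 48 43 42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back-door magic values)
    "method02_backdoor_magic": bytes.fromhex("BE 47 46 BF 4D 4A"),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh
    "method03_vxd_0202": bytes.fromhex("B8 84 16 BB 02 02 CD 2F"),
    # Method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    "method04_vxd_7a5f": bytes.fromhex("B8 84 16 BB 5F 7A CD 2F"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "method05_int41_4f": bytes.fromhex("B8 4F 00 CD 41 3D 86 F3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "method07_int68_43": bytes.fromhex("B4 43 CD 68 3D 86 F3"),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch for VxDCall)
    "method12_vwin32_int41dispatch": bytes.fromhex("68 2A 00 2A 00"),
    # Method 11: driver device names opened with CreateFileA or _lopen
    "method11_sice": b"\\\\.\\SICE",
    "method11_siwvid": b"\\\\.\\SIWVID",
    "method11_ntice": b"\\\\.\\NTICE",
    # Method 13: registry key naming the SoftICE installation
    "method13_registry": b"Software\\NuMega\\SoftICE",
}


def scan(image):
    """Return a sorted list of (offset, signature_name) for every hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(pattern, start)
            if pos == -1:
                break
            hits.append((pos, name))
            start = pos + 1     # keep going: a stub may repeat a probe
    hits.sort()
    return hits


def report(image, label):
    """Print one line per hit, in file order."""
    print("== %s (%d bytes)" % (label, len(image)))
    for offset, name in scan(image):
        print("  0x%08x  %s" % (offset, name))


# Constructed sample image: filler around three of the patterns, laid out
# the way a packer stub might embed them.  Not a real executable.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10")  # method 01
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                         # method 11
    + b"\x90" * 8
    + bytes.fromhex("6A 4F 68 2A 00 2A 00 FF 15")                 # method 12
    + b"\x90" * 16
)

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                report(fh.read(), path)
    else:
        report(SAMPLE_IMAGE, "constructed sample")
```

Run it with one or more file names to scan real images, or with no arguments to scan the constructed sample. The byte patterns are deliberately literal and therefore brittle: a 66h operand-size prefix, a different register order, or a string built at run time defeats them, which is why the conditional BPX/BPINT breakpoints given throughout this text remain the complementary dynamic check.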
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>