<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce windows)
  -AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
  -AX = 0912h (Get breakpoint info)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911    ; execute command.
4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647    ; 1st magic value.
4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8  JB   0095       ; 6 different commands.
4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point to segment 0 (the IVT),
        xchg bx, es:[41h*4+2]   ; as set up in the next example
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
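To make concrete what "reading their value" reveals, here is an added example (not part of the original text) that decodes DR7 together with DR0-DR3 the way the page describes: which hardware breakpoints are armed, their address, scope, type and length, and whether the LE/GE "exact" bits that make up the page's 0x700 value are set. The bit layout is the standard x86 one; the register values fed in are constructed, since real ones can only be read in ring 0 as the page says.

```python
"""Decode x86 debug registers DR0-DR3 and DR7 (added example, not from the page).

DR7 layout (Intel SDM vol. 3, "Debug Registers"):
  bits 0-7   L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per breakpoint)
  bit  8     LE   bit 9  GE            (local/global exact breakpoint)
  bit 10     reserved, always reads as 1
  bit 13     GD                        (general detect)
  bits 16-31 R/Wn (2 bits) and LENn (2 bits) for n = 0..3
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes on x86-64


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return a dict describing what DR7 (plus the DR0-DR3 addresses) has armed."""
    addrs = (dr0, dr1, dr2, dr3)
    breakpoints = []
    for n in range(4):
        local_on = (dr7 >> (2 * n)) & 1
        global_on = (dr7 >> (2 * n + 1)) & 1
        if not (local_on or global_on):
            continue                      # breakpoint n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n,
            "address": addrs[n],
            "scope": "global" if global_on else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "general_detect": bool(dr7 & (1 << 13)),  # GD
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always 1 on a real CPU
    }


def matches_softice_loader(dr7):
    """The page's heuristic: dr7 == 0x700 when the program was loaded with the
    SoftICE loader (LE+GE+reserved bit), 0x400 (reserved bit only) otherwise."""
    return dr7 == 0x700


if __name__ == "__main__":
    # Constructed values: the two from the page, plus one made-up DR7 with a
    # global 4-byte write breakpoint (a "BPM" in SoftICE terms) armed in slot 0.
    for dr7, dr0 in ((0x700, 0), (0x400, 0), (0xD0702, 0x401000)):
        info = decode_dr7(dr7, dr0=dr0)
        print(hex(dr7), "loader-like" if matches_softice_loader(dr7) else "",
              info["breakpoints"], "LE" if info["local_exact"] else "",
              "GE" if info["global_exact"] else "")
```

The constructed value 0xD0702 is 0x700 with G0 set (bit 1), R/W0 = 01 (write) and LEN0 = 11 (4 bytes), which is exactly the kind of armed memory breakpoint the page says a ring-0 check can read out of dr0-dr3.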
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

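Every trick above leaves a constant behind in the binary: the 'BCHK' value of Method 01, the SI/DI magic of Method 02, the 0F386h answer compared in Methods 05 and 12, the driver names of Method 11 and the registry paths of Method 13. The following static scanner is an added example (not code from the page or from any of the tools it mentions) that finds those constants in a byte image, which is the analyst's counterpart to the SoftICE breakpoints listed after each method. The instruction encodings are the common ones the page's listings assemble to (e.g. `BD imm32` for `mov ebp, imm32`, `BE imm16`/`BF imm16` for `mov si`/`mov di` in 16-bit code); other encodings are an assumption the scanner does not cover, and the sample image is constructed, not a real executable.

```python
"""Scan a byte image for the anti-SoftICE constants described on this page.

Added example; the sample image below is constructed, not a real program.
Only ANSI strings and the most common instruction encodings are matched,
so a hit is a lead for manual inspection, not proof, and a miss is not
proof of absence.
"""
import re
import struct
import sys

# (label, regex over raw bytes)
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh -> BD 4B 48 43 42 ('BCHK' little-endian)
    ("Method 01: 'BCHK' BoundsChecker signature",
     re.compile(re.escape(b"\xBD" + struct.pack("<I", 0x4243484B)))),
    # Method 02: mov si,4647h (BE 47 46) followed shortly by mov di,4A4Dh (BF 4D 4A)
    ("Method 02: SoftICE back-door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.S)),
    # Methods 05/12: cmp ax,0F386h -> 3D 86 F3 (16-bit) or 66 3D 86 F3 (32-bit);
    # in 32-bit code a bare 3D is cmp eax,imm32, so the short form can false-match
    ("Method 05/12: compare with int 41h/4Fh magic 0F386h",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    # Method 11: NUL-terminated \\.\SICE, \\.\SIWVID, \\.\NTICE device names
    ("Method 11: SoftICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the registry paths quoted on the page
    ("Method 13: SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|\\Uninstall\\SoftICE|\\App Paths\\Loader32\.Exe",
                re.I)),
]


def scan(data):
    """Return a sorted list of (offset, label) for every signature hit in data."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def build_sample():
    """Constructed image embedding one instance of each trick between NOP filler."""
    filler = b"\x90" * 8
    m01 = (b"\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh
           b"\x66\xB8\x04\x00"       # mov ax,4
           b"\xCC"                   # int 3
           b"\x3C\x04"               # cmp al,4
           b"\x75\x00")              # jnz
    m02 = (b"\xB8\x11\x09"           # mov ax,0911h
           b"\x8B\x17"               # mov dx,[bx]
           b"\xBE\x47\x46"           # mov si,4647h
           b"\xBF\x4D\x4A"           # mov di,4A4Dh
           b"\xCC")                  # int 3
    m05 = (b"\xB8\x4F\x00"           # mov ax,4Fh
           b"\xCD\x41"               # int 41h
           b"\x3D\x86\xF3"           # cmp ax,0F386h
           b"\x74\x00")              # jz
    m11 = b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    m13 = b"Software\\NuMega\\SoftICE\x00"
    return filler + m01 + filler + m02 + filler + m05 + filler + m11 + filler + m13 + filler


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, label in scan(image):
        print(f"{offset:08x}  {label}")
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample, which produces one hit per embedded trick (two for Method 11, since both device names are present).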
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>