<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command -the command is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911    ; execute command.
        4C19:0098  MOV DX,[BX]    ; ds:dx point to the command (see below).
        4C19:009A  MOV SI,4647    ; 1st magic value.
        4C19:009D  MOV DI,4A4D    ; 2nd magic value.
        4C19:00A0  INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD BX,02      ; BX+2 to point to next command to execute
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06      ; Repeat 6 times to execute
        4C19:00A8  JB 0095        ; 6 different commands.
        4C19:00AA  JMP 0002       ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        /* opening the device name succeeds only if the SICE VxD is loaded */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
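The tricks above leave recognisable bytes in a binary: the instruction encodings of Methods 01 to 07 and 12, the device names of Method 11 and the registry path of Method 13. The following scanner, an added example that is not part of the original text, flags those patterns so an analyst can triage a packed sample for anti-SoftICE checks before stepping into it; the opcode encodings, the signature names and the sample bytes are my own (constructed), and the patterns are heuristics that a packer can defeat by reordering or obfuscating the code.

```python
import re

# Byte signatures of the checks described above (16-bit encodings unless
# noted). Heuristics only: a packer can reorder or obfuscate the code.
SIGNATURES = {
    # mov si,4647h / mov di,4A4Dh in either order (INT 3 back-door magic, Method 02)
    "int3_backdoor_magic": rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)",
    # mov ebp,4243484Bh ('BCHK'), 32-bit encoding (BoundsChecker check, Method 01)
    "boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42",
    # mov ax,4Fh / int 41h (debugger installation check, Methods 05 and 06)
    "int41_fn4f": rb"\xB8\x4F\x00\xCD\x41",
    # mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh (VxD entry point, Methods 03 and 04)
    "int2f_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # mov ah,43h / int 68h (V86 WinICE handler, Method 07)
    "int68_fn43": rb"\xB4\x43\xCD\x68",
    # cmp ax,0F386h, with an optional 66h prefix in 32-bit code (Methods 05, 07, 12)
    "magic_f386": rb"\x66?\x3D\x86\xF3",
    # \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE, Method 11)
    "device_name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # HKLM\Software\NuMega\SoftICE registry path (Method 13)
    "registry_key": re.escape(b"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes):
    """Return (signature name, offset) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, data):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


# Constructed sample, not a real packer: NOP filler, a Method-02 style
# back-door call (as in the Haspinst.exe listing), a Method-05 style
# int 41h/4Fh check, then a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"          # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a whole file with `scan(open(path, "rb").read())`; a hit only says the pattern is present, so confirm it in the disassembly before drawing conclusions.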

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>