<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK', the BoundsChecker signature
    mov ax, 04h
    int 3                   ; SoftICE answers the request if it is resident
    cmp al, 4               ; al still 4 -> nobody answered, no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor di, di
    mov es, di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI is still 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI is still 0000:0000 if the VxD is absent
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh             ; "debugger installation check"
    int 41h
    cmp ax, 0F386h          ; magic value returned by system debuggers
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler (es is assumed
    xchg bx, es:[41h*4+2]   ; to be 0, the IVT segment, as in Method 06)
    mov ax, 4fh
    int 41h                 ; a resident debugger still answers before the IVT
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer channel 0: a value the check cannot predict
    xor cx, cx
    int 41h                 ; our handler copies al into cl; a debugger's does not
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):
    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the driver only hands out a handle when it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
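The BPX conditions above catch these checks at run time. As an added example (not code from the original text), here is the static counterpart an analyst would run over a file image before loading it: a small scanner that flags the byte-level signatures of Methods 01, 02, 03/04, 05/07/12, 11 and 13 (the 'BCHK' immediate, the SI=4647h/DI=4A4Dh pair in front of an INT 3, the int 2Fh/1684h VxD ID probes, the 0F386h compare, the VxDCall 002A002Ah constant, the \\.\SICE-style device names and the NuMega registry keys). The rule names and the sample buffer in build_sample() are constructed here; nothing in it comes from a real packer.

```python
"""Static triage scanner for the SoftICE-detection patterns on this page.
Added example, not code from the original text. The rule names are ours and
the buffer returned by build_sample() is constructed for the test.
"""
import re
import struct
import sys

# Operand immediates are stored little-endian, so they appear byte-reversed.
# A 66h operand-size prefix may precede the 16-bit forms in 32-bit code; the
# patterns below start at the opcode so both encodings match.
RULES = [
    # Method 01: mov ebp, 4243484Bh -> BD 4B 48 43 42 ('BCHK')
    ("softice_bchk_int3", re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    # Method 02: mov si,4647h (BE 47 46) ... mov di,4A4Dh (BF 4D 4A) ... int 3 (CC)
    ("softice_backdoor_magic",
     re.compile(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A.{0,16}\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h (B8 84 16) near mov bx,0202h / mov bx,7A5Fh
    ("int2f_vxd_entry",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A)"
                rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xB8\x84\x16", re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h -> 3D 86 F3
    ("debugger_magic_f386", re.compile(rb"\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) -> 68 2A 00 2A 00
    ("vxdcall_int41dispatch", re.compile(rb"\x68\x2A\x00\x2A\x00", re.DOTALL)),
    # Method 11: device names opened with CreateFileA / _lopen
    ("softice_device_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys that reveal a SoftICE installation
    ("softice_registry_key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"
                rb"|App Paths\\Loader32\.Exe", re.IGNORECASE)),
]

DESCRIPTIONS = {
    "softice_bchk_int3": "Method 01, BoundsChecker 'BCHK' request",
    "softice_backdoor_magic": "Method 02, int 3 back door magic values",
    "int2f_vxd_entry": "Methods 03/04, int 2Fh/1684h VxD entry point probe",
    "debugger_magic_f386": "Methods 05/07/12, 0F386h debugger magic compare",
    "vxdcall_int41dispatch": "Method 12, VxDCall VWIN32_Int41Dispatch",
    "softice_device_name": "Method 11, driver device name (MeltICE)",
    "softice_registry_key": "Method 13, SoftICE registry key",
}


def scan(data: bytes) -> list:
    """Return sorted (offset, rule_name) hits; offsets are into the raw image."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer: NOP filler around encoded Method 01, 02 and 11 fragments."""
    filler = b"\x90" * 8
    method01 = (b"\xBD" + struct.pack("<I", 0x4243484B)   # mov ebp, 'BCHK'
                + b"\x66\xB8\x04\x00"                       # mov ax, 4
                + b"\xCC")                                  # int 3
    method02 = (b"\xBE" + struct.pack("<H", 0x4647)        # mov si, 4647h
                + b"\xBF" + struct.pack("<H", 0x4A4D)      # mov di, 4A4Dh
                + b"\xCC")                                  # int 3
    method11 = b"\\\\.\\SICE\x00"                           # "\\.\SICE", NUL
    return filler + method01 + filler + method02 + filler + method11 + filler


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name in scan(image):
        print(f"{offset:08x}  {name:<24}  {DESCRIPTIONS[name]}")
```

Treat the hits as triage leads, not proof: a three-byte sequence such as 3D 86 F3 occurs by chance in data sections, and a packer can rebuild the immediates at run time, which is exactly why the run-time BPX conditions on this page remain the more reliable check. Methods 09 and 14 leave no usable immediate and are not covered.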

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>