<TABLE width=500># k& B" z* t5 k9 k
<TBODY>
) R K; @* ?4 B: `! `# a4 ?9 V<TR>+ t9 ], w0 [0 ?/ M
<TD><PRE>Method 01 : a! f& u( K7 m [
=========: z& s! y, m. g; z
9 T8 Q& G8 ?9 L ~1 D" k @6 m4 n- ?This method of detection of SoftICE (as well as the following one) is% O* I9 M4 M4 ~; |1 h$ \. {
used by the majority of packers/encryptors found on Internet.1 c$ ]6 ~0 R" F" E
It seeks the signature of BoundsChecker in SoftICE
0 X$ L1 l& q, d# g* X9 |8 X9 y/ e7 i( f: V
mov ebp, 04243484Bh ; 'BCHK'
$ R' s( X! J& Y+ z7 i+ x mov ax, 04h
4 n1 _1 T3 s3 i3 N: O/ Y& n+ O int 3 7 r( r0 e" T: f8 k1 B
cmp al,47 `7 S7 j# q0 A4 q8 [" j
jnz SoftICE_Detected
5 n$ F1 @% _ ?
& M6 ~% ]( g6 N. r. z: Q___________________________________________________________________________$ p7 B% }( L8 T* \5 I( y
1 j* T, A/ r. F
Method 02
$ n4 _3 Q& D q/ Z=========
8 L7 k. t* L( h, p9 X- a/ w1 F4 B2 J7 k1 M* h
Still a method very much used (perhaps the most frequent one). It is used9 H; Z _" G4 e1 G8 J
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,) Y& l& k( _/ K! g0 h |/ |# I
or execute SoftICE commands...
9 x- N/ u( Q+ g& I" T6 WIt is also used to crash SoftICE and to force it to execute any commands
& I. S5 m" u& `4 K(HBOOT...) :-(( ( R( h0 ~$ x9 _+ }- C x
7 q Y" L1 [2 ]+ K4 N& h. C- ]
Here is a quick description:
4 B; J |3 }6 x$ v/ V1 {" x' G-AX = 0910h (Display string in SIce windows)* r- y r! Z% i8 K5 _
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)$ v" ^. U8 s4 W2 K
-AX = 0912h (Get breakpoint infos)
) o G1 N# T0 M% H/ f6 V+ S4 h5 W-AX = 0913h (Set Sice breakpoints)
' W& z e" C% i! A4 J/ l-AX = 0914h (Remove SIce breakoints)# x* Z# {" B: q7 {$ L6 b
. P* x' t9 |' e/ @* o1 sEach time you'll meet this trick, you'll see:
! \) `0 t* o/ D$ I-SI = 4647h( J: N: Y5 u% |7 \( Y5 L+ s
-DI = 4A4Dh) D& P" ^3 C* B# ^, u/ e6 G# k
Which are the 'magic values' used by SoftIce.
- @5 D6 z; {8 p. R" Q7 wFor more informations, see "Ralf Brown Interrupt list" chapter int 03h. Q) }" i& ^9 u& `5 w2 L3 {
' o6 b* p& J$ z' ~! Z+ WHere is one example from the file "Haspinst.exe" which is the dongle HASP* u$ d- Z7 N; l4 ?3 U- `0 H
Envelope utility use to protect DOS applications:5 m! o" y( L" i3 Z3 z4 I# [1 R
: {2 N( D! \5 @% J7 ^8 n
6 M/ K! [: i( W0 [7 W! d
4C19:0095 MOV AX,0911 ; execute command.1 Y/ x# M3 A) |) x3 {8 M8 g- u- c1 g
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
5 O% l" r) z0 I% E4C19:009A MOV SI,4647 ; 1st magic value.
) V5 {( N/ b: l, X- H4C19:009D MOV DI,4A4D ; 2nd magic value.
4 L" m) N4 `) _. G% H4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)6 Y3 S ]$ y6 [+ O
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute* ^& A( ~. D) ]- _9 w
4C19:00A4 INC CX
& a$ u# H9 j0 X4C19:00A5 CMP CX,06 ; Repeat 6 times to execute7 Q$ I# Z; `# h: k/ ^
4C19:00A8 JB 0095 ; 6 different commands.
# x7 y' t h2 ]8 Q! I2 N) h8 ?8 d( |4C19:00AA JMP 0002 ; Bad_Guy jmp back.
, h; J9 s) j8 D; \+ J+ j4C19:00AD MOV BX,SP ; Good_Guy go ahead :)& ~2 ]# v# e0 [4 I1 a3 j5 m
i1 c. Z' B" b7 r
The program will execute 6 different SIce commands located at ds:dx, which
2 `8 b* i' R2 u& V7 Z, Iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ p% I2 u5 h0 {# X, J* z4 n
) S8 f% V4 \ ^% O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded." A3 g% ]5 ] j0 T' p( t% P
___________________________________________________________________________
8 k5 O! k0 }/ a9 G2 w5 Y/ ?0 E- {2 Q9 H5 _ X
/ E4 p) T+ a: x5 t R. P9 L1 R" E
Method 03
' v& \+ Z% z. s4 ?========= F' `0 G2 I7 L8 J, [, M& O
* N6 q# t8 t7 l8 P9 g- w
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 P9 q6 n" w# J+ C1 k(API Get entry point)0 v+ o" r- L2 |( X5 K- T
" M3 `5 g' a3 A+ Z- \1 K# E4 P# F
# k/ E) M5 d! B2 e9 q xor di,di
3 k' N& }; s- g mov es,di
/ F5 \4 x$ n5 Q: n mov ax, 1684h $ V6 \% P7 k, r: U: \1 T: u: X
mov bx, 0202h ; VxD ID of winice
9 M. |+ H$ G6 k! F int 2Fh
- e- l' ]0 N- k% m7 C mov ax, es ; ES:DI -> VxD API entry point% h) s8 _# ~& _8 V) g- R' k+ k0 x
add ax, di2 B) c- U! p# [2 b: C1 {
test ax,ax' c: r0 N3 i, B" k$ T: z
jnz SoftICE_Detected" I+ O- j& | h6 q( h! s0 y
' U: l5 j# O% `
___________________________________________________________________________
3 r+ X2 [4 r6 [2 @1 s2 Q3 j$ v
: h0 R n, ~0 |. ZMethod 04
. O4 S# z- f% k* L=========
/ ?# u. s$ b, Z6 Z# H* o
' D3 p% k/ z R! nMethod identical to the preceding one except that it seeks the ID of SoftICE
: j ~( y+ n7 E6 K6 VGFX VxD.# v( ]% a0 }8 [! ~4 F H
( J3 t E5 e, n# c5 r* p9 J
xor di,di
& O, j7 G a* c b3 e mov es,di
+ L+ u$ l$ \2 X2 b8 b8 t mov ax, 1684h
6 v, l/ ~9 S% U' {. J- j! ?' D3 | mov bx, 7a5Fh ; VxD ID of SIWVID+ D; a: r+ X, _& Q
int 2fh& U" @, K/ c+ g: P' J
mov ax, es ; ES:DI -> VxD API entry point' d# ]% y1 ?6 Y- @
add ax, di& r1 s) n# j# }& @( K. {
test ax,ax2 ^6 ~8 g9 ^; \2 a7 Y" A& y
jnz SoftICE_Detected
% I3 ]; R. R! [4 L/ u. y4 A# U6 M# ^
__________________________________________________________________________/ i2 G" C8 @$ u. o4 P
, t, a3 _6 j( y3 F) b" h
; C, _5 |+ N L$ _& tMethod 05
' C3 H4 E, Z- ~; q- w" t=========
$ j8 V9 u6 r% B8 g" u4 G! _0 B8 j8 T9 i; H! v+ J4 d+ O/ K" v
Method seeking the 'magic number' 0F386h returned (in ax) by all system& x- s' y2 A m6 {
debugger. It calls the int 41h, function 4Fh.
! j3 X" f' {8 _ e8 b2 T% NThere are several alternatives.
; p w* T9 S0 C7 }9 H+ S: {6 E/ `. b' g5 R
The following one is the simplest:
0 H$ h7 p, Z) i
9 K+ u. H E$ G+ t mov ax,4fh
* a# X0 v8 g0 ` int 41h
+ G+ H/ L" P, w- w' ^- a cmp ax, 0F386; U6 J2 ^2 _/ k
jz SoftICE_detected( S* D9 @/ `' Y. h
) ]0 A5 J1 p1 m+ J& D# a! H
$ i* n; i+ }9 ?6 g4 M
Next method as well as the following one are 2 examples from Stone's
$ E8 f7 K9 J# L8 J"stn-wid.zip" (www.cracking.net):: O- j, l9 _; @& Y$ }
" [" e/ Y ?6 x* l1 ^* u6 N mov bx, cs
) q3 J; K$ r+ ]5 I0 e lea dx, int41handler2
q5 _5 D3 W$ m) _ xchg dx, es:[41h*4]
0 D! s) b& x) G0 {" M# r xchg bx, es:[41h*4+2]
. S6 a6 O1 E- D% p mov ax,4fh
6 ^8 p8 Y$ L. R7 r: k int 41h. F8 ]( Y0 b N- d- `" f! o3 r
xchg dx, es:[41h*4]: B5 C0 s& g3 D- g; k8 L1 X% s
xchg bx, es:[41h*4+2]
2 E5 c" b0 B9 V6 M* }9 c cmp ax, 0f386h
7 p( I- j. q( z* ~ jz SoftICE_detected
q0 J$ i( _! ?, ?. e# d
5 P* ]1 I8 B9 J5 [8 @# cint41handler2 PROC8 q3 ~5 d/ ^, ?1 h5 K
iret
! B5 O* ?( N* Dint41handler2 ENDP7 c, l4 y# m/ |) ~* I, e" K8 a
$ W% v5 s2 }1 z' U+ v' a4 c
5 r( X3 M2 @. S' F: Z$ z, p! i: R
_________________________________________________________________________
% ]! O1 R, T: I7 J
, o- W2 \, L* ?
: i$ Q( \. ?- i$ PMethod 068 h" E0 t( s, J* W- y f
=========: X: Y+ E& a) r3 c
% l2 g2 L9 S! r2 J9 r5 u u) t1 @4 | o1 y
; P/ s/ L$ {" W9 b8 d% s% \2nd method similar to the preceding one but more difficult to detect:) P6 R& f' Q0 X
) v) t$ p7 }; I6 a# n) D5 z: e! B1 o7 _- X
int41handler PROC7 N9 I' j* Z* U: e2 e0 P6 q0 h) j
mov cl,al$ v; ]3 i/ [* |
iret
: {" y3 A+ R& ~0 Wint41handler ENDP2 D% C0 _' P) }1 g% P A$ F
, i2 |$ N! C. f# E+ R# h6 p/ @7 K9 G B
xor ax,ax! ~% ]* i1 Y+ x- o* l* v
mov es,ax- e6 R! P; w2 w# F! B/ G% `% U' Z1 @/ ?
mov bx, cs
3 j3 G$ a+ c% P# ?( T, B2 b lea dx, int41handler
. {4 ]9 Y: D, a xchg dx, es:[41h*4]
: f+ M$ E) z3 Z( G! [ xchg bx, es:[41h*4+2]
9 |5 ^% ^7 v! h7 o$ q) M in al, 40h
% Q ^% V) T6 F8 \# }' M xor cx,cx E# k! p: Y" A% C- _; K
int 41h
) Y* P+ b, n6 v0 b) u; l xchg dx, es:[41h*4]
( `- Y. F' _' W7 I xchg bx, es:[41h*4+2]5 o1 T3 o, r5 L2 A5 k
cmp cl,al
$ n; c3 c9 `- \& d% c" O jnz SoftICE_detected
* M g; B5 s1 ~4 `& j8 v s6 u, u" h& s/ y' N1 ?1 m1 Y: G% V- ~
_________________________________________________________________________
" Y4 A* o6 L8 ]4 u* l: F7 L
0 r! ]" K4 ?. g N8 u- G6 lMethod 07& z: I" A/ j+ Z! D+ g. L# |3 }, B% X
=========
+ d. N# l* q6 l* }" S
, B) O5 Y: \" G) OMethod of detection of the WinICE handler in the int68h (V86)5 v: r! M+ A2 k! E; R
$ \1 W4 j; r: c2 F; z
mov ah,43h
, I1 u' B- s; s" t4 v int 68h
/ N- g$ |, `! l5 H cmp ax,0F386h) p- e3 }: h- {. h6 X' D0 R
jz SoftICE_Detected
' R4 r1 m# ?* g1 |& i% C
5 H4 y6 a" F+ n+ f) m5 T1 }2 ~& O- `9 Q& _8 a1 b) n) _5 B# I
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 _5 H6 x8 f9 c$ a; X5 U app like this:
$ m; F% Y1 O5 h2 K3 W7 g8 T% r9 |9 ]8 C* ^
BPX exec_int if ax==68
( d; t5 T# o3 m1 Z) p% q (function called is located at byte ptr [ebp+1Dh] and client eip is6 s4 ~% I/ {8 l- L- b4 A* s2 P! w
located at [ebp+48h] for 32Bit apps). m9 x( z) a; k2 h: d0 ]7 w- r
__________________________________________________________________________
7 x; v# A' h" d
3 D0 U2 H' o. Q; g& o2 _6 a# N7 R. S4 L5 Y1 i
Method 08
+ Z w2 o) o( W/ q1 T=========) ~' M" {! P. t
% |& @4 R- T/ `- Z& F
It is not a method of detection of SoftICE but a possibility to crash the
8 s1 w, o9 i3 e$ p( ssystem by intercepting int 01h and int 03h and redirecting them to another
" { N, p9 e# C5 s7 Y0 _- e7 [routine.1 ^# Q% y& K: a. [" \/ E
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points6 |; P( ` R0 i: I( t' K3 P
to the new routine to execute (hangs computer...)/ R/ [3 p' b& Y; B$ U5 K
( B- R! n' R/ O& J" x7 U$ [
mov ah, 25h
- k) n9 n% B. I6 C mov al, Int_Number (01h or 03h)+ f8 G+ ^6 k c+ ~% }6 n
mov dx, offset New_Int_Routine' G' |8 y9 F: e5 c5 ?3 }
int 21h
g _( m) S: U' h( h; p
% q3 H3 Y" O& u% g3 X! o__________________________________________________________________________; N0 d+ p! z2 q4 G
~2 u( M4 C0 l4 I: {- XMethod 09
2 i4 T9 B& P# H=========
( o o# A: K, |, Y0 E7 U1 G& B, d) {* j& M$ \/ ~0 E
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
$ \& d/ I2 ` h9 N2 {performed in ring0 (VxD or a ring3 app using the VxdCall).
: P$ p6 H2 d( }3 GThe Get_DDB service is used to determine whether or not a VxD is installed
0 o7 F% U5 N4 _5 r3 \ n6 Sfor the specified device and returns a Device Description Block (in ecx) for
1 t/ S. y# t3 [that device if it is installed.
( L5 k3 M2 q8 L1 h9 W- ^, k) _ t# f, [2 X# l, `' D1 o s
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 `. F/ I! K' {/ \7 \7 Y$ m mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)! P. T9 `# o- E! @, i$ o
VMMCall Get_DDB. v! \, f" |$ a* u& W( \ ~
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ T2 ]4 |1 \' G! ` @" S
5 F ^- ~+ Q: o# wNote as well that you can easily detect this method with SoftICE:8 k# A2 r' L! L, j! f+ Y* |
bpx Get_DDB if ax==0202 || ax==7a5fh* z5 A8 c6 N" |* ~( y
) K. g5 v; H4 n
__________________________________________________________________________
) p u7 w3 k6 S- K& R% k
: A8 _) @# A$ h; lMethod 10$ z0 j5 H) P( O! [
=========" C. X' m7 t# y- Y$ |( Q0 q2 u# [
) d' O5 h4 y) T3 s# O( r5 h=>Disable or clear breakpoints before using this feature. DO NOT trace with( d3 @: a- L7 z0 M; ^
SoftICE while the option is enable!!/ @2 x; [/ ^3 h
/ M4 U0 d: D2 x, m+ W
This trick is very efficient:3 e$ r1 Q* ?# x! J" @
by checking the Debug Registers, you can detect if SoftICE is loaded( ]7 {/ m7 y( f8 n- U: `( o% R) E
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 F8 I& C D. z( f4 ?
there are some memory breakpoints set (dr0 to dr3) simply by reading their i4 ?( b: ?, N5 q
value (in ring0 only). Values can be manipulated and or changed as well9 }9 l+ I3 V$ w" D
(clearing BPMs for instance), l7 h4 G) Q. ?
- }0 ~% p6 U$ m, q L3 a8 u__________________________________________________________________________
) s! w% A, i' t2 t0 i. I, m* Z8 u9 X5 }' \
Method 11
" X$ B+ B& S: `( }=========
' c* F5 ?: g' d6 T3 h" w0 h3 v; r
3 n3 b. V4 ^+ Y+ f2 X3 B! ]This method is most known as 'MeltICE' because it has been freely distributed
( ~4 r4 Q- K; D% X) c+ M2 h9 rvia www.winfiles.com. However it was first used by NuMega people to allow
" I. a6 E) s% P) ?' ~- R8 @Symbol Loader to check if SoftICE was active or not (the code is located
5 B( _7 G2 H( I3 p- {( minside nmtrans.dll).
5 o! n% s/ E! ]8 Y5 T# B* l* z- `* @
The way it works is very simple:
, j( B0 Z; E1 n' [7 p4 z6 R/ PIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
U% ]( N" x! J$ ^7 D; |WinNT) with the CreateFileA API.
5 |/ m) `$ w/ i. N! Q2 J. Z! E+ { U0 d9 i9 `
Here is a sample (checking for 'SICE'):4 l o; n% _# G: u* g
: h# G6 x. d7 u# w: d0 ~7 VBOOL IsSoftIce95Loaded(), I V7 O' @; G
{
8 e% x9 V; R1 N# s9 ^ HANDLE hFile; ( }4 Q) Q1 X/ y+ z
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- @% y. h! D$ z FILE_SHARE_READ | FILE_SHARE_WRITE,1 E0 h. L% N+ N( D. j
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);9 i# ?& l! q% i/ `7 s' J
if( hFile != INVALID_HANDLE_VALUE ). l# M: z8 U9 G0 H3 `9 W3 x
{- E1 V/ r* h; {1 N1 q% Z# e4 l; E
CloseHandle(hFile);
- _* U/ u( z3 l. B9 D, y return TRUE;* i8 r& O6 \! [+ S
}7 u- {/ E) I% e Y6 s" f
return FALSE;
, w* R* V9 L$ Z0 m% \6 E% G}
6 P/ K5 |# u7 v
5 C; j' \' |, `' h3 E/ D1 nAlthough this trick calls the CreateFileA function, don't even expect to be
8 z9 C0 j" F- v$ l: M) W7 u4 z+ }able to intercept it by installing a IFS hook: it will not work, no way!% y8 `* }; w: V
In fact, after the call to CreateFileA it will get through VWIN32 0x001F, L: f9 j7 h0 B- `, Q+ e+ |4 P3 K4 I
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function); K4 d( x- X# w/ j, a: B
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! j/ v& K L% ^. c7 J
field." d# r1 _" p" k Q/ D. E9 P6 {
In fact, its purpose is not to load/unload VxDs but only to send a ! z/ s- ~8 j0 ^8 G; \
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)3 ]) d% p5 @8 Y/ ]; c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
8 \ g$ A; n4 O, ?! J" p# ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).7 j: P; L* f8 m$ x
If the VxD is loaded, it will always clear eax and the Carry flag to allow7 g0 g4 ~% G4 ~5 r# f8 Z& E5 ^) j
its handle to be opened and then, will be detected.
0 X. C }: d* c6 @You can check that simply by hooking Winice.exe control proc entry point9 G3 [+ C6 m: _3 F& p3 C7 P
while running MeltICE.
& i% k' O6 |- o( P! R- _" K% [9 r; L5 _: N8 u" \
g1 x( _; |8 }: n$ [0 R' E
00401067: push 00402025 ; \\.\SICE5 n' a4 C# L4 ]
0040106C: call CreateFileA7 t% O% E$ |( R! D
00401071: cmp eax,-001& e" k$ \/ H0 p. _
00401074: je 00401091
8 @2 k4 l" X! b# P6 H2 L" A8 ~ r+ T8 m& d z& t
5 b. r+ J E9 _. U$ \There could be hundreds of BPX you could use to detect this trick.
3 n9 s" U$ a; E" z, O-The most classical one is:' o2 W1 c5 n: ^8 N$ _: Z
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
7 q* u# @! X3 n; o: W *(esp->4+4)=='NTIC'- l' q0 i0 q* X6 b# E3 ^
7 d$ Y [. r# S
-The most exotic ones (could be very slooooow :-( u: \+ @3 w5 F6 m2 z
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ' S# ^! `& V( M7 l+ T& U, D, T
;will break 3 times :-(6 Z; `# v4 Y' D; W
& ~) H/ F: F" q5 u0 k
-or (a bit) faster: 5 L: K2 d7 J; h J
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
{; |$ C1 X& D" u
5 ^! w1 E6 [) T: T: I5 b1 M BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 2 O6 z$ q4 c) R) f: q' [4 F
;will break 3 times :-(
9 V8 k" C; E* G) |4 I K5 b+ V- I, T$ F6 ]/ f; _& b
-Much faster:7 d2 A0 \+ K$ w: ~. W
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'. ]- o2 A# C' e
9 l% y' `& W# N1 h" J3 r, Z+ RNote also that some programs (like AZPR3.00) use de old 16-bit _lopen' v& y7 o, D" W5 K9 q7 S! s6 N( y L
function to do the same job:" e6 z# p7 p0 }+ \. W! w
! p* _, M0 w$ x c4 w: R
push 00 ; OF_READ7 |$ Q9 ~' L3 x+ g, L9 Y
mov eax,[00656634] ; '\\.\SICE',0
* c& Z# U+ c. c& ? push eax
) ^; A% l' ^) A+ s0 ?% w call KERNEL32!_lopen! M; n) P3 t6 C0 z& c# y1 f
inc eax
( |8 T1 M( ^$ }' O jnz 00650589 ; detected @/ P) h, f* Q4 r8 s* F3 \
push 00 ; OF_READ- v* Y; U! M# o. U: ~$ _; l b6 a
mov eax,[00656638] ; '\\.\SICE'
% p# U+ r( \* A5 T; {9 K push eax* X' |9 ^6 c5 b# [% y4 j" C
call KERNEL32!_lopen
x4 O0 B$ a& Y7 ^ inc eax! r6 f8 g. {0 V2 ^2 S* w8 b% L4 j
jz 006505ae ; not detected
2 | b6 l6 N( O& U2 R
# S' x) p1 ?6 J3 V, P( C: r) g/ d- K" Q; m
__________________________________________________________________________. `1 `. A: N/ N+ F; ?& @
5 Z* a/ i& e, A6 c' X) C& E+ k
Method 12
. H8 O9 w: H- p' p) t! V=========
" h$ N% W, L. O _2 j$ H
) G- I y U3 v; @/ D4 F' DThis trick is similar to int41h/4fh Debugger installation check (code 05) |: Z* x% _& {( n; [4 K& I
& 06) but very limited because it's only available for Win95/98 (not NT)
$ [/ g7 g' h" n1 I1 Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.' R5 v; @9 D b$ s8 A
3 B& l7 p$ J! n push 0000004fh ; function 4fh
/ x4 d9 G8 r5 s9 s8 @ push 002a002ah ; high word specifies which VxD (VWIN32), B1 Y/ U2 Z! u6 G0 N, N
; low word specifies which service
( {* |! e6 R2 _3 k1 N* r+ d3 X (VWIN32_Int41Dispatch)
, z5 x6 {. L- v1 A1 [& i @ call Kernel32!ORD_001 ; VxdCall- J( h4 N1 m1 A O3 u
cmp ax, 0f386h ; magic number returned by system debuggers p- W7 t' V1 j" o; f s7 X
jz SoftICE_detected, b' _# \# }2 Q8 f4 ~
% J8 D( H. U0 z! i' Y6 F
Here again, several ways to detect it:
* v3 t% I+ P) u7 x6 V
! l \& K$ }) b6 S3 k* I: s1 D! Z. | BPINT 41 if ax==4f
6 l5 d9 A9 ~4 G! _
$ W8 [. Y* x2 [" W BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
7 O0 y& x3 u o% H. B9 s, N. I! P5 z- D$ _ b
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A+ o! L+ A5 p {) T7 Z, x. D6 F
7 R; r6 c4 k" A! Z% z9 n BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!0 W: |" U8 ~8 T; Q3 c T
3 K; y# T7 {1 s8 H1 f__________________________________________________________________________
* [+ v) \; V% H* J$ G9 z$ \ p; z% u" t0 l$ ]2 M0 K+ e: s) O
Method 13" D) e- `. Y3 `6 x9 U
=========. K1 K$ w8 K. }. w/ i* C
1 L" U4 a6 t1 E4 r: H
Not a real method of detection, but a good way to know if SoftICE is8 Y& K. D6 e2 }5 J- B
installed on a computer and to locate its installation directory.3 y( C( k; x. ?/ m* E
It is used by few softs which access the following registry keys (usually #2) :! d" r# V1 P. g; {
) c% q1 Z. w! l+ r9 ?% S+ B-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: G2 a3 [) L7 L\Uninstall\SoftICE$ M. S- a9 l5 }4 j* P3 h
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! e+ }9 I& J/ [! l8 V-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 c0 ]9 _* [$ }1 [/ s, F0 ^! F0 o
\App Paths\Loader32.Exe* y9 y+ @7 A8 g: S+ z
* A: N$ [& B, N' @8 W' V$ Y
# B4 j3 A; ?5 N% mNote that some nasty apps could then erase all files from SoftICE directory) X% G. ]9 k3 ]! T- \7 k% i, r
(I faced that once :-(0 U/ M# I7 U- s3 y" I7 [" t( g
1 W9 K3 m k0 N
Useful breakpoint to detect it:
# G9 q4 }6 @, {+ w8 ]7 [4 k7 L4 n4 `0 W8 U* K2 p% S9 k
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
% P, O2 U$ J9 P' U7 m; ^4 T! e. j3 V) D' ]7 x0 @) m* ^% i2 M( L) o8 [
__________________________________________________________________________
+ ~( |' `2 M3 _) W3 d3 p! B% k' Y0 @, H# R( s
; g! j' w2 O: pMethod 14
' H. h T3 k0 [6 A- ~! s=========
+ [6 r7 m- g& `9 q, x9 I# E0 D- m$ P; I' U+ r: u& D5 F0 V6 }
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, s* q" E7 @5 d6 R# Uis to determines whether a debugger is running on your system (ring0 only).
% e% ^. I% {9 X e3 R" L8 H( \+ @' B- F% Y6 h, V! ~
VMMCall Test_Debug_Installed5 Z) g7 P4 P+ h8 V2 G) k% x
je not_installed
" I K8 m% T9 ?# W% G! ^3 W1 o) m+ k, Z% \6 @
This service just checks a flag.' \2 z- t, K; X+ n$ k8 y7 i
</PRE></TD></TR></TBODY></TABLE> |