<TABLE width=500>$ \+ Q* h2 G7 Z' J" [4 R9 o
<TBODY>7 ^; G7 @' g% u9 @" ]
<TR>4 C. b1 C: L0 R- z; |2 _# z. C
<TD><PRE>Method 01
4 C; |8 L2 {" u. g& A=========- L u# ]& |. Z
6 H3 p/ ]! @, `+ y$ ^6 G
This method of detection of SoftICE (as well as the following one) is4 m& w& g8 x5 B a- b; _" A( z' {+ O9 V
used by the majority of packers/encryptors found on Internet.
" U# M) M# q5 O8 R9 O2 d0 S/ qIt seeks the signature of BoundsChecker in SoftICE9 L7 {, u0 c% C- k" M; s+ Z! p
* m0 z4 C. ^7 X1 a
mov ebp, 04243484Bh ; 'BCHK'2 u# S% ^# T2 a* R( X* g6 W8 m
mov ax, 04h& M* m9 ~2 [9 u
int 3
, E+ o+ C" P0 D: z ] cmp al,4" k2 G% |' h% P, ]' G& U
jnz SoftICE_Detected4 B+ `4 y; a( [ @+ P
" ^! w0 D5 x) Q8 q
___________________________________________________________________________
9 K$ t5 P4 M' c% |
! W7 n& v0 b6 Z. c. @! @2 E0 a& sMethod 02
: x$ T0 S% _7 F0 A/ @=========4 ]$ p2 s, _ f+ D
) K8 T# w, z6 B4 ~9 YStill a method very much used (perhaps the most frequent one). It is used
8 \, t- T6 y. o# \% ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' M7 y. C$ T" g) m* U
or execute SoftICE commands...1 B3 D" U& R0 ^
It is also used to crash SoftICE and to force it to execute any commands+ O8 Q2 ~$ M E9 p
(HBOOT...) :-(( * V ^% p6 J0 S
1 d' G9 |' n1 C/ iHere is a quick description:
: |: M) K# O: L' [$ ~( H3 {-AX = 0910h (Display string in SIce windows)/ L( D: \* a9 F; W+ t
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)% l7 K5 N' E% }
-AX = 0912h (Get breakpoint infos)$ C9 B' \! M, q! v* ]
-AX = 0913h (Set Sice breakpoints)% X8 ~0 d8 z6 t6 y
-AX = 0914h (Remove SIce breakoints)- O& l( r' P$ n7 f4 f
6 x# ?$ I, w' O% [; N9 {2 j- r
Each time you'll meet this trick, you'll see:
3 M0 q$ n; P: q& h-SI = 4647h3 m9 h7 l3 V7 B" Z# s9 S, t
-DI = 4A4Dh* V/ @, V1 k a8 {, u9 q( O
Which are the 'magic values' used by SoftIce.' e$ r* T4 t5 d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 v, f! G3 ^8 I$ }
9 I2 i( u3 z; D! A9 D4 b
Here is one example from the file "Haspinst.exe" which is the dongle HASP3 Y$ [: O1 }4 Z( c& [3 d
Envelope utility use to protect DOS applications:
# t9 G( U: v% Y: S) z6 ]
9 q9 e4 ]9 @! {& c4 H _# F5 y P8 ?/ |5 [
4C19:0095 MOV AX,0911 ; execute command.9 L9 T* q, j- ^( i) j n3 n
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
5 o; g+ b- Q; ~+ \+ Q4C19:009A MOV SI,4647 ; 1st magic value.
5 q8 h- x! F9 U4C19:009D MOV DI,4A4D ; 2nd magic value.
& V/ W. R& U/ }, v, R& n! t4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*), ]6 W' I0 f) t6 }
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
: T) r1 i5 |0 ~- B! ?8 L; c( F4 X4C19:00A4 INC CX
' X- p. M+ W; [% H; V9 n4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
" m1 O, l* }" R8 ]4C19:00A8 JB 0095 ; 6 different commands.
# c4 Y7 B( ^ h. T, B4C19:00AA JMP 0002 ; Bad_Guy jmp back.
, P6 k+ e% x' s1 S& ]0 E4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
! d% O1 U5 R0 G3 N" J$ S+ Y c8 x1 U" W
The program will execute 6 different SIce commands located at ds:dx, which
9 M( C- q9 F, P. b! |2 Vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 c, H; ?! U1 _* Z% k
4 f' P3 J5 v# ^* F4 I* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; b. L6 f. U, x* r7 B8 x7 @___________________________________________________________________________. }, z9 Z; @7 t3 \; e
3 ~/ P$ C7 R% Z7 C( A1 H* {( A; B& S" I
Method 039 a3 K2 z8 A9 }" i' @ j2 O; f
=========
7 `* {, h; h- `8 r4 S9 c- w
+ F* Q3 Z0 j* {- M0 m9 B( xLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h9 d$ w' p4 @4 o+ G. M8 A1 S7 t+ l
(API Get entry point)8 U l: ?' m! I. r. Z/ z9 Q/ [
8 \" e+ ]" U+ v7 F& R/ h( ~5 U; L3 _4 ^. N" w( e- N4 O7 d
xor di,di
* a# P# \. Z4 {7 R T, L mov es,di
3 y' |8 y9 s$ Z mov ax, 1684h
- e1 a) v, V) T g$ Y7 w mov bx, 0202h ; VxD ID of winice- ^& \( Z# L& |7 K1 z/ g) a" L
int 2Fh
+ A- G! s$ U ^ mov ax, es ; ES:DI -> VxD API entry point/ M: N$ V" \) I5 f4 s5 m$ m: y
add ax, di! h! s) O! i. n9 D6 r
test ax,ax
3 p: S; g+ `& ^* T+ F: U6 T jnz SoftICE_Detected
$ D f8 j% F% v* ^8 ~, f
. Z: z, z3 V1 r. A9 m1 |1 B: z___________________________________________________________________________5 L! h8 L# X) s% O2 a
) W1 U/ X' t# t$ R0 @
Method 04! U$ J+ p a8 _) D7 {6 n
=========
0 y' r" u( S5 n S0 N: S e
# h: c: w9 T8 I W/ h" Z, ]1 JMethod identical to the preceding one except that it seeks the ID of SoftICE+ ?$ ]8 c G8 F, e6 k
GFX VxD.
) |: `$ ]* _8 t; j4 d/ B5 M0 j( a, Z7 Z+ h( u2 Y" i V8 |
xor di,di8 c. c/ b: S* F7 t7 B3 x5 w
mov es,di- k1 @2 C1 c5 N7 k U- [* {
mov ax, 1684h
4 u! f2 m, D9 z$ s" y- b mov bx, 7a5Fh ; VxD ID of SIWVID7 y! V/ w8 r3 r
int 2fh
: n/ R! p/ O1 H3 t1 r mov ax, es ; ES:DI -> VxD API entry point
7 }' m, Y" s- B8 U, l add ax, di6 x! i1 ]* G3 r' V; V1 e
test ax,ax" X9 n: x; l: M
jnz SoftICE_Detected
: W* @; S3 G2 l2 j5 H0 o
0 ~2 y" F0 T! e1 X; \9 F__________________________________________________________________________0 ?$ }2 s) O2 Q& b
# M" F) O4 q7 @3 \) K) ^2 E* u! e
5 G W2 B, m1 N- [+ R* e3 F$ SMethod 05
- ?; Y# j9 S& ]) {2 H=========0 C* j( T c2 L, ~ L3 e" V
4 _- h- P* E, b6 r% D" }' C- e. OMethod seeking the 'magic number' 0F386h returned (in ax) by all system+ ?6 |9 ]/ O* Q& [: g/ {
debugger. It calls the int 41h, function 4Fh.
4 Z% d* t# k* q5 O. i: `There are several alternatives. / |& O$ L, s1 Q: B$ Y: Z
) d/ e- P) Z# wThe following one is the simplest:
+ i6 H: {( c3 g9 p' ?2 \5 J4 W1 y" T- c
mov ax,4fh
6 ]# O% K3 ]7 | int 41h
0 P/ m) j' Q! | z% z0 m cmp ax, 0F386" F$ ]7 f: T$ V9 t
jz SoftICE_detected
; u, l T& o m+ v- _) C
4 {5 G2 ~, u* m
P2 K1 a1 o8 M% g1 E( ]6 n, Q5 T wNext method as well as the following one are 2 examples from Stone's
Z; w# S: u7 R ], V$ s( A2 y"stn-wid.zip" (www.cracking.net):
. ^7 Z: X, S2 l
" G q5 C+ w' x& `7 d mov bx, cs6 o5 ?9 Q3 T! h/ ^3 I( L
lea dx, int41handler2
: J/ U3 v8 ] s/ e; w3 M1 s1 d xchg dx, es:[41h*4]6 {9 b* c6 k1 v
xchg bx, es:[41h*4+2]* R9 H$ G; J" |
mov ax,4fh
6 ?1 B6 a4 S7 n1 H) d. c. n int 41h
9 U0 E: k: E, z, Y. N3 d xchg dx, es:[41h*4]' @# A- C0 D9 a; p8 A+ s& V6 c0 Y8 \- d
xchg bx, es:[41h*4+2]7 }$ Y% ^# P( F+ S' E
cmp ax, 0f386h
5 o. U# j+ D5 w jz SoftICE_detected6 u" D' ~7 |/ u/ a3 h9 J
6 c8 X) B; A8 k2 ^0 Y2 `int41handler2 PROC
6 d- u9 ~- y1 r9 m. i iret1 E1 Z, ]9 N I! c, U% C8 Y
int41handler2 ENDP+ z B! f5 Z- A+ b6 o% R
4 g/ z @5 _, f& k' a& j8 f0 _
# M1 \ {% l* U& G
_________________________________________________________________________
$ o- a* i. E5 g _" ]. [. d- f( {% Z4 V1 ^* g+ Z3 G) i
$ m6 E& B4 x5 ^% i0 H- K
Method 06
3 b1 B3 Q% p6 N) Y8 x/ l% j=========6 V0 c6 {- Z% _2 h4 G( f
3 H5 ~0 g6 T* z' Y
4 Z$ _/ V) z" _% j) Z! w2nd method similar to the preceding one but more difficult to detect:
5 y1 b! f9 F) w1 ~* k3 K6 C r/ t/ ?7 E, N' [/ T2 Y
H0 G1 m5 L( ^ {1 m6 Rint41handler PROC
. |# d+ ]- ?) S1 a; ]( N# [1 I mov cl,al! U7 f, `& b( @9 Y# x
iret
) J6 I% M- m7 _- B) I X3 x: F! aint41handler ENDP
: Z o& ?& Z9 X1 X/ P" s$ @
1 P" Z# [- B, _/ l. y9 H' K0 ^4 d: V: A8 |1 c
xor ax,ax
* M: @; s) B" L1 ~- m {; c1 v mov es,ax/ J3 N) S+ t8 s- Y ]" a
mov bx, cs9 | H7 t& n9 u. h! r x
lea dx, int41handler0 F6 Q V) i7 n0 P' b2 H" A* D' i
xchg dx, es:[41h*4], Y) r2 }. L4 V
xchg bx, es:[41h*4+2]7 `. h7 Y. Z9 {9 J. e J
in al, 40h& Y' A+ n0 a# H, y% g* [" t
xor cx,cx6 K, I1 L$ k8 F! U
int 41h
* R% u5 r1 F0 R! @: M* K6 u; v xchg dx, es:[41h*4]
7 W1 J5 y' }# S* ` xchg bx, es:[41h*4+2]$ ^/ X) C5 I M8 b8 K7 e
cmp cl,al
* ?4 r( Y: h9 G7 j3 |8 [ jnz SoftICE_detected
5 ^' s, _" \- Z0 {. R ]* f! i, j1 x- A1 x
_________________________________________________________________________
( e! B6 E3 _* E' E7 ?0 h# p0 {. ^; p
Method 07" M" A: N& A3 @! K
=========3 m; i3 a8 y( i; u! _* R
1 U1 t% H: c: }
Method of detection of the WinICE handler in the int68h (V86)
2 j& V0 m& |4 T9 O# K7 R* r% B- _( D" F" ^, `3 B$ w5 U. T
mov ah,43h% L; ]% B& J& w' }4 Q
int 68h/ A# w. c: |% E: B0 G
cmp ax,0F386h4 i; l# U6 u: Y/ ]# h9 \
jz SoftICE_Detected
( E- g% O4 M2 [5 S) a- z, A* \# j
# E/ _2 T% I* d! V+ T- @0 h5 N# e3 O
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( j' I1 i! Z: y' K9 h+ e6 O" t
app like this:
g8 P9 l& r/ V
( T- X+ c, G+ s& E9 r BPX exec_int if ax==68
5 T4 Y9 X3 F1 J K G/ @ (function called is located at byte ptr [ebp+1Dh] and client eip is
. D0 q) s! T& J4 m" j! v located at [ebp+48h] for 32Bit apps)! c) k% i1 \1 v g; D
__________________________________________________________________________
9 K" b$ u2 \. ?# o( q+ \* o1 \5 p% o$ @( r2 U
- W% B8 V5 X3 U3 j' h" U
Method 08: V: U6 M# _' N
=========
% T H+ E: {$ j& f1 \8 M8 }) |. X$ p
It is not a method of detection of SoftICE but a possibility to crash the
8 d" b7 J9 J1 f& r$ f8 d. S9 Csystem by intercepting int 01h and int 03h and redirecting them to another# K& K" ]/ d- \% X! I K
routine.
; h! a3 G ?; ~) WIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: y3 J. M7 j# R* c9 xto the new routine to execute (hangs computer...)) a7 o- P: _0 {% ~) |
' {9 b7 X% f9 d M0 N' p, o
mov ah, 25h6 U* M- A% M- ? Y1 r1 x
mov al, Int_Number (01h or 03h)
( ^8 n/ r3 K1 _, ^8 t& i, j mov dx, offset New_Int_Routine' I1 r5 U, d- F, N" {: @ u
int 21h
" `$ l" U2 X, J& z( f& Y! g- @5 E3 z6 ^7 ^- g0 f
__________________________________________________________________________$ @1 q9 g6 P6 S* Z
4 V7 ?5 t# r8 f, N$ z" z9 T) c
Method 09
6 g7 Q& U r8 W) X6 ?8 B# [( x=========
7 \8 {: S7 `7 T, l6 i5 q+ P7 V) y1 m4 c1 g- `
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only7 e. `# t+ P* y9 S3 y
performed in ring0 (VxD or a ring3 app using the VxdCall).$ Q& f2 A9 a. w t
The Get_DDB service is used to determine whether or not a VxD is installed. ?; J( M3 U, k5 ~' b: u7 I
for the specified device and returns a Device Description Block (in ecx) for
! D/ N: f/ l* ]4 P% m- Kthat device if it is installed.
1 c) t8 n3 [4 \" R1 X
' x/ c3 |) W4 Z- a- F, T( T mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID0 u6 l9 }. L& O
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ x6 Q) `% \. @5 @ R VMMCall Get_DDB
: e. o: Q3 G' { mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed2 j6 ~2 U: w3 ~
3 m a: N3 [- q* c' X7 k! L* f5 rNote as well that you can easily detect this method with SoftICE:
2 _9 r" X7 p! i% Q/ W bpx Get_DDB if ax==0202 || ax==7a5fh
% |; P: |$ V" v. C Q$ V f* d+ j' \* h7 g) \
__________________________________________________________________________
7 |/ L" d, u$ o! `
+ H! s! g8 ~9 Y% o$ s/ HMethod 10
! A8 ]8 L; P: b- O/ j% I; y=========
! v6 C% ?6 Z5 {* B& z2 V9 Y" P9 c9 a, ]8 V$ h% ]# n h4 @5 s2 r
=>Disable or clear breakpoints before using this feature. DO NOT trace with
. o+ D, } ~6 G. `3 \ SoftICE while the option is enable!!. a( F* J- k, E
* q5 k3 Q2 k3 ]7 I \6 d( c2 @This trick is very efficient:
! O7 J+ q1 G2 @ kby checking the Debug Registers, you can detect if SoftICE is loaded& ^& o( W) o( A5 C8 J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( Y( O* ~! T! r; othere are some memory breakpoints set (dr0 to dr3) simply by reading their3 H2 b5 f) {$ x
value (in ring0 only). Values can be manipulated and or changed as well
" V+ l2 N. U9 a2 K: f7 t2 N9 x' `/ d(clearing BPMs for instance)
; W. s$ B: I% b$ r# r; b% a
4 g( Y* m z' A$ r: m }# n; J4 B__________________________________________________________________________
/ ?4 t8 z$ t" @7 g; W7 a. H3 q, Y& G& M s& u
Method 11
4 a m4 ? O* O9 X: j! H=========
B) W( a4 k" R% p* \7 k6 e5 W, O( E+ C' v* {
This method is most known as 'MeltICE' because it has been freely distributed+ ~* S5 I& k0 O& L8 w
via www.winfiles.com. However it was first used by NuMega people to allow
4 j8 A' n/ \0 P( D& XSymbol Loader to check if SoftICE was active or not (the code is located0 t& w1 j. M8 R
inside nmtrans.dll).0 K" r0 F0 w" v
& X( _* U: [2 O. N- {/ J: ~
The way it works is very simple:
" L) i; J9 K( A+ u, SIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for1 x' Q% x3 ~. E# I% c' H
WinNT) with the CreateFileA API.
" r5 l; _2 v. G3 |9 N2 }: o& z: Y( V. s* p
Here is a sample (checking for 'SICE'): @) l3 Y7 y6 B' X
2 X! b+ I9 J6 ~, yBOOL IsSoftIce95Loaded()
; h- X+ b% u& b& Z2 x! f{1 D o y0 ?+ k
HANDLE hFile; ; O4 \/ @ g5 T; o! J$ s) p3 b' }
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
. h# C( G3 {. L FILE_SHARE_READ | FILE_SHARE_WRITE,
g) [7 |4 I2 L% n1 r$ v0 q- u NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; o0 `* q B- P$ a2 k8 _( ^
if( hFile != INVALID_HANDLE_VALUE ), g8 N3 _1 m2 z* P9 r
{
- z$ V7 P' H- h- l8 ~ b# U CloseHandle(hFile);
: C3 ]; B; D2 V return TRUE;
/ z) y \5 X2 A/ y" T }' ~9 O9 v: n5 n
return FALSE;) F) c# ^% i, L2 u6 E3 {3 H
}
0 M4 t9 M" |2 v
$ n" D+ t+ h1 O; P6 C. U0 uAlthough this trick calls the CreateFileA function, don't even expect to be! [! I6 y8 ^6 | Q: ]1 H! t
able to intercept it by installing a IFS hook: it will not work, no way!4 O' B( J+ d V1 `) K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ Y$ |4 O1 Q L, e m) u4 o s
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 ]' {: }( `* b* f
and then browse the DDB list until it find the VxD and its DDB_Control_Proc% ^6 v( H( _4 G# O3 Q
field.* ]* G$ q1 p4 Q5 R. f
In fact, its purpose is not to load/unload VxDs but only to send a * _% e0 S( [' l, B, ]
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): P- s+ @3 w$ ^$ o
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
, y8 B0 X. ]5 [& \) u! |/ r5 M8 i5 ] wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
- R% x- s; D, y5 F: XIf the VxD is loaded, it will always clear eax and the Carry flag to allow
' s. |0 X8 t: \ B/ Fits handle to be opened and then, will be detected.
& K4 N4 q" L' J1 @You can check that simply by hooking Winice.exe control proc entry point
/ s/ D" o; t( H7 awhile running MeltICE.% G) r% Y, n/ Y( D2 X4 J
: B1 t1 ]% a& I' p( E, v$ Z; t! d. m9 U& i q' k0 u2 A( }
00401067: push 00402025 ; \\.\SICE) D& k- {7 P: o; R/ T% a
0040106C: call CreateFileA
. H! z: K& j. E; A1 Q! [3 g2 b9 | 00401071: cmp eax,-001 S9 |# @5 D$ c- S5 j4 D$ {
00401074: je 00401091
# i7 N1 Y/ U/ G" N
4 Y1 w6 N9 g" h. k- G( _% |. a
! i/ Z' c9 t- K' l# O9 @There could be hundreds of BPX you could use to detect this trick.4 m: O- Z5 `/ Y- n9 R
-The most classical one is:
. b# W# Y' Q/ W; k. N1 u BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||6 e) ^8 R& w# w; m
*(esp->4+4)=='NTIC'; f( ?# j: ^# @0 g
7 k4 b$ i' Y/ h-The most exotic ones (could be very slooooow :-(7 v! H, D& o8 O% b! Z4 t
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') - M4 m3 q& l0 p% H. Q# R
;will break 3 times :-(, U) x1 L, T( l! K2 {
9 ]) d V* q, H8 K5 R
-or (a bit) faster:
5 R0 Q/ }/ I' D0 S BPINT 30 if (*edi=='SICE' || *edi=='SIWV')/ E& j7 Y- s( ^5 }+ H
) e, D- s" f2 W: B4 \ BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' n* y4 n" o) E: ?: i. ?& t Y
;will break 3 times :-(
* k( H; d1 ^# i h# S/ r6 { j# i- b7 I7 S+ h/ Z
-Much faster:
. k* \1 A$ I7 b BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'+ c+ F3 W/ n* f* B3 U5 q
. P- M t* ]4 ?0 b( l- _$ U* ?. H
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
; r6 `. w9 _" |: M. E( Rfunction to do the same job:
/ q4 V5 t5 W+ o) v0 S/ w
- Y. w) Q; v5 P; m$ Q push 00 ; OF_READ7 t/ S8 B; S1 S/ Y
mov eax,[00656634] ; '\\.\SICE',0
, `4 q0 T$ P6 O8 A push eax; Z Q4 p1 M* Y3 D6 G
call KERNEL32!_lopen& n. r' w3 m1 h+ f/ u
inc eax+ }4 c* p4 Q+ r0 R, z
jnz 00650589 ; detected
6 O. Q$ @2 H/ b, ^* G# j9 w1 B push 00 ; OF_READ
. c3 ^2 d+ o- M# d0 K- F8 e0 r mov eax,[00656638] ; '\\.\SICE'* h4 n0 [9 s0 v: i
push eax# l$ g4 d& W1 f. _
call KERNEL32!_lopen
* u" p, r) v' m& u' h inc eax
: l* c! Y6 H' P1 i jz 006505ae ; not detected
M% ] A( B$ M/ Y
2 O- |5 ]* |4 y: C7 c0 s- {
; \- g8 E% R- Q__________________________________________________________________________
9 Y! C6 Q0 R% W' n0 Y6 g2 k1 t- M6 H2 l$ Q, O; i
Method 12
* L& f: w8 I: M6 w, t ^, O# o# A=========) {8 I4 n% l' E. `( U) B
5 S5 ~2 \' `: z5 p+ o2 C {% CThis trick is similar to int41h/4fh Debugger installation check (code 05" q8 B1 j7 q# E1 w* C2 Z
& 06) but very limited because it's only available for Win95/98 (not NT)" G1 L3 R6 ` \4 u
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.0 I* J9 K& X8 q- E$ H5 {
6 k8 }/ p0 a- I3 ]
push 0000004fh ; function 4fh
; Q" W p, V# X$ B4 v1 b4 `0 S% p push 002a002ah ; high word specifies which VxD (VWIN32)3 f, m0 A p# d+ S
; low word specifies which service
% X1 C" K, s" n" q! I (VWIN32_Int41Dispatch)
8 I! O5 V5 p' T R. S call Kernel32!ORD_001 ; VxdCall
$ y5 E; }8 T4 W" H* h# ~. H cmp ax, 0f386h ; magic number returned by system debuggers
* S! R/ o0 j. E2 o jz SoftICE_detected
& {0 N6 ^3 N# x6 i$ _
( j! U4 L7 l& m* ?1 c3 v' r cHere again, several ways to detect it:
1 B4 n- G ?* ^" ]0 Q( q7 G1 ?% r+ }- X6 s- F( N6 ]
BPINT 41 if ax==4f
3 a+ l4 p/ Z4 I! C& X/ Y
( R. j5 J* _! W9 Q7 @& s7 } BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
/ y8 e. h/ C6 r9 M* L/ @ W q2 G
# m$ X& U9 Y3 z! N c! O! ? BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
8 G) W( }0 m6 t) G- B- Y/ S+ |0 [9 y* z$ P
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
. i. i1 I9 g. M Q. z+ m! m! {+ n" }" K$ q9 I. O$ H- v
__________________________________________________________________________% o9 Y9 L3 G& z" e. W/ o4 w* U
" R" n- T" k5 `4 U2 T5 i% _5 d) }- H
Method 13
/ D; v8 l) |0 k5 b=========. ^ C+ e4 B0 z0 P6 {2 X* g
2 K( Q- p& B8 t+ ]4 e: I4 v. UNot a real method of detection, but a good way to know if SoftICE is: [6 T' _) b/ ~' B o }
installed on a computer and to locate its installation directory.
0 }9 K. g; ]; U/ g/ c0 fIt is used by few softs which access the following registry keys (usually #2) :" L! C/ M+ G6 f7 g3 y. p
- b) s* m. I6 a
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 X4 H" P! O/ y/ }# f8 I* g
\Uninstall\SoftICE1 w8 C$ d W( i6 h" t
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( f7 M5 x: `! P2 x+ C-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 R$ T6 [; i' ^2 B+ f6 x4 C\App Paths\Loader32.Exe
6 W, _) H( r8 V0 ?+ N
6 q, y& X- P* F3 w1 f% f A3 M8 i p/ c2 z; d/ @' Q
Note that some nasty apps could then erase all files from SoftICE directory
: P: I0 A" F. ?(I faced that once :-(
+ _7 I( C. N/ G5 g) g) L8 J7 A4 n) a5 N! i; V0 L
Useful breakpoint to detect it:( c( Z; k' R( }/ v' Q8 p) c
/ T3 s. X' K# K, `# A# m" n
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
+ U( @* n6 U% D6 U3 u( L. A+ i
1 j5 w! I; }4 Q( t# A6 J__________________________________________________________________________# d" I& A8 q) E; x
3 l! F$ Q {1 o; n
& R- V/ N0 d' H+ X" |& iMethod 14 + S+ l( f# V% D" c
=========4 W/ a6 @; A% i" f- J/ n2 V# }8 S
. t* H4 P/ T0 R7 S2 {& W+ [9 LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: R% ?" |- s1 L7 Y: W
is to determines whether a debugger is running on your system (ring0 only).
4 ^( n# k# B7 A6 G2 L/ i, ~3 O
. t* ^! O8 r) H q VMMCall Test_Debug_Installed
0 |* ~# r( W7 T F* G8 E je not_installed
& ` t9 u0 ]+ k
( ^. q3 o0 H+ Y: J- x# U! w" hThis service just checks a flag.
* r! r% k, n% o6 c: r3 \) }3 ?7 w</PRE></TD></TR></TBODY></TABLE> |