<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE services the
INT 3 that BoundsChecker uses to talk to it, recognised by EBP holding the
'BCHK' signature and AX=4, and its handler changes AL. Without SoftICE the
INT 3 returns with AL still equal to 4 (Win32 packers wrap the INT 3 in an
exception handler for that case, as the note under Method 02 shows).

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'back door' interface through INT 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII); the
INT 3 is only treated as a back door call when both are present.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). Windows returns the entry point in ES:DI, and
ES:DI = 0000:0000 when no VxD with that ID is loaded, which is why the code
only has to check that ES+DI is non-zero.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, the video driver).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one as well as the one in Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). In plain DOS the int 41h vector is not
code at all (it points to the fixed-disk parameter table), so the program
first points the vector at its own IRET handler to make the call harmless
when no debugger is present; a system debugger intercepts the interrupt
before the real-mode vector is consulted and still answers with 0F386h:

        xor ax, ax
        mov es, ax              ; ES = 0, the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no 0F386h compare to look for. The program installs an int 41h handler
that copies AL into CL, reads an unpredictable byte from the timer (port
40h) into AL and clears CX before the call. If its own handler ran, CL
equals AL afterwards; if a debugger swallowed the int 41h before the
real-mode vector was reached, CL is still 0 and differs from AL (a read
that happens to return 0 makes the check miss, one chance in 256).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0, the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; changing value from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

5 s# Q# e3 x" w* {. j6 }0 Z ZMethod 077 P3 f4 h/ ^. x+ ~& U/ Y
=========4 v. g% P. Z( }1 a3 J: C: P: b
2 _( [% i% }* o; c/ k& ZMethod of detection of the WinICE handler in the int68h (V86); M6 ^* s3 K5 D! p( u
* P# E) ^) ?; H2 P( }! m mov ah,43h0 D z5 P) L3 R- I; \- L
int 68h
5 j0 C- ?! B2 F3 j cmp ax,0F386h
+ Z2 B9 k8 E) i" P7 |* o3 ? F jz SoftICE_Detected, n% r% J6 K# C. T' p
. j n3 a4 G$ B7 V- L' @
, g0 r B! r1 W E" Q/ L
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: E3 J) y) ^1 F% n& o V app like this:
O. z+ I* f' K3 c4 | i% Z ~4 j2 V+ G: r6 C! l' ]$ M( N U7 t( z
BPX exec_int if ax==68% y( q# @. h/ x: I. \
(function called is located at byte ptr [ebp+1Dh] and client eip is
& l g* D& ~$ |! L! x" G' N* e located at [ebp+48h] for 32Bit apps)
D; X7 ~6 ?! m__________________________________________________________________________
; I5 v# s8 w1 i! o; n1 N5 f" d: u8 g" K* d
B u- Q d5 u% h
Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...). The point is
that int 01h (single-step) and int 03h (breakpoint) are the interrupts a
debugger depends on, so re-vectoring them pulls the ground from under it.

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).
Bit 10 of DR7 always reads as 1, which is where the 0x400 baseline comes
from; 0x700 adds the LE and GE (exact breakpoint) bits, and the L0..L3/G0..G3
enable bits in DR7 together with the addresses in DR0..DR3 reveal BPMs.

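A decoder for the DR7 values quoted above, as an added example that is not part of the original article. It interprets DR7 with the Intel-documented bit layout (L0..G3 in bits 0-7, LE/GE in bits 8-9, reserved bit 10, GD in bit 13, R/W and LEN fields from bit 16 upwards) so that a value read in ring0 or taken from a dump can be turned into the list of armed hardware breakpoints. The loader heuristic is the article's claim (0x700 under the SoftICE loader, 0x400 otherwise), not an Intel rule; the function and field names are this example's own.

```python
"""Decode x86 DR7 into the hardware breakpoints it arms (added example)."""

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # R/Wn field encodings
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}                  # LENn field (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the per-register breakpoint settings of DR7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln: bit 2n
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn: bit 2n+1
        if not (local or glob):
            continue                          # DRn holds nothing that triggers
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: bits 16+4n .. 17+4n
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: bits 18+4n .. 19+4n
        bps.append({
            "reg": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": 1 if rw == 0 else LEN_BYTES[ln],   # execute breakpoints are 1 byte
        })
    return {
        "le": bool(dr7 & 0x100),      # local exact breakpoint enable
        "ge": bool(dr7 & 0x200),      # global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),     # general detect: #DB on any DRn access
        "breakpoints": bps,
    }


def hardware_breakpoints_armed(dr7: int) -> bool:
    """True when any of DR0..DR3 is enabled, i.e. a BPM-style breakpoint exists."""
    return (dr7 & 0xFF) != 0


def looks_like_softice_loader(dr7: int) -> bool:
    """The article's heuristic: LE and GE both set (0x700) under the SoftICE loader.

    Bit 10 reads as 1 on every x86, so 0x400 is the 'nothing set' baseline.
    """
    return (dr7 & 0x300) == 0x300


def build_dr7(reg: int, kind: str, length: int, glob: bool = False) -> int:
    """Assemble the DR7 bits that arm DRn (the inverse of decode_dr7)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * reg + (1 if glob else 0))
    return 0x400 | enable | (rw << (16 + 4 * reg)) | (ln << (18 + 4 * reg))


if __name__ == "__main__":
    # 0x400: idle; 0x700: the loader signature; third: a 4-byte read/write BPM on DR0
    for value in (0x400, 0x700, build_dr7(0, "rw", 4) | 0x700):
        state = "armed" if hardware_breakpoints_armed(value) else "idle"
        print(hex(value), state, decode_dr7(value))
```

The decoder only tells you what DR7 means; reading the register itself still needs ring0, exactly as the text says, and a program that reads it will also see any breakpoint you left armed, hence the warning above.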
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" names the VxD as a device; the open only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips
 the "\\.\" prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

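When you meet a packed binary, the quickest way to know which of these checks it carries is to scan the file for the byte encodings of the sequences quoted in Methods 01 to 08, 11 and 12 before loading it under SoftICE. The scanner below is an added example, written for this page and not taken from the article or from any packer. It assumes 16-bit encodings for the DOS-era checks and 32-bit ones for the Win32 ones (Method 01 and the VxDCall pushes of Method 12), and allows up to 8 bytes of junk between the register set-up and the INT; the SAMPLE buffer is constructed here by hand-assembling the HASP listing of Method 02 plus a few of the other snippets, and is not a real file.

```python
"""Signature scanner for the anti-SoftICE checks quoted above (added example)."""
import re

# Up to 8 bytes may sit between the register set-up and the INT, because
# packers interleave junk or reorder the MOVs. Patterns are bytes regexes.
GAP = rb".{0,8}?"
INT3 = rb"(?:\xcc|\xcd\x03)"                  # short and long forms of INT 3
SIGNATURES = [
    ("M01 int 3 with EBP='BCHK', AX=4 (BoundsChecker interface)",
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42" + GAP + INT3),
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"(?:\xbe\x47\x46" + GAP + rb"\xbf\x4d\x4a|\xbf\x4d\x4a" + GAP
     + rb"\xbe\x47\x46)" + GAP + INT3),
    ("M03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xbb\x02\x02" + GAP + rb"\xcd\x2f"),
    ("M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xbb\x5f\x7a" + GAP + rb"\xcd\x2f"),
    ("M05/06 int 41h function 4Fh",
     rb"\xb8\x4f\x00" + GAP + rb"\xcd\x41"),
    ("M07 int 68h function 43h",
     rb"\xb4\x43" + GAP + rb"\xcd\x68"),
    ("M08 int 21h/25h re-vectoring int 01h or int 03h",
     rb"(?:\xb8[\x01\x03]\x25|\xb4\x25" + GAP + rb"\xb0[\x01\x03])" + GAP
     + rb"\xcd\x21"),
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12 VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"),
    ("compare with the 0F386h debugger magic",
     rb"(?:\x66)?\x3d\x86\xf3"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes):
    """Return every (offset, signature name) hit in data, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


def detected_methods(data: bytes):
    """Return the distinct signature names found, for a one-line verdict."""
    return sorted({name for _, name in scan(data)})


# Constructed sample: the Method 02 listing (4C19:0095..00AD) hand-assembled,
# followed by the Method 03, 05 and 07 checks, a MeltICE string and the
# Method 12 VxDCall pushes. Offsets below are relative to this buffer.
HASP_LOOP = bytes.fromhex(
    "b81109"    # mov ax,0911h
    "8b17"      # mov dx,[bx]
    "be4746"    # mov si,4647h
    "bf4d4a"    # mov di,4a4dh
    "cc"        # int 3
    "83c302"    # add bx,2
    "41"        # inc cx
    "83f906"    # cmp cx,6
    "72eb"      # jb 0095
    "e955ff"    # jmp 0002
    "8bdc"      # mov bx,sp
)
SAMPLE = (
    b"MZ" + b"\x90" * 14                          # 16 bytes of fake header
    + HASP_LOOP                                   # offset 16
    + bytes.fromhex("33ff8ec7b88416bb0202cd2f")   # offset 42: xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    + bytes.fromhex("b84f00cd413d86f3")            # offset 54: mov ax,4Fh / int 41h / cmp ax,0F386h
    + bytes.fromhex("b443cd683d86f3")              # offset 62: mov ah,43h / int 68h / cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                      # offset 70: "\\.\SICE"
    + bytes.fromhex("684f000000682a002a00")        # offset 79: push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on an unpacked or memory-dumped image rather than on the packed file itself: every check here is hidden by the encryption layer until the packer's stub has run, which is also why the BPX and BPINT conditions above remain the way to catch them live.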
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in keys #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag: it returns with the zero flag set when no
debugger is installed, which is what the JE tests.
</PRE></TD></TR></TBODY></TABLE>