<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
4 q. Q7 a& b1 Q- F N W
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0000:0000 -> no VxD answered
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
    xchg bx, es:[41h*4+2]   ; (assumes ES = 0, the IVT segment)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; our iret handler leaves AX untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: an arbitrary value in AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if our handler never ran, CL is still 0
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
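As an added example (not part of the original text), a small Python decoder for DR7 that shows what the 0x700 and 0x400 values quoted above actually encode, and which DR0-DR3 slots a read value says are armed, i.e. what a BPM looks like to a program reading the register. The field layout is taken from the Intel SDM; the sample values in the main block are constructed.

```python
# x86 DR7 layout per the Intel SDM: L0/G0 .. L3/G3 in bits 0-7, LE in bit 8,
# GE in bit 9, bit 10 reserved (always reads as 1), GD in bit 13, then a 4-bit
# R/W+LEN field per breakpoint from bit 16 (R/Wn at 16+4n, LENn at 18+4n).
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 0b10 means 8 bytes only in long mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the list of armed hardware breakpoints."""
    breakpoints = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue  # slot disabled: the CPU ignores its R/W and LEN bits
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        breakpoints.append({"reg": f"dr{i}", "local": local, "global": glob,
                            "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": breakpoints,
    }


def classify(dr7: int) -> str:
    """Map a DR7 value onto the states Method 10 distinguishes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (what a BPM looks like in DR7)"
    if d["le"] and d["ge"]:
        return "0x700 profile: LE and GE set, the value quoted for the SoftICE loader"
    return "0x400 profile: only the reserved bit, no breakpoints, no LE/GE"


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus a DR7 with a local
    # 4-byte read/write breakpoint in slot 1 (L1=1, R/W1=11b, LEN1=11b).
    for value in (0x700, 0x400, 0x00F00404):
        print(f"dr7={value:#010x}: {classify(value)}")
        for bp in decode_dr7(value)["breakpoints"]:
            print("    ", bp)
```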

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        /* the device opened, so the SICE VxD answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
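As an added example that is not from the original text: a Python scanner for the byte patterns of Methods 01, 02, 03/04, 05, 07, 11 and 12 above, the kind of triage check an analyst runs over a packed executable before loading it in a debugger, so the stubs can be found statically instead of with the breakpoints listed per method. The encodings are written out from the listed instructions; SAMPLE is a constructed blob, not a real file.

```python
import re
import sys

# Byte signatures for the SoftICE checks shown in Methods 01-12 above. Each one
# is the encoding of the listed instructions (16-bit for the DOS-era methods,
# 32-bit for the Win32 ones); conditional jumps and anything between unrelated
# instructions are left out so small variations of a stub still match.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    # (the optional 66h prefixes cover both 16-bit and 32-bit code segments)
    "m01_boundschecker_bchk":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: the backdoor magic values, mov si,4647h / mov di,4A4Dh
    "m02_backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    "m03_04_int2f_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h (the cmp ax,0F386h may come later)
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "m11_meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah before VxDCall
    "m12_vxdcall_int41dispatch":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(data: bytes) -> list:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image (not a real file): a 32-bit Method 01 stub, a
# 16-bit Method 03 stub and a MeltICE device name, padded with filler bytes.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 02")  # Method 01
    + b"\x90" * 3
    + bytes.fromhex("B8 84 16 BB 02 02 CD 2F")                    # Method 03 (SICE)
    + b"\x00" * 5
    + b"\\\\.\\NTICE\x00"                                         # Method 11 (NTICE)
    + b"\xCC" * 4
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print(f"{offset:08x}  {name}")
```

A hit only says the stub's bytes are present; confirm it is reachable code (and not, say, data) before concluding the program checks for SoftICE.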

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
; g' P# F8 o! T; {4 s9 }</PRE></TD></TR></TBODY></TABLE> |