<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK' BoundsChecker signature
        mov     ax, 04h
        int     3                       ; SoftICE changes AL when it sees 'BCHK'
        cmp     al, 4
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; stays 0 if no VxD answered
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected
___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our own int 41h handler
        xchg    bx, es:[41h*4+2]        ; (the old vector is saved in bx:dx)
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h              ; our handler leaves ax untouched, so
        jz      SoftICE_detected        ; only a debugger can have answered

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al                  ; our handler copies al into cl
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, save the old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; unpredictable value from the timer port
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; cl == al only if our handler ran
        jnz     SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push    00402025        ; \\.\SICE
    0040106C:  call    CreateFileA
    00401071:  cmp     eax,-001
    00401074:  je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
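As an added example (not part of the original text), here is a small triage scanner in Python that looks for the instruction bytes and strings of the checks listed above (Methods 01-07, 11, 12 and 13) in a file image, the kind of thing an analyst runs over a packed sample to see which of these tricks it carries before debugging it. The x86 encodings, the gap tolerance between anchor instructions and the sample image are assumptions worked out by hand for this example.

```python
import re
from typing import Dict, List, Tuple

# Byte-level signatures for Methods 01-07 and 12. Encodings are hand-worked
# assumptions, not taken from the document: "\x66?" makes the operand-size
# prefix optional so 16-bit and 32-bit code both match, ".{0,8}?" tolerates
# a few interleaved instructions, and INT 3 may be CC or CD 03.
BYTE_SIGS: Dict[str, bytes] = {
    "01 BoundsChecker 'BCHK' + int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)",
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)",
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02.{0,8}?\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "05 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00.{0,8}?\xCD\x41",
    "07 int 68h function 43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}

# Plain strings: MeltICE device names (Method 11), registry keys (Method 13).
STRING_SIGS: Dict[str, List[bytes]] = {
    "11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"],
}


def scan(image: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in BYTE_SIGS.items():
        hits += [(name, m.start()) for m in re.finditer(pattern, image, re.DOTALL)]
    for name, needles in STRING_SIGS.items():
        for needle in needles:
            pos = image.find(needle)
            while pos != -1:
                hits.append((name, pos))
                pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample image (not a real binary): the Method 01, 02 and 12
# fragments hand-assembled as 32-bit code, separated by NOPs, then the
# MeltICE device name. Expected hits: 01 @4, 02 @23, 12 @34, 11 @42.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04"
    + b"\x90" * 3
    + b"\x66\xB8\x11\x09" + b"\x66\xBE\x47\x46" + b"\x66\xBF\x4D\x4A" + b"\xCC"
    + b"\x90" * 2
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"
    + b"\x00\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  Method {name}")
```

Ring0 checks (Methods 09, 10 and 14) are reached through VMMCall dynamic links and debug registers, which have no fixed byte pattern, so they are not covered by this scanner.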
( ~0 F9 ?' F- o& `</PRE></TD></TR></TBODY></TABLE> |