<TABLE width=500>( C4 l& _ n4 Y; R" ^% I7 y7 D
<TBODY>$ g- U) C' @0 ~: J
<TR>
$ M; A4 ~! l- C, J. a1 E<TD><PRE>Method 01 ; ?/ F% c# p, f6 r. g
=========2 P/ v' Y8 \5 Z0 }2 _1 W( k
0 \$ v' S) G- {. ^ I: i
This method of detection of SoftICE (as well as the following one) is
3 ^ ]. H$ _2 `7 d& gused by the majority of packers/encryptors found on Internet., r6 u$ i9 Y" V# q. d* }4 @
It seeks the signature of BoundsChecker in SoftICE
a3 t* G# _& v0 E
9 Q! ~# H! S; {1 N mov ebp, 04243484Bh ; 'BCHK'& z0 o6 c" g; _2 @+ R3 O
mov ax, 04h
# p7 |- g& J: a$ H8 \! E int 3
6 l& ?4 C+ R# n1 C6 p cmp al,40 t, A' G- U# J0 b, W/ F; u
jnz SoftICE_Detected) I K, l- O4 n0 {; ?
" a) J) [! t A/ n' I6 s___________________________________________________________________________
0 t. \1 f, W v% X; ]: {% y
, L2 w. k; _* K8 [6 |, ?5 OMethod 029 f; _$ h8 ]4 O9 Y& p6 c& O* z
=========4 R& D: C, { w9 N
1 b( ^+ d6 g6 W
Still a method very much used (perhaps the most frequent one). It is used
/ T$ k2 B( G r1 v3 n: yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,. m& T4 S, A h( E
or execute SoftICE commands...& s* u& T& r: f' O5 E, M- w
It is also used to crash SoftICE and to force it to execute any commands* H! Z3 ~ |5 g: e5 [4 u/ M
(HBOOT...) :-(( 2 L+ j* A$ X0 ?/ A- \
6 d5 {0 H2 N8 V5 p! U
Here is a quick description:* P' R! b+ m+ S4 ^2 Y
-AX = 0910h (Display string in SIce windows)4 r: R- X g- E( K5 R- Z/ x
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
/ p+ G _* g! [-AX = 0912h (Get breakpoint infos)
& ?' L: ^$ g3 s s6 @ m' D; e* a$ B-AX = 0913h (Set Sice breakpoints)- a- v4 h+ m; y3 l9 _
-AX = 0914h (Remove SIce breakoints)9 O ~/ t/ l" m: w$ a2 Q+ u6 D
1 x' w4 I3 e* Z" u: d1 ^- s( M/ b
Each time you'll meet this trick, you'll see:
) ?, v+ G* q. ?) H/ m+ ?-SI = 4647h+ D& C2 X6 P& x) m* b
-DI = 4A4Dh
& |7 i" O" [/ _4 D" v3 aWhich are the 'magic values' used by SoftIce.
^6 v5 e3 b3 k7 q; K- H7 {7 e- ^For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- [' I( M- F/ C7 m! t8 r
C3 K! B$ t5 @Here is one example from the file "Haspinst.exe" which is the dongle HASP
0 J% _% ^. I$ b1 A; k# IEnvelope utility use to protect DOS applications:+ z/ g6 o0 w8 e
* g) ?+ p! x9 j) ^% c3 \2 u9 b; D: c6 f
4C19:0095 MOV AX,0911 ; execute command.
3 L5 ? m; C$ v' x; e7 |4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).8 r( X* E; y- w# s0 K# ?# ]" g! ^
4C19:009A MOV SI,4647 ; 1st magic value.5 K- W, x( n0 l
4C19:009D MOV DI,4A4D ; 2nd magic value.
, _" p7 F) l8 _$ ^- Y! S" }4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)1 c4 Y5 Y( i5 y. Q' N' l* r& B! F* G# \
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
1 \+ E( @1 U9 l" x1 _8 [) _4C19:00A4 INC CX7 S. [& I; d2 Y! B# L9 B
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
, o/ u# \! j) c4C19:00A8 JB 0095 ; 6 different commands.
6 f9 I3 L: I- E r4C19:00AA JMP 0002 ; Bad_Guy jmp back.
, h, o) w. ?. R4 i9 x' `5 F( B1 ]) e4C19:00AD MOV BX,SP ; Good_Guy go ahead :)2 Y+ N. W" o9 W) L
8 b+ F5 e6 ~! ^& \% CThe program will execute 6 different SIce commands located at ds:dx, which" W- p% B7 S; K( C: {2 {) n
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! p- l$ e7 `+ g t- p9 T
/ y- U! ^$ s. b# b$ M+ W! i7 K* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
0 B9 K# G1 U- B# n9 f! y: v___________________________________________________________________________+ |: \% V, J; Y6 V6 {* t
$ z* F7 c4 x& m5 f2 w5 W
! H3 K3 _0 ^5 `( }Method 03
% `4 M8 ^6 U3 N! |& ^' C8 J=========
* @2 z; T0 e2 z- y3 \( ?- i/ a$ }8 Q# l* B
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' b0 G* T- _% t! c7 L(API Get entry point)/ R. c0 W$ D" f2 w4 F, M5 N
4 V8 E9 u/ q+ p) S- I4 e8 G
$ a" ]# @( C! Y. v+ V xor di,di0 T9 d* C. \7 n& f
mov es,di
2 K0 [" A% ^! v mov ax, 1684h
: U' f; I9 E4 t0 c0 q9 s: t7 _ mov bx, 0202h ; VxD ID of winice0 K+ q7 A9 f6 E0 u' x7 G
int 2Fh
# F0 o H2 m; \# A mov ax, es ; ES:DI -> VxD API entry point
3 E7 F' s" U9 H add ax, di
% j' w4 m# G7 P0 A# g test ax,ax1 \* j& r1 j* a+ v- f' w6 s
jnz SoftICE_Detected, N( X4 I# G. P- V! z
" j0 M7 v! D- ]
___________________________________________________________________________
4 X4 q( _9 s9 ?0 _2 E8 r& W9 D0 L5 p) M3 [: b4 m/ C
Method 04
# V: \9 H. Y: t9 I. D5 _/ C=========
5 T. O: t m$ L t5 C6 N" `( s' \4 J* c) l) c' M/ F5 }7 n
Method identical to the preceding one except that it seeks the ID of SoftICE0 n) K" L x7 ]2 J3 i$ c/ v: f6 U! ?
GFX VxD.
I6 {. n: q, [: f; p2 L
U9 }7 K3 F" [ xor di,di
7 }$ i- i1 v8 U+ @' m! E3 A5 ~ mov es,di, [; C: W2 |1 i( d# v& m* ^. i
mov ax, 1684h
: m2 | B$ f$ P& V, N( n k mov bx, 7a5Fh ; VxD ID of SIWVID9 a% I8 f4 f( f- i: |) Q5 {
int 2fh) g# ^, T V6 U7 L1 A$ W( s
mov ax, es ; ES:DI -> VxD API entry point
5 L6 Z* ^$ o$ [: c( v( b1 o- | add ax, di: I: `& ?/ q K4 p# ]+ M$ z) H
test ax,ax6 \! K0 Z. Y! H2 W+ z* E* U2 g
jnz SoftICE_Detected
! h" {3 M+ Q# R: X/ W% ?
0 i1 h1 q; j4 r3 H6 ?2 ]__________________________________________________________________________
* U& F' Z- H' r$ Y; }* B$ x2 F
; r! u; U: S7 e! W% S2 I) v9 E6 l) ?- r) k* m$ Z
Method 05
H: Z5 a: Z; r=========
6 ^: }: H4 ^6 v$ q8 \
7 p- O9 r/ n4 f9 `) KMethod seeking the 'magic number' 0F386h returned (in ax) by all system/ ^& y3 p0 q( w9 T
debugger. It calls the int 41h, function 4Fh.0 D q: o7 |/ M- @
There are several alternatives. + o5 k& y/ N6 p% Z! h+ g
6 G' n9 z) S5 K1 t) e6 {; E
The following one is the simplest:
0 z v+ l7 {, u* H8 ?. J6 u3 n, P! r5 [: {. C8 r
mov ax,4fh
- Q7 N5 b# c$ { int 41h
- j, \& R' t/ g$ ?$ | cmp ax, 0F3869 s4 k$ c/ F& s$ }, `- w5 l
jz SoftICE_detected
% Z5 W$ n3 o! [% Y. i2 U1 M3 e+ q$ a( @ n- X' a) v
. }! Y' i6 V" t3 C# U/ e( wNext method as well as the following one are 2 examples from Stone's
0 |4 ]3 O- C* ?/ p3 q* F6 t5 x"stn-wid.zip" (www.cracking.net):1 Z2 A6 X' ?+ p2 D% q, K! C6 ^
8 M' A$ G, O5 D# u mov bx, cs
- I- k, w* f/ V O, P3 d lea dx, int41handler2
1 Z( R8 r- b3 t xchg dx, es:[41h*4]
# E" u! C! K2 v, H3 L0 s/ U4 S xchg bx, es:[41h*4+2]; I" D |% L: W6 B& p9 H+ Q
mov ax,4fh
% s9 s$ u) y) l1 _# T4 i. J3 f int 41h
, p9 Q e' T; @" C9 G xchg dx, es:[41h*4], S8 w' F6 I( y7 F& w6 i3 c
xchg bx, es:[41h*4+2]
2 ^0 N- b$ Y2 S$ N# z" ^ cmp ax, 0f386h
5 C4 [. L8 V: l; S1 a jz SoftICE_detected
* s! ?2 \& R' k. h5 G+ w+ [5 p7 ?( X8 E2 `
int41handler2 PROC
+ R1 p. K" q1 t3 ~! E! F: p: _ iret1 a' A1 n3 _ O: Y* T
int41handler2 ENDP7 p! J. s. [% w4 r2 j; ^ q& ?
& ?; E0 {0 U, C/ ^
0 p3 b5 F0 `+ c: C; h' N+ y* ]
_________________________________________________________________________
' g4 F0 A) j2 [. o! P
' j! z& G. x4 ?& A* e7 T a( z# b/ y6 u! U
Method 06/ |$ Z" F3 C! g+ A* v y
=========4 l g" }# \0 |$ c& N
( X- w- }$ q; _; P
/ x3 t S% n" A2nd method similar to the preceding one but more difficult to detect:) Q( W7 B- S# ^1 {0 z. x! I; S
. o/ x2 U# i2 E: A2 B6 v9 h
3 }( K2 s, I- xint41handler PROC7 G" j% `2 U! r. c+ r
mov cl,al
+ F5 z [9 T% c" D iret
* e! M, J- g q0 M! Zint41handler ENDP& F# v' \+ X9 E7 ?6 w) ?6 c
% P1 Z B9 A% U
9 U5 D a" T6 e xor ax,ax* Z' O1 Q4 j5 N0 O( [8 y4 U
mov es,ax
+ Z4 \) L, @- v( j& @ mov bx, cs+ o6 k/ E! K0 r t* a
lea dx, int41handler) i( _4 `5 f& }9 I X( s6 V
xchg dx, es:[41h*4]) H# ^( `$ J* v, X) M" s* v. l0 s
xchg bx, es:[41h*4+2]
; F3 Y! E$ z& b! H% \0 ~& u in al, 40h( B) q( E e7 j% j
xor cx,cx. ^# c8 L. B: O" E/ I/ Q/ k# a: l
int 41h6 ~& R1 Y9 R0 @; T& c+ ^ A
xchg dx, es:[41h*4]
. O' `- ?: p( p6 a/ y; k xchg bx, es:[41h*4+2]
) s; Z7 O! C# a& W% x/ [/ G cmp cl,al0 v" U% U% Z% v) j j1 A
jnz SoftICE_detected8 X# p6 [: q8 p, v4 o) W; z" _
: I/ `/ q" q; V5 d_________________________________________________________________________% z2 Y* g/ H# R2 s" m
, N, Y* \) D6 k4 v
Method 07) [$ N* D: I% C
=========
- I& n: U. P$ f( o& H+ H7 Z9 ~! ]( b. T
Method of detection of the WinICE handler in the int68h (V86)
! `8 C. o$ c* f' A# F
- H M4 Z8 y5 [- v mov ah,43h
/ `4 j$ B( a( \6 o2 K int 68h
3 {; o# s; p+ h cmp ax,0F386h
9 I- U p, [, T7 c8 A jz SoftICE_Detected; K1 Y7 Z' ^4 B
/ v8 z+ a3 H0 [- V! S4 h6 H a
/ {8 E( G f. B1 O) m: K=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- j, C5 i8 ^# F7 ]. |3 v# Z7 a' D
app like this:3 h1 E2 g# _' Y0 I2 t
|; a) Y. g8 H& W w- \ BPX exec_int if ax==688 c" Y7 A% f6 z5 w V
(function called is located at byte ptr [ebp+1Dh] and client eip is1 i. c/ ]8 V; Y3 S( H5 e
located at [ebp+48h] for 32Bit apps)
! [+ q3 y. d( \* B__________________________________________________________________________
' \6 I" h. {+ m% z5 C% H
/ _* T5 e/ s9 f5 Q0 a
% w. y2 C# n/ p4 K" l5 GMethod 08
5 K4 f/ P4 I) t% b) W+ \=========" f' M( b- d. U. X) z/ x" }
- \1 {2 G% o1 y$ S/ KIt is not a method of detection of SoftICE but a possibility to crash the6 h6 P/ X$ e/ x' P) P& D1 R
system by intercepting int 01h and int 03h and redirecting them to another! l5 H- i( M. w: I' a8 Z) l
routine.
4 {2 }' A! o P0 U( w3 t! g5 GIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
5 z) q1 Z. J% p" cto the new routine to execute (hangs computer...)
2 t( A- r- g3 `+ p
$ i+ {* d3 L1 Y# W. o: T" u% n: E, R mov ah, 25h
4 g2 E, L Q# w5 L5 e mov al, Int_Number (01h or 03h)
! w" s+ e! Q$ |- Q+ H# w mov dx, offset New_Int_Routine
; R6 I6 a( y, { int 21h
1 Y% s* a+ x% _; T% |$ w9 O/ p0 _ W9 J1 t
__________________________________________________________________________
- ]& P# A% N) e2 O1 J0 s2 ~/ B; y, Y+ h$ m- U
Method 09- T+ D' K! L( q$ d
=========
) A. H% N* N$ g2 a
, Q5 i9 x3 q! M2 [5 X# PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only& z" U) @( G% s k; a K
performed in ring0 (VxD or a ring3 app using the VxdCall).
5 c+ X" r. L0 c, |2 ^The Get_DDB service is used to determine whether or not a VxD is installed
5 i2 Y# `6 u& I; J* v* A. O6 C4 hfor the specified device and returns a Device Description Block (in ecx) for7 x$ l/ [9 J9 j3 \
that device if it is installed.- h, }. c# ?3 C* y3 P0 w
# T$ u/ |! Y5 W+ }- f7 J6 H mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID B s8 p" m$ h7 t, C! ^ \) x8 f
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 Y" U0 }, F5 ~9 W
VMMCall Get_DDB
3 @9 _( X9 \0 b" h& M mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
4 J' M. a8 g/ }% _
8 B! U2 x7 m6 s8 W3 j) Y h+ [Note as well that you can easily detect this method with SoftICE:
& `' K% X1 T @# M9 |" @$ G bpx Get_DDB if ax==0202 || ax==7a5fh
, g! h6 u7 f& z& Z
% ?. e) e$ V0 c' k' h* ~__________________________________________________________________________
' O# e; |0 ~2 R
+ `( H2 K! m: Q% s V$ _Method 10
: B# O& r: x( l$ L$ Y& f=========9 }% Q n, Q$ d e% X) ]
! B# S4 e$ M/ M* ^# B
=>Disable or clear breakpoints before using this feature. DO NOT trace with' t; v O! j9 W' X5 y4 x
SoftICE while the option is enable!!& h, K- g) [% ]1 m: x0 M& n
9 [8 v" Z! v* A' cThis trick is very efficient:
4 o2 M, P* O0 ~9 T: Y4 yby checking the Debug Registers, you can detect if SoftICE is loaded
2 V E- I# r, }: G* |* u(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if( w* \8 t7 x; ~5 B8 a
there are some memory breakpoints set (dr0 to dr3) simply by reading their; \$ _7 F! I& T) z: @/ U
value (in ring0 only). Values can be manipulated and or changed as well4 Z+ B: I N1 O& q% Q
(clearing BPMs for instance)
0 y. U1 I9 J% H% j
3 A3 x; J4 z" G, C6 }__________________________________________________________________________
" P9 _) }3 ?$ h+ t t9 M/ a" H8 ?# `
+ c8 T! ]+ b @! l/ ^2 qMethod 11
9 y( P$ t9 k- d3 e0 k# B1 p# T/ J; y* N) W- ?=========' G8 a3 |% O' l/ _
8 E" X/ ?( I( O6 x p
This method is most known as 'MeltICE' because it has been freely distributed
* i+ S9 b8 p: S' vvia www.winfiles.com. However it was first used by NuMega people to allow+ V3 K2 Q' G! M3 ~" w: E
Symbol Loader to check if SoftICE was active or not (the code is located& k W" h( Q* Y0 b# ~& z" Q) ^
inside nmtrans.dll).
+ X: R* o x- [; k8 H, s6 o5 X1 b. Z C" d
The way it works is very simple:
' A# n4 y' _8 ~% @It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 H. w h" _& p/ q+ {WinNT) with the CreateFileA API.& M {& r5 e7 y
( j# w9 c* C: N% X- S* Y% Z
Here is a sample (checking for 'SICE'):
' ^- o! r2 U- Y) O5 |
1 W4 }) }- A2 hBOOL IsSoftIce95Loaded()
# _1 ^* @0 t/ _0 W3 T( \{+ k3 i' m; f+ {# l
HANDLE hFile;
& j& z4 K9 d! C+ W" t- A2 d hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
+ _) Z; A( t+ E( X3 E) B FILE_SHARE_READ | FILE_SHARE_WRITE,
( s' ~2 }3 a5 W NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" f2 I( g3 q# M if( hFile != INVALID_HANDLE_VALUE )
' b1 P7 I% D5 c( F7 \3 ~ {$ P! }! ~& {+ }) g
CloseHandle(hFile);( f" K# `1 h8 ~4 o0 z2 Q
return TRUE;2 d( }5 d0 W2 i9 ~
}
- M/ t4 Y! ?) z" Q return FALSE;, J1 { d# f" f6 I- W6 o
}3 q3 W: a9 d3 j" H: d
0 Q) t. G4 H& s* ~4 x/ [Although this trick calls the CreateFileA function, don't even expect to be
2 h, P% `3 Z3 B$ _able to intercept it by installing a IFS hook: it will not work, no way!
/ O$ x9 J1 p9 ~8 `In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, r8 w' k8 w s6 Q! w% D" Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# [5 x: {" B8 F2 ^
and then browse the DDB list until it find the VxD and its DDB_Control_Proc. n+ U6 t' [( i' _$ m
field.
0 p8 u3 e1 ~. l1 \ M. pIn fact, its purpose is not to load/unload VxDs but only to send a
, w3 f9 M+ }; ]7 h2 r4 v! mW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)6 v' q5 Z' _: D" ?: V6 P
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 L/ r5 \: f6 p+ H( x% ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).
2 z" `9 K+ I# {% K7 p0 {If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 y0 y' W. T' F# E3 d1 i; y9 bits handle to be opened and then, will be detected.+ u- \6 f/ G3 e2 h" h
You can check that simply by hooking Winice.exe control proc entry point
* l; I+ x' ]1 D5 K3 }& @6 awhile running MeltICE.
3 Q, Y; H5 u8 m& e2 |# D- z2 f; Y9 }3 @' s
+ l/ U. d- @! i& B5 r4 h3 a+ f
00401067: push 00402025 ; \\.\SICE
2 \' b; r0 X% J, ]( a8 | 0040106C: call CreateFileA
# o- h; A+ I6 N# o( @, t 00401071: cmp eax,-0015 e- @/ O: F k8 Y( u4 E+ w
00401074: je 00401091
+ b$ V7 U' m1 v3 O5 s: ]/ C4 T. w( r+ E: S- `6 m
8 C( y _% o' C# k) ?There could be hundreds of BPX you could use to detect this trick.
( {; p$ n' r J-The most classical one is:7 C9 n) \+ C Q' d9 {% t- H
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||) {' s( J+ a0 N8 V ?9 [
*(esp->4+4)=='NTIC'
, q' K3 F) @3 _/ E8 W/ A
5 s8 b* I u, \% r' ~-The most exotic ones (could be very slooooow :-(8 r7 E. |- ?8 C& C4 ^* \
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 1 o6 q8 Q+ @% _7 M# t6 F0 W
;will break 3 times :-(: r/ \! O0 o+ o3 r4 a' X
4 O: n* t6 t& a4 G7 O" t-or (a bit) faster: 1 F4 m j8 P5 q; @
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
; @0 O0 O( F2 z- X
' S0 J, Y8 D t# p5 A& M- j( ^ BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 4 L4 f# e1 D' U! [: |
;will break 3 times :-(' ?6 F o. }& h) T
: ~2 u) H1 y0 \+ c! ]
-Much faster:
2 p, q; T( \4 ?$ X6 S: V7 F* e2 _ BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV': f. k" }0 z& j& G7 r4 @* k
! `7 O) w; v. k, n( |7 B, Q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen" i. n9 q. j$ k; J: l9 \& U
function to do the same job:
5 J: v! P+ ]# I- i0 h- x/ z
. o5 ~' Z4 q9 b7 q push 00 ; OF_READ9 ^9 y4 \8 p, ]
mov eax,[00656634] ; '\\.\SICE',0
/ A- B& J) a! E9 ^4 p2 q q push eax
+ [3 j; q. N# b" W, r call KERNEL32!_lopen
1 W: V6 |+ i% Q, c inc eax/ x& E# Y" A1 \$ S, R, n
jnz 00650589 ; detected' m: f6 _' I& f4 L. |4 Y
push 00 ; OF_READ" S3 U1 q4 h1 B; M3 z$ O6 h
mov eax,[00656638] ; '\\.\SICE'
' M: U# f9 b2 p* w; S push eax% I% S' G7 Q( r5 U
call KERNEL32!_lopen" n+ f- r9 J7 ~5 j6 l4 X- v
inc eax
+ P+ G( e# i' Q. k0 c& A5 X jz 006505ae ; not detected2 P, H' _2 t2 x m( _7 O
' C; j$ M8 U8 P9 e! ~' v
, J% l" i5 C3 }/ N+ x9 h2 j# p__________________________________________________________________________
2 B& H4 J; g! a2 i) b" y( X6 _/ _) D1 F
Method 12
2 ]0 v3 X7 T$ |0 |! P5 }: f=========
1 e+ J% r K+ O: O D: ~! D! Y2 K- H7 P/ X
This trick is similar to int41h/4fh Debugger installation check (code 05
8 b! K, z8 N3 f5 G& 06) but very limited because it's only available for Win95/98 (not NT)5 @0 h: L) _# h# b1 r& z
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.$ G" n I, @6 f- W! d
0 k: d$ g$ d" m8 ^; H" s
push 0000004fh ; function 4fh
7 _; _5 p: A" g) }8 l push 002a002ah ; high word specifies which VxD (VWIN32)$ o; r& j; A$ P2 o0 @" i
; low word specifies which service
5 f3 u4 i; Y6 K (VWIN32_Int41Dispatch)8 V3 M5 \( w9 v( R
call Kernel32!ORD_001 ; VxdCall
7 ]: k( ?4 S4 G2 ]: G) @$ C4 X cmp ax, 0f386h ; magic number returned by system debuggers
5 H, ~; m: Z6 R jz SoftICE_detected
. j0 y: I6 i, K% B
U5 c. a, c, UHere again, several ways to detect it:
( L4 R8 l0 o. n3 F7 u9 T9 k* G0 i* g" b4 V
BPINT 41 if ax==4f7 ~; t5 k$ z/ W" m+ P0 a; z( S
( L5 | h# Y3 O* p+ o BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
' W; P8 N- D4 L8 n/ F, \* `! O0 G. M+ O6 ~3 N7 y
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
: W" h+ \/ E1 H; ?4 S
" Z# R. x, W; L" ]3 J# d BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ d3 [) e8 O6 `. H/ ^
/ ? j4 n! J- k" I3 L6 ?, _ o! s__________________________________________________________________________
4 C( [4 E6 _# L9 @- } p
% S9 \! C% b- J7 v% j2 b, `Method 13
/ M5 p) E) f3 S! K# m. W=========
1 d" v/ j- E, n2 S# x' l0 W6 C0 K, d
0 P8 S( F) E3 z$ _& sNot a real method of detection, but a good way to know if SoftICE is
! _, J: X! u: v" E( O. Einstalled on a computer and to locate its installation directory.
$ A3 t7 {* x% U$ l5 P7 ^; z( G4 zIt is used by few softs which access the following registry keys (usually #2) :" \0 [6 |( N/ Z* L% O/ B% {
+ E f5 l% t" h( j/ ^ B
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# l4 A) k! a( Y2 {6 m1 L7 [8 `\Uninstall\SoftICE; W1 Y# E8 l$ X7 Z+ i
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* E0 v, C: \' @! ~/ g+ \1 _* U5 l-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% C' |; d7 l0 u* ^# [3 t
\App Paths\Loader32.Exe" S) a2 b/ h! d5 i2 n; y1 }# b" q
3 ?' K4 t9 Q9 _7 k! U# D1 W
- a) x5 m5 t) q1 }! j2 J& B7 d! }Note that some nasty apps could then erase all files from SoftICE directory
4 D \- v, |6 ~4 q4 V(I faced that once :-(
* f0 b5 L3 Q: e D. I0 p" D+ J( w* a- H
Useful breakpoint to detect it:8 N Z1 l4 P# N( H/ O
4 D. P$ l" @* x7 A$ K- i& Y) w6 i BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'6 ]" _& k, u- [5 H8 I7 r
6 i2 y$ ~& Y/ m3 ?# ?
__________________________________________________________________________ Z- C2 A/ i: p" I! T7 u
. p" M; I1 J4 P$ i$ y
. Y7 E3 I* [2 ~4 T% }- b6 s5 uMethod 14
, K( P; U4 a0 ~=========
( W" C8 ]0 c* ^# ~2 q1 m+ p6 A: O3 a
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
7 r. n2 _7 T) R; eis to determines whether a debugger is running on your system (ring0 only).* [7 d9 F5 [, s; Z" E# s0 q; X
# N/ m5 A- T) ]2 x' g$ X' { VMMCall Test_Debug_Installed; p" l- w1 n9 r( x. m* s
je not_installed
3 p0 u1 q6 B4 C; m0 ~ u b6 Z- d0 h9 w* v+ o# z9 ]
This service just checks a flag.
! L, Q2 J m2 L! L$ O: K</PRE></TD></TR></TBODY></TABLE> |