<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - command is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh   ; VxD ID of SIWVID
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

    int41handler2 PROC
    iret
    int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:

    int41handler PROC
    mov cl, al              ; our handler copies al to cl; it never runs if
    iret                    ; a debugger has intercepted int 41h
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name only succeeds when the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
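The following Python scanner is an added example and not part of the original
text: it searches a raw code image for the byte patterns the methods above rely
on (the 'BCHK' signature of method 01, the int 3 back-door magic values of
method 02, the int 2Fh/1684h and int 41h/4Fh checks of methods 03 to 06, the
int 68h/43h call of method 07, the VxDCall sequence of method 12, the device
names opened by MeltICE in method 11 and the registry keys of method 13), so an
analyst can list a sample's anti-debugger checks statically before stepping
through it. The opcode encodings and the wildcard gaps between instructions
are my own transcription of the listings, not the page's; the sample image is
constructed.

```python
"""Static scanner for the SoftICE-detection idioms listed on this page.

Added example (not the page's own code).  The opcode encodings are transcribed
from the listings as 16-bit DOS code; an optional 66h operand-size prefix lets
the same pattern match 32-bit code.  The wildcard gaps are a heuristic
allowance for a few interleaved instructions.
"""
import re
from typing import List, Tuple

# (description, regex over raw bytes) pairs, one per detection idiom
PATTERNS = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker signature",
     rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\xcc"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back-door magic values)
    ("02 int 3 back door",
     rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a.{0,8}?\xcc"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     rb"\x66?\xb8\x84\x16.{0,6}?\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,6}?\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("05/06 int 41h/4Fh magic number",
     rb"\x66?\xb8\x4f\x00.{0,8}?\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xb4\x43.{0,4}?\xcd\x68"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in PATTERNS]

# Literal strings: device names opened by MeltICE (method 11) and the
# registry keys of method 13
STRINGS = [
    ("11 MeltICE driver name", b"\\\\.\\SICE"),
    ("11 MeltICE driver name", b"\\\\.\\SIWVID"),
    ("11 MeltICE driver name", b"\\\\.\\NTICE"),
    ("13 SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    ("13 SoftICE registry key", b"Uninstall\\SoftICE"),
    ("13 SoftICE registry key", b"App Paths\\Loader32.Exe"),
]


def scan(image: bytes) -> List[Tuple[str, int]]:
    """Return (description, offset) for every idiom found, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((name, m.start()) for m in rx.finditer(image))
    for name, needle in STRINGS:
        pos = image.find(needle)
        while pos != -1:
            hits.append((name, pos))
            pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def magic_to_text(value: int, width: int) -> str:
    """Spell out a register 'magic value': 4243484Bh -> 'BCHK', 4647h -> 'FG'."""
    return value.to_bytes(width, "big").decode("ascii")


# Constructed sample image: the Haspinst.exe loop of method 02, the simplest
# method 05 check and the MeltICE device name, padded with NOPs
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"          # mov ax,0911h
    + b"\x8b\x17"              # mov dx,[bx]
    + b"\xbe\x47\x46"          # mov si,4647h
    + b"\xbf\x4d\x4a"          # mov di,4A4Dh
    + b"\xcc"                  # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"  # mov ax,4Fh ; int 41h
    + b"\x3d\x86\xf3"          # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  method {name}")
```

Run it on a raw dump of a DOS program or on an unpacked PE section; hits are
reported by file offset so they can be cross-checked in a disassembler.
Method 08 (vector rewriting through int 21h/25h), method 09 (Get_DDB), method
10 (debug registers) and method 14 (Test_Debug_Installed) have no fixed byte
signature in the listings and are better caught with the SoftICE breakpoints
the page gives.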

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>