<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This SoftICE detection (like the following one) is used by the majority
of the packers/encryptors found on the Internet.
It looks for the BoundsChecker ('BCHK') interface of SoftICE: EBP holds
the signature, AX=4 and INT 3 is issued. When SoftICE is loaded it handles
the interrupt and changes AL, so AL is no longer 4 after the call.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; back door call (if SoftICE is not loaded, jump to 00AD *)
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy: jump back.
        4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT (which reboots the machine).

* the jump to 00ADh is performed via the exception handler that catches
  the INT 3 when no debugger is loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
INT 2Fh/AX=1684h (Get Device API Entry Point), with BX = the VxD ID. If the
VxD is loaded, ES:DI receives a non-zero entry point.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if no VxD answered
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________


Method 04
=========

Identical to the preceding one, except that it asks for the ID of the
SoftICE video VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger to INT 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next one, as well as the one in Method 06, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). The real-mode INT 41h vector is
temporarily replaced by a handler that only IRETs, the check is issued, and
the vector is restored afterwards:

        xor ax, ax
        mov es, ax              ; ES = 0: segment of the interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second variant, similar to the preceding one but harder to spot: a byte
read from the timer port (IN AL,40h) is used as an unpredictable value,
CX is cleared and INT 41h is issued. The program's own handler copies AL
into CL, so after the call CL equals AL only if that handler was actually
reached; if the interrupt was intercepted before the vector table, CL is
still 0 (the timer byte has to be non-zero for the check to mean anything).

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0: segment of the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the interrupt number called is located at byte ptr [ebp+1Dh] and the
client EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
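The stubs in Methods 01 to 07 have fixed encodings, so a packer that carries them can be triaged offline with a plain byte-signature scan. The following C program is an added example (mine, not code from the text, from Stone or from any packer it names): the signature table holds the 16-bit encodings of the stubs listed above, and the sample buffer is one I hand-assembled from the Method 01, 02 and 05 listings; the signature names and the offsets in the comments are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte encodings (16-bit code) of the anti-SoftICE stubs of Methods 01 to 07.
 * 'BCHK' is matched without the 66h operand-size prefix so that both the
 * 16-bit and the 32-bit encoding of "mov ebp,4243484Bh" hit. */
static const uint8_t SIG_M01[]   = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t SIG_M02[]   = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t SIG_M03[]   = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h ; mov bx,202h ; int 2Fh */
static const uint8_t SIG_M04[]   = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* same with the SIWVID id 7A5Fh */
static const uint8_t SIG_M05[]   = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh ; int 41h */
static const uint8_t SIG_M07[]   = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h ; int 68h */
static const uint8_t SIG_MAGIC[] = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h */

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;

static const sig_t SIGS[] = {
    {"M01 BCHK int 3",         SIG_M01,   sizeof SIG_M01},
    {"M02 back door FG/JM",    SIG_M02,   sizeof SIG_M02},
    {"M03 int 2F/1684 WINICE", SIG_M03,   sizeof SIG_M03},
    {"M04 int 2F/1684 SIWVID", SIG_M04,   sizeof SIG_M04},
    {"M05 int 41/4F",          SIG_M05,   sizeof SIG_M05},
    {"M07 int 68/43",          SIG_M07,   sizeof SIG_M07},
    {"cmp ax,0F386h magic",    SIG_MAGIC, sizeof SIG_MAGIC},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { int sig; size_t offset; } hit_t;

/* Offset of the first occurrence of pat[0..plen) in buf at or after start, or -1. */
long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen, size_t start)
{
    if (plen == 0 || len < plen) return -1;
    for (size_t i = start; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Scan buf for every signature; returns the total number of matches and
 * fills up to max_hits entries (signature index and buffer offset). */
size_t scan_anti_sice(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        long off;
        size_t pos = 0;
        while ((off = find_bytes(buf, len, SIGS[s].bytes, SIGS[s].len, pos)) >= 0) {
            if (n < max_hits) { hits[n].sig = (int)s; hits[n].offset = (size_t)off; }
            n++;
            pos = (size_t)off + 1;
        }
    }
    return n;
}

/* Constructed sample (not a real file): the Haspinst loop of Method 02, the
 * Method 01 stub and the simple Method 05 stub, hand-assembled, NOP padded. */
static const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,0x90,
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,  /* Method 02: SI/DI pair at offset 9 */
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB, 0x90,0x90,
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04,   /* Method 01: 'BCHK' move at offset 28 */
    0x75,0x10, 0x90,0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,            /* Method 05 at offset 43, magic compare at 48 */
};

int main(void)
{
    hit_t hits[16];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%-24s at offset %zu\n", SIGS[hits[i].sig].name, hits[i].offset);
    return 0;
}
```

Every signature is an exact opcode string, so a stub that uses another register for 4Fh, an extra prefix, or builds the magic values at run time will not hit, and `cmp ax,0F386h` is only three bytes that can also occur in data: treat hits as leads for a look in the disassembler, not as a verdict.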

Method 08
=========

Not a detection method, but a way to crash the system: INT 01h and INT 03h
are intercepted and redirected to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (which hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (readable in ring 0 only) you can detect
whether SoftICE is loaded (DR7 = 0x700 if the program was loaded with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints are set
(DR0 to DR3), simply by reading their value. The values can be manipulated
or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
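To make the DR7 values quoted above concrete, here is an added C example (mine, not code from the text) that decodes DR7 into its fields and applies the check the paragraph describes. The bit layout is the one documented in the Intel SDM; the sample values are constructed, and `dr7_suspicious` is my own name for the combined test. In ring 0 the input would come from `mov eax, dr7`; here it is fed in by hand.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7 (Intel SDM, vol. 3, "Debug Registers"):
 *   bits 0..7   L0,G0 .. L3,G3   local/global enable of DR0..DR3
 *   bits 8, 9   LE, GE           exact breakpoint match (legacy flags)
 *   bit  10     reserved, always reads as 1
 *   bit  13     GD               general detect: trap any access to the DRs
 *   bits 16+    R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3 */
typedef struct {
    int local_enable[4], global_enable[4];
    int rw[4];      /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];     /* length in bytes; encoding 10b means 8 bytes only in 64-bit mode */
    int le, ge, gd;
} dr7_info;

void dr7_decode(uint32_t dr7, dr7_info *out)
{
    static const int len_bytes[4] = {1, 2, 8, 4};
    for (int i = 0; i < 4; i++) {
        out->local_enable[i]  = (dr7 >> (2 * i)) & 1;
        out->global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        out->rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        out->len[i] = len_bytes[(dr7 >> (18 + 4 * i)) & 3];
    }
    out->le = (dr7 >> 8) & 1;
    out->ge = (dr7 >> 9) & 1;
    out->gd = (dr7 >> 13) & 1;
}

/* Number of hardware breakpoints (DR0..DR3) that are enabled. */
int dr7_active_count(uint32_t dr7)
{
    dr7_info i;
    int n = 0;
    dr7_decode(dr7, &i);
    for (int k = 0; k < 4; k++) n += (i.local_enable[k] || i.global_enable[k]);
    return n;
}

/* The check the text describes: 0x400 is the idle value (only the reserved
 * bit), 0x700 additionally has LE and GE set, which the text attributes to
 * a program started through the SoftICE loader. Any enabled DRn means a
 * BPM-style breakpoint is armed; GD means someone watches the DRs. */
int dr7_suspicious(uint32_t dr7)
{
    dr7_info i;
    dr7_decode(dr7, &i);
    return i.le || i.ge || i.gd || dr7_active_count(dr7) > 0;
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_name[4] = {"exec", "write", "io", "rw"};
    dr7_info i;
    dr7_decode(dr7, &i);
    printf("DR7=%08x LE=%d GE=%d GD=%d suspicious=%d\n", dr7, i.le, i.ge, i.gd, dr7_suspicious(dr7));
    for (int k = 0; k < 4; k++)
        if (i.local_enable[k] || i.global_enable[k])
            printf("  DR%d enabled (%s, %d byte%s, %s)\n", k, rw_name[i.rw[k]], i.len[k],
                   i.len[k] == 1 ? "" : "s", i.global_enable[k] ? "global" : "local");
}

int main(void)
{
    /* constructed values: idle, SoftICE-loader value from the text,
     * a 4-byte write BPM on DR0, and GD set */
    uint32_t samples[] = {0x400, 0x700, 0x000D0401, 0x00002400};
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) dr7_print(samples[n]);
    return 0;
}
```

Note that bit 10 reads as 1 on every CPU, so 0x400 is the empty state rather than a sign of anything; a checker that compares DR7 against 0 instead of masking that bit flags every machine.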
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the SICE device could be opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax, -1           ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax, [00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                         ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax, [00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the #2 and #1 subkey strings):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
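To see exactly what the conditional breakpoints of Method 11 and of this method compare, here is an added C example (mine, not code from the text or from SoftICE) that applies the same tests to constructed CreateFileA/_lopen and RegOpenKey arguments: the fixed-offset compare that the breakpoint conditions use, next to a case-insensitive substring check that also catches the spellings the fixed offsets miss. Function names and the sample strings are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Method 11: "*(esp->4+4)=='SICE'" reads the 4 bytes that follow the
 * "\\.\" prefix of the first CreateFileA argument. Same test here. */
int device_name_is_sice(const char *lpFileName)
{
    static const char *tags[] = {"SICE", "SIWV", "NTIC"};
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0) return 0;   /* not a device path */
    for (size_t i = 0; i < 3; i++)
        if (strncmp(lpFileName + 4, tags[i], 4) == 0) return 1;
    return 0;
}

/* Method 13 as the BPX writes it: 'tICE' at offset 0x13 of
 * "Software\NuMega\SoftICE" (key #2) or at offset 0x37 of
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
int regkey_is_softice_fixed(const char *subkey)
{
    size_t n = strlen(subkey);
    return (n >= 0x13 + 4 && memcmp(subkey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(subkey + 0x37, "tICE", 4) == 0);
}

/* Case-insensitive substring search (registry paths are case-insensitive,
 * so "software\numega\softice" opens the same key but has no 'tICE'). */
static int ci_contains(const char *hay, const char *needle)
{
    size_t hl = strlen(hay), nl = strlen(needle);
    for (size_t i = 0; i + nl <= hl; i++) {
        size_t k = 0;
        while (k < nl && tolower((unsigned char)hay[i + k]) == tolower((unsigned char)needle[k])) k++;
        if (k == nl) return 1;
    }
    return 0;
}

/* Robust variant: any of the three keys listed in Method 13, any case. */
int regkey_is_softice_robust(const char *subkey)
{
    return ci_contains(subkey, "\\SoftICE") || ci_contains(subkey, "\\Loader32.exe");
}

int main(void)
{
    /* constructed arguments, as a program would pass them */
    const char *files[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\PhysicalDrive0", "C:\\SICE"};
    const char *keys[]  = {"Software\\NuMega\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                           "software\\numega\\softice",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"};
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(%-22s) -> %d\n", files[i], device_name_is_sice(files[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(%s)\n  fixed offsets: %d  substring: %d\n", keys[i],
               regkey_is_softice_fixed(keys[i]), regkey_is_softice_robust(keys[i]));
    return 0;
}
```

The fixed-offset form is what a conditional breakpoint can afford to evaluate on every RegOpenKey call; the price is that a different case, an extra backslash or the third key (App Paths\Loader32.Exe, which the BPX above does not cover at all) go unnoticed.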

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>