<TABLE width=500>! r: L& @. S [# G3 [* O
<TBODY>5 Q* I! k( q" X
<TR>! B$ _, B h1 f* [& w
<TD><PRE>Method 01 # T: h4 s3 G, K+ J* Q. r6 F3 n
=========2 Y9 D9 `$ x" O6 }
( v' c# }+ m2 c c
This method of detection of SoftICE (as well as the following one) is
, U! {8 R2 D- C, E, }used by the majority of packers/encryptors found on Internet.
' [! x2 \6 `& r+ q0 ^' |It seeks the signature of BoundsChecker in SoftICE
* l2 N( D6 H5 b- M) }/ V/ m( x9 Q0 h N. S* v7 `0 d
mov ebp, 04243484Bh ; 'BCHK'$ n8 x+ Z! [" J0 D3 C7 v$ [
mov ax, 04h: x N$ o8 S& P$ x! y
int 3 0 G n8 X5 c4 p3 f) p6 d7 B% l
cmp al,44 T% m( k# B8 X9 ~: N9 o
jnz SoftICE_Detected
9 p3 X3 z3 t K5 ?* r' X8 r3 ~5 j5 v% A% D
% f- e' X) m' D& T___________________________________________________________________________
& v5 v0 l5 m7 `6 Q! u9 \6 ]- [* [: S3 A+ g1 }( J1 F. |% z
Method 02
3 ?% [( E f& W% }9 t6 }=========
1 o# p( B* _: C6 y2 c# M
; l6 J1 ^1 h8 |2 g ~% G2 mStill a method very much used (perhaps the most frequent one). It is used2 \3 g; B) B- }- j& m
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,* e5 J. ]" Z, N c
or execute SoftICE commands...: {: Y! V# p' H4 n& i \) Q
It is also used to crash SoftICE and to force it to execute any commands
6 p7 R, _2 [$ b(HBOOT...) :-(( / Y6 R0 t$ r. p: ?
+ D% a/ g# i( e* F" }
Here is a quick description:
; C4 U- K/ ?0 n @-AX = 0910h (Display string in SIce windows)
6 z9 A1 {3 D8 I' _-AX = 0911h (Execute SIce commands -command is displayed is ds:dx). S# w- l$ R- \/ S7 W
-AX = 0912h (Get breakpoint infos)
+ J6 u- Q' C3 R-AX = 0913h (Set Sice breakpoints)& H8 v: q- e2 y$ W/ q% @
-AX = 0914h (Remove SIce breakoints)2 p2 B/ C1 H( m" c$ D. s3 x
+ x: H6 N0 b; C: k0 U6 L( F
Each time you'll meet this trick, you'll see:7 Z. F+ [; l7 q2 O9 y* T% Y: _
-SI = 4647h
( A/ C5 D/ x H# ?' g-DI = 4A4Dh
$ Z9 J3 f5 w. [Which are the 'magic values' used by SoftIce.
/ t8 q. x1 { f9 z7 { J& DFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* t6 {& U" V# w- n6 C5 y! P6 i0 i" N! d9 t7 |6 `
Here is one example from the file "Haspinst.exe" which is the dongle HASP$ J9 v. p. |. V
Envelope utility use to protect DOS applications:
@% r5 F+ E W, n, n5 ^# J) [
# f& ?; y6 t( X& K C' a7 [. ?3 H, g' I. O
4C19:0095 MOV AX,0911 ; execute command.
+ d+ r& r9 s& M4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
0 X$ R+ `- x# Q1 M. c% b4C19:009A MOV SI,4647 ; 1st magic value.
/ u) w0 O- Z. q8 f4C19:009D MOV DI,4A4D ; 2nd magic value.& O) k! v$ n$ i2 `
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)( c" t$ e/ V( `& n1 n% N5 r
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute8 h C! F5 D& E
4C19:00A4 INC CX$ R7 q; G7 w8 r6 i; p* @
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
' L7 n$ N# f9 t" t! N4C19:00A8 JB 0095 ; 6 different commands.% G7 V( I( C {
4C19:00AA JMP 0002 ; Bad_Guy jmp back.0 P j$ G9 D: b3 N/ J3 j/ }$ F
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" v) g: ~9 w7 B" q5 p3 v: f' K+ K8 g! ~6 c8 r* B v: e
The program will execute 6 different SIce commands located at ds:dx, which
9 H# f( Z6 ~0 S. e; r6 g, Zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.. N" @/ J2 Z( Z2 e
) w/ c: f& K- j* N2 _4 U9 R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! a" b' i2 [( O! I4 U
___________________________________________________________________________
9 P! D/ P h" V! z- x6 R3 B. b
0 E, W2 P# y3 C; m5 O4 z4 \+ K+ ^$ W; g8 [! a- [7 m0 L9 F* {0 E/ M
Method 03$ k& }* M3 Q% |3 A8 {
=========
0 F O2 _* ^8 W" X5 L( t# {( C
+ {, W; i; M6 V% y9 GLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h, L& j5 r3 a# o9 Y
(API Get entry point)
9 k" ~; p. g4 T/ q5 A2 ^3 i }$ Y* U: q/ ^0 L# n# w6 g: s
- ^8 Q J3 }) r( T: A/ G xor di,di
7 U9 d# H; \* j mov es,di. x) [( Z h/ H: v# |7 U
mov ax, 1684h ; N8 Y* [/ |3 D. e$ E R, }
mov bx, 0202h ; VxD ID of winice6 a h/ j/ L) W [
int 2Fh
& V( f, j e/ o$ c mov ax, es ; ES:DI -> VxD API entry point
/ |: d3 o# v' e* t" B' ? add ax, di! k9 n, L; L2 H* F* a# P
test ax,ax& J4 q A$ Y" k
jnz SoftICE_Detected3 o4 p- L% n- _7 [4 l# b, E% y" V
$ L; ^' n& y# W4 M
___________________________________________________________________________$ [& I! i5 R- p% E7 g, f7 m+ f
! l; B( @" D/ K2 ^4 M2 i' d U6 TMethod 04
7 T& n( @8 N( m. y$ |4 D p=========$ e& d& J. }6 q. W1 ?+ Y$ T
* Z! _3 N% b" g$ R" [Method identical to the preceding one except that it seeks the ID of SoftICE
4 V, A, X! d% p; k* d: h) k; ]/ J; _GFX VxD." {* T7 I' M, }+ D# S4 U$ P
# l, k0 ~7 n8 i
xor di,di
- c1 m2 v; a' X) }4 y% s mov es,di/ n2 \! ]4 s% r; A# R
mov ax, 1684h 9 y0 Q3 r: ^, P, |0 b4 `5 M
mov bx, 7a5Fh ; VxD ID of SIWVID- ?$ W [8 _& m
int 2fh. \' U4 J. x7 y) B7 W
mov ax, es ; ES:DI -> VxD API entry point! c; ?! g4 E! M; m
add ax, di3 I! C P, {5 G/ D
test ax,ax
+ K# j" f; ^& B+ I- s1 N jnz SoftICE_Detected
9 d s5 D8 i; c) Q
: }! n- I2 u* _+ J__________________________________________________________________________7 D# L& X* A8 p/ \& l5 {
! p" n# W& p1 P
/ q/ [& o: T) A5 m! h! ~/ rMethod 05
% J3 W4 h+ j4 D( ^=========
( D% m6 l4 i) j& Z" Z
0 t4 _! E! A; JMethod seeking the 'magic number' 0F386h returned (in ax) by all system) k. ?- O( x9 ^7 w" [1 U
debugger. It calls the int 41h, function 4Fh.9 S3 f- Q4 t1 i. q; P6 \& v
There are several alternatives.
1 B4 b0 W* f' W. m1 C2 u1 Z% Q: E2 o; Z1 c; _3 R
The following one is the simplest:
/ c: K$ ?4 ^9 J5 ]) l9 \8 ^6 M! L+ @
mov ax,4fh
& `) }, f9 m/ x- U int 41h
/ R, _. w4 G" S, ]2 F& x cmp ax, 0F386
) d6 b S2 z6 l! T8 S' e9 ]. V jz SoftICE_detected
7 R& U# f& h. x* I- K4 x( E0 ^: u9 E+ C2 g' Y# k0 {
$ l& i: Q/ f+ ^9 ?9 l YNext method as well as the following one are 2 examples from Stone's
" B& S) u; P7 ~"stn-wid.zip" (www.cracking.net):
- v+ c& B* l+ E& s1 d9 A6 A I5 r/ N |0 A0 m; g ?( u
mov bx, cs7 k/ r5 }! b/ G' u/ I) |4 b
lea dx, int41handler23 Y \( V$ n- k' j) y6 }( c7 n B
xchg dx, es:[41h*4]
7 N7 @- L/ I# a$ } R6 [, x; B xchg bx, es:[41h*4+2]. _5 p, K9 m% ?' c: S' W4 V9 k
mov ax,4fh* G4 E/ q+ V! P( x) Q6 O7 N
int 41h
5 r+ W% I$ q6 c. d! | ~* g( K xchg dx, es:[41h*4]
- {: @& z* o+ X/ c7 O, ` xchg bx, es:[41h*4+2]
) P$ Q1 [: d/ T cmp ax, 0f386h
~0 ~# W2 S9 j# l- _; C jz SoftICE_detected
. A; x4 T/ F8 x1 q& T
6 {, O) r; r4 @int41handler2 PROC- x9 Z# y( e9 I# b& s. i4 v
iret
! ?: ^' s9 P0 H" O2 cint41handler2 ENDP
1 t- \8 V4 F, ^& A" S
3 n& R, X5 l) J- S8 p& p$ T6 u y9 Y+ H/ k$ c* s
_________________________________________________________________________8 E# A: ]) H& x+ u5 `8 m
, b1 _0 F( G) H% ~- {2 M- v( H3 s0 `% Y# E$ u w. x9 G4 B% U0 x
Method 06
$ n; R+ D& U7 o6 U0 y# Y& \5 z=========
7 o. A J9 f+ }: Z# |8 P8 }9 {$ ]" o% z3 w4 B( [( Y8 a
/ O2 ^6 ?/ ^9 j' r( f c2nd method similar to the preceding one but more difficult to detect:
% Q5 F- V" A+ J {: u+ B
6 n2 F5 d7 A8 F- `/ g' G
# D' ~- w/ Q3 \) U5 t% b0 \+ iint41handler PROC
3 H# u6 w" |3 p$ ] mov cl,al
$ U$ k8 L0 b' H/ ~: \# p! X iret+ k6 A9 N8 s6 u4 ?" V% A$ \( o
int41handler ENDP- n8 X$ Z/ @) Y. V1 g
$ G- R5 q! l* A! x: U/ J; J6 k' G. p \) t7 j) n
xor ax,ax0 f% s- ~/ q {5 {
mov es,ax
5 Y( X; ` z! Y1 V% P/ ~ mov bx, cs6 l; ^- v, E* E/ H8 r: A& X9 [
lea dx, int41handler
: C0 L7 q6 b- m2 t; X o# A, n xchg dx, es:[41h*4]% y2 H; h/ ]7 J
xchg bx, es:[41h*4+2]
+ K0 i" T. a4 g0 q) y$ e in al, 40h
' q7 P9 }9 I. T7 W9 q, M3 W' ~& E xor cx,cx! l3 l6 C2 \* y3 c: w6 ?
int 41h& ]$ g0 p3 ]( K, c! x/ p) F3 k) X
xchg dx, es:[41h*4]
2 r( x1 b& h: | xchg bx, es:[41h*4+2]/ L. B w: d, B3 P
cmp cl,al
( E4 m _+ s5 w$ r! {1 ]* f jnz SoftICE_detected+ Q+ D- ~% C; T. K
+ s4 I( E" a7 J& s3 k
_________________________________________________________________________
, ~# M5 v, O8 v |/ |( V6 ~. p2 R# d4 {4 K1 O
Method 07
: b3 q9 F4 K9 }3 Y=========' Y) P7 M2 M& ?3 j% h! {# X
b9 f4 o% Y: A* f/ w% r
Method of detection of the WinICE handler in the int68h (V86)8 B" b( Z3 b% z& a7 G
/ T4 I9 \' N1 e, i" H; L
mov ah,43h
. [" `' z/ Y8 B" e% U0 `, M int 68h
7 o4 C5 C0 m0 l& d$ o4 {( s cmp ax,0F386h
. y1 a* H' V/ U' p# @ _ z jz SoftICE_Detected
. N3 D" }6 }+ x0 a) a2 z) Z, V
" q' X3 m' }; d9 P# N9 q' Z. z% E- c8 |$ K
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: o# r) I' t) D0 n$ M app like this:
3 ]" ~3 h- [; }) d* U" Z. p; O
8 p4 S5 f# g$ _6 r' v9 s BPX exec_int if ax==68
5 Q* J6 b$ B. l8 \- C/ Y (function called is located at byte ptr [ebp+1Dh] and client eip is+ c. K( O K5 y: j4 Y
located at [ebp+48h] for 32Bit apps)
\# r: m& A) h__________________________________________________________________________
4 k' s [) a5 H) Z# y" `
! ?) S# g0 _7 T: f# q% v( B$ }0 w/ }& {) i
Method 08
+ X3 ~. i% C) m4 h) n+ I% {* a=========
J+ Z, e1 G8 }7 r) h7 N! X- H( w6 P
It is not a method of detection of SoftICE but a possibility to crash the$ ~7 M" i2 R3 R- p# f: P0 N+ l
system by intercepting int 01h and int 03h and redirecting them to another8 r- R, E- m% w; i5 m3 _
routine.
7 g2 z9 R5 i- D+ Y% n$ S: qIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# c8 P+ G6 V( k# bto the new routine to execute (hangs computer...)9 `+ @ F( z' b8 t; D; @
$ S9 {# | E, @& @ J1 X# P
mov ah, 25h( x9 o/ U! Q- `/ r- g7 u& q, S9 H
mov al, Int_Number (01h or 03h)
- M" x/ R$ b3 [3 g6 ^ mov dx, offset New_Int_Routine
3 z" v( u+ g) d- v8 ] int 21h( l: Q7 D4 S% T: `
1 K% A# j/ F) v7 i# B. Q [4 N
__________________________________________________________________________
# W, s8 J1 r, e/ u7 G9 ~% l" e9 F8 ^, G2 A" q
Method 09- H, h( Q) G% B/ A9 C1 `+ U( P
=========- i, h6 m' I. \- {' h3 \& f1 Y0 H
& e. y5 Z& |3 Y HThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* a1 ^/ p! M, p8 D9 V
performed in ring0 (VxD or a ring3 app using the VxdCall).' E* m$ C/ q: [2 H
The Get_DDB service is used to determine whether or not a VxD is installed
W" b2 i3 [& q4 ffor the specified device and returns a Device Description Block (in ecx) for! f3 L; [7 X6 [9 u3 B* t2 y
that device if it is installed.& V% g' o' x8 L: _7 x, D
7 i, |9 r T% v' G mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 ?! V2 ]! C' i( N$ A# }; g mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)5 b3 l0 k& r3 y8 t
VMMCall Get_DDB
. I- W) ^- J0 ` R, D/ w mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed9 W/ }; G, j h1 ]# v0 C
+ X/ E$ y5 ?3 i7 C% `6 }* L9 u
Note as well that you can easily detect this method with SoftICE:
$ X8 \- @4 j& F* p' m4 y* f bpx Get_DDB if ax==0202 || ax==7a5fh
d( |& M. l" L$ t* M5 l
2 ~1 t2 A. q: T0 X( Y5 i; o__________________________________________________________________________
' p7 ?# }, f% M. b/ a0 G* a1 s8 w
Method 10
5 f7 m" n1 q* T" {=========
- W2 A5 E* q" S9 F6 I! ?4 X, i" n0 {. {4 h' Z9 j- ?1 D: g
=>Disable or clear breakpoints before using this feature. DO NOT trace with
6 y A9 n! d$ W" s% T SoftICE while the option is enable!!& T3 K0 V4 J3 F
" |( ^2 p% ?- }+ h0 u# T
This trick is very efficient:' e$ g! y: A# ]6 C7 G- U
by checking the Debug Registers, you can detect if SoftICE is loaded7 ~! V: p! o# m( c. h8 j$ T, q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if/ D( A' `5 x7 I* E) ]
there are some memory breakpoints set (dr0 to dr3) simply by reading their
" A7 u3 |9 M6 g3 e: Svalue (in ring0 only). Values can be manipulated and or changed as well
4 x6 ?$ z% ^7 z' l" ?(clearing BPMs for instance)
8 s* q& Q9 e+ ~' M/ ?% j( w
$ w6 f4 C- u. u7 \6 T2 t2 S0 S__________________________________________________________________________$ A( ]$ e" W! y
, l6 @! Z* }7 h7 GMethod 11# [+ E, [; a' ~6 y1 l
=========; W9 @9 x& H2 C$ G
! t) ]/ d5 J1 h8 A2 a
This method is most known as 'MeltICE' because it has been freely distributed+ m8 e) G' k& Z. j( R' w
via www.winfiles.com. However it was first used by NuMega people to allow
% Y: y3 @; r9 x2 mSymbol Loader to check if SoftICE was active or not (the code is located
; a6 B+ ?6 N8 P) Finside nmtrans.dll).* H# B3 T3 ~, \; e' P
, m7 \+ l5 T3 l/ }' N* M
The way it works is very simple:: j9 g$ b: a. ]
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. I: i \1 u0 C, ?: R
WinNT) with the CreateFileA API.# @/ o1 D& G* S* Q0 D
. V) g3 [# S1 Z
Here is a sample (checking for 'SICE'):. S |( g. X4 C# v- R3 e4 _
, s: L( d: ^4 L. f5 E; KBOOL IsSoftIce95Loaded()
/ Y1 T2 ~- Q; z$ L- H- t4 u{
& [! f; G* k( |+ q/ G' | HANDLE hFile; ; [0 v$ U+ r" G) a# V4 b% L
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ G# ]' t6 g! ?
FILE_SHARE_READ | FILE_SHARE_WRITE,
" M7 r* ~' t% p. x% { G2 _ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
; o: S$ d2 n# g if( hFile != INVALID_HANDLE_VALUE )$ ?; O, H) T, Y2 {5 X- B
{" B7 ~, x) R" a& X, K8 w0 M/ A
CloseHandle(hFile);. @* l2 {6 [: [
return TRUE;
8 V0 {* R' T9 B6 Q }' u! [) h" O% [# r
return FALSE;
( S$ T, p& W8 b( T# K}
4 L4 }) \% }" [0 R: \7 X- H# i; {- m I
Although this trick calls the CreateFileA function, don't even expect to be
; k7 v' y0 D h% m `# a# h8 Sable to intercept it by installing a IFS hook: it will not work, no way!! V. L% @! w0 {
In fact, after the call to CreateFileA it will get through VWIN32 0x001F! o% B% W2 E: u' M) ]. B) t3 _$ {
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* W5 S# ~: |0 z/ N9 i2 a3 X
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
' x+ X3 P$ { W& x! Q% ?( a; `field.
9 w$ c! a6 b- ]6 ]In fact, its purpose is not to load/unload VxDs but only to send a 0 R' k4 @! A; r! [- @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- N# ^- K2 Z) d; r' C# b5 w
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ a( \& }$ W9 ato load/unload a non-dynamically loadable driver such as SoftICE ;-).5 g9 W. |6 n2 T; O% m+ m& ~, p( R
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: c6 X( i% Z' Dits handle to be opened and then, will be detected.9 }$ j$ D0 ?; }& k
You can check that simply by hooking Winice.exe control proc entry point3 j% i3 b* }8 x) L; I( N& L
while running MeltICE., E3 o4 b, E) m7 _4 ?' ?
3 R& s4 Z! d3 S& ?* e A* \ c
4 i4 ]1 g E6 d/ Z+ m 00401067: push 00402025 ; \\.\SICE" O7 |* Z7 V- J
0040106C: call CreateFileA
9 v8 v/ e3 y- G% @6 p) K 00401071: cmp eax,-0016 I; I! z( Z. W2 u" h2 H
00401074: je 00401091) {: |( u" u o( J) V, ?- k
: S- X1 P% L- m/ a) ]3 G5 p
. X! z) G# p4 M& Q8 |
There could be hundreds of BPX you could use to detect this trick.
9 C# a5 D M/ T& `-The most classical one is:
- W5 R/ P2 x7 R. E1 K! R" u! g BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||/ [6 ?' p! z+ c X9 F, S8 z# H
*(esp->4+4)=='NTIC'
/ J3 q# \; r, d2 b" m- P* B0 |9 P0 k n/ u
-The most exotic ones (could be very slooooow :-(" x. n' a, [& s2 o
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') - k! v6 D1 b0 z" q- H, f) J! f
;will break 3 times :-(- \3 `) i6 M9 o! w
% v8 ?5 s7 J6 M0 v: l' P
-or (a bit) faster:
, W$ ?$ |+ V1 { M BPINT 30 if (*edi=='SICE' || *edi=='SIWV')6 C& z$ k; n# a/ Z
( t9 T3 d- w% j& s, c+ v3 V BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' $ y/ |! B% w& ?9 W; K; d
;will break 3 times :-(
. S9 i4 ~% M6 o* ^$ z
, B. v/ K7 { @; ^-Much faster:3 s& z6 g. |& ^
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'% y5 a2 p0 Q: m. {7 h% S
+ i: G& V% ]& q: \! C% RNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
- D0 ^% E ^- Qfunction to do the same job:; {- `3 l+ M5 H" K0 c" f
1 g5 ~, n& n) T: g& l, D
push 00 ; OF_READ$ J" M e {" n* u
mov eax,[00656634] ; '\\.\SICE',0
5 c, e) d% q8 s2 b push eax" q$ |: z/ d; i: Q0 ^
call KERNEL32!_lopen* I' n* [: j+ V" x* {7 H& Q/ V5 S
inc eax4 C1 s) O) J# A5 j6 g0 \
jnz 00650589 ; detected
( q F. f! i: R push 00 ; OF_READ' P- k5 O0 v- `! P6 \
mov eax,[00656638] ; '\\.\SICE'
( N% J* v! C7 N% w7 O push eax+ s* P6 z7 w7 Z, q
call KERNEL32!_lopen
0 N+ d/ {9 N# e* A1 E' v2 e8 W inc eax
1 L% G/ T' Q( C# n* U9 H jz 006505ae ; not detected- l9 P- v7 u& o3 H
1 K+ E* T8 _. w0 E" P" p
& F. Y. S' |5 n7 B( |__________________________________________________________________________, E+ @# u$ L9 j2 [ E
; Z+ [- i+ W, c6 A+ I, d# r. i5 W3 V
Method 12
6 r. f' T# n+ B& Q6 v8 m=========
, O8 m) J$ _9 G2 ~8 [1 f' J4 W: t$ ]% j L9 P; c( b3 ]
This trick is similar to int41h/4fh Debugger installation check (code 05* K4 ^5 Y* }; [ Z% A
& 06) but very limited because it's only available for Win95/98 (not NT): ]9 O ]3 h0 V4 v7 n. G3 B: ?6 g
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
- Q; s' ]3 x( k$ ~- e8 e! |7 x8 Y7 H% R- q2 C% t" [9 [. g _
push 0000004fh ; function 4fh2 Y( o2 p( K6 D& h6 g0 n; ]# G0 f0 e
push 002a002ah ; high word specifies which VxD (VWIN32)' O2 v7 k* k! d- y4 Z- F
; low word specifies which service: U6 I# n) f! I) |& U
(VWIN32_Int41Dispatch)
1 ?2 r+ d5 O% W call Kernel32!ORD_001 ; VxdCall8 T6 E* {2 A/ \5 J$ a9 L/ Z. _9 i" v
cmp ax, 0f386h ; magic number returned by system debuggers4 \9 J o2 q# ?
jz SoftICE_detected" d. w' r* V/ Z1 \
& ^3 ]: {2 t6 ]" C
Here again, several ways to detect it:8 H. ]8 N8 H# R! C
" ]6 e. f; u6 H+ ? BPINT 41 if ax==4f
, H, o; h0 _1 z: u! j: i. l8 X
# v3 c+ {7 q2 S. a BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
8 l6 _. u# o+ u( Z% H/ i
+ m: g. ?* M- `2 V* x BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A K& x8 A, R0 Q) f6 _! m5 Q# o
8 h" h9 Y+ [0 u3 J
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
c* N( o/ Y ?, s6 R9 C
4 x8 j' ~& h N- b/ u6 t__________________________________________________________________________
2 B; j. U$ \, n1 t, l8 k' f
3 Y# S3 ^. o" t, T; bMethod 13
1 u- X) W: ^4 q6 y=========
% C+ L! `$ i1 C/ M, i8 L5 ]
1 h& R1 P1 }+ n- s6 _0 \5 Y9 RNot a real method of detection, but a good way to know if SoftICE is ~* v" M8 f2 _ ?
installed on a computer and to locate its installation directory.+ l, U) m0 I0 d- G X
It is used by few softs which access the following registry keys (usually #2) :1 ]1 Y5 j# @7 E+ r: n
; K5 U3 j" z; {2 }$ a3 C& h1 ~-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! U. \( ^4 u5 ]' ?+ y1 R, ]* k+ l$ d\Uninstall\SoftICE
5 y7 ]- D- ?( m. n% g-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE9 w5 @! G8 ?5 c ?' N
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, y- b+ d3 M! g2 {; {\App Paths\Loader32.Exe, \+ |3 z+ [: e$ [, G8 G8 Z
- y3 v2 f6 [ N. b0 q. s( S6 m* ~. l& k" b; L" A6 ~ A l
Note that some nasty apps could then erase all files from SoftICE directory* ], d t/ n" q+ m- G" Q @- q
(I faced that once :-(
5 y' V. a0 Z# j; o$ w; s+ U8 J8 [$ O- ~( a! ?5 Q1 T6 s
Useful breakpoint to detect it:& o1 N) w: j$ N
7 V6 u5 j; F# ~$ i* F! c3 J t' c
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
- l- h( |# c( K3 Y% _2 e! ]- s0 N) B8 L4 H$ J/ C
__________________________________________________________________________# {5 C5 d- r X& }7 l$ Z+ d
0 `) J: }) `- x* `
' B& t2 u1 h% a0 J) y7 }* v
Method 14 * u3 U6 [7 Z- E! K
=========. A' N! M9 s# \0 |. e2 N
1 v0 l! Q" w3 E8 W+ v2 L( ?. oA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose0 Y) ]7 O5 e( |" b3 @/ h' _2 _
is to determines whether a debugger is running on your system (ring0 only).5 A# p4 D% e; R {0 J9 a/ U7 z
7 a, f1 U9 J3 ~$ a: V* Z
VMMCall Test_Debug_Installed5 ?8 w4 [+ |8 Q) W) J: B& K c
je not_installed3 U/ A# F- Y2 m+ O
4 L& O6 q! u$ o( K
This service just checks a flag.
& h4 G2 I" h6 a; g</PRE></TD></TR></TBODY></TABLE> |