<TABLE width=500>: B: m% z y% X/ C$ R& E" V9 x
<TBODY>
3 m$ a( `. {$ _( ` H<TR>
( O/ o1 V( B0 U<TD><PRE>Method 01 : w' G/ q, b; ^ \: X
=========
o1 g: k2 X4 G$ i" a0 g' w! F' Z; M: w
1 d K" n, A% H D2 q9 x9 aThis method of detection of SoftICE (as well as the following one) is
, z2 ~/ U6 n5 O- g6 zused by the majority of packers/encryptors found on Internet.
% ^' g( g4 i& @It seeks the signature of BoundsChecker in SoftICE; k& o% d5 {; F; E: P f
0 C0 O8 F2 V" G# m* E
mov ebp, 04243484Bh ; 'BCHK'
& \. }9 m1 ~; |# ` mov ax, 04h1 p; }0 p& X3 [9 D' T6 X r G
int 3 . t. x5 g0 Q, D" b# U) q/ [
cmp al,4' i2 E/ I! X7 Y4 H2 M5 ^
jnz SoftICE_Detected
1 L5 C2 H8 Z# ?: H" [4 O8 S. a) Z% Z5 H$ X' Y$ ~# q
___________________________________________________________________________& T; ]5 |1 i% E6 o
& p6 l- t' q( s: o% q& H
Method 023 ^( ?4 T1 Q% s \" v. Q8 E1 S* D
=========" ?, o2 P/ R3 K g# F
3 ?$ o/ A- Q- n O, t( G/ xStill a method very much used (perhaps the most frequent one). It is used
5 f" x7 `! i# Z( c9 t. z: s; jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,9 w$ ^, [0 C( H( s' ?7 G$ d; |
or execute SoftICE commands...' i) r5 Q5 }. U
It is also used to crash SoftICE and to force it to execute any commands
/ p% r! k6 D! Q% v(HBOOT...) :-(( . y* z4 ~9 M( B7 M, h- Y
0 X f. K2 y5 L% m0 n9 F6 e$ M0 f
Here is a quick description:6 t' H# l1 P5 N8 [8 a& z
-AX = 0910h (Display string in SIce windows)' [4 h( l! e6 G5 g+ t, ~
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)$ Y" C2 T! p# P+ m, O& H; g
-AX = 0912h (Get breakpoint infos)
+ L+ k4 z, W! X5 m, E( n/ W-AX = 0913h (Set Sice breakpoints)
3 X, b+ ]! `9 d-AX = 0914h (Remove SIce breakoints), W7 J( d- U. y
; B$ e) m0 U3 x, m
Each time you'll meet this trick, you'll see:) d# d( ^' T) q
-SI = 4647h( |( n& }) ^ j
-DI = 4A4Dh6 m. c5 J3 C0 S# y+ o; f: H
Which are the 'magic values' used by SoftIce.$ ?* C9 M7 R* I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 U% ]: |2 n4 |0 r* |5 F1 w
6 s b' ?- g G$ c+ GHere is one example from the file "Haspinst.exe" which is the dongle HASP0 d2 F+ a8 o9 I' T, v
Envelope utility use to protect DOS applications:
3 k& b9 ]+ N% V0 |, Y
$ K3 n: V3 g6 _8 ~, d( s. D1 D3 K
4C19:0095 MOV AX,0911 ; execute command.
9 Z+ M* p9 X2 t% k) v# Z4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
1 j+ E c" l: O8 \& n A2 Q" N3 h6 {" R4C19:009A MOV SI,4647 ; 1st magic value.' V- u. |: U s* P( a
4C19:009D MOV DI,4A4D ; 2nd magic value.
' O( r9 |) k& I. a6 q4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)% F- a$ O5 c0 X% p8 u1 x2 [" V j
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
" W& d+ t' }9 s/ n9 j4C19:00A4 INC CX
2 f2 |0 T0 M. N& h' M3 p4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
+ t7 I; E. O9 @7 j$ c4C19:00A8 JB 0095 ; 6 different commands.9 ?+ t u' N4 r8 E
4C19:00AA JMP 0002 ; Bad_Guy jmp back.# o4 y! ]6 K( M- ?. Z* w8 y$ e
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)( J* B' l; H6 a# F
2 s) ]; E9 T9 z$ [, Q
The program will execute 6 different SIce commands located at ds:dx, which) ?" s2 p, B; k' [* N1 s( S E
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
, J/ n* M' H+ T1 ^: U; t. q* ?/ o- j4 W$ t2 x; o/ ?7 v1 h
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.- P1 a- \$ r+ f% s5 T
___________________________________________________________________________
8 i @$ [7 L, f" `
- E* O: A7 u2 ?" K2 {8 T! C1 v0 P' G2 i2 J9 X' Y0 X
Method 03, q% z7 Q4 H; t5 f- N1 t) M, i
========= a1 {5 G# }$ Y( K/ n, y2 G
U$ e7 D- H% x% E* i" Y
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 B: y1 ~) `$ q. `6 w0 U r(API Get entry point)
' p7 n. m3 C9 w. c4 _
* _+ m( W5 O8 o3 K: T; ]7 z) o3 A) J8 [8 V* t' p ^
xor di,di
9 L8 f# n) L$ V mov es,di
* j' {0 W5 N( y) |1 x, S mov ax, 1684h / g! x% a$ {' v
mov bx, 0202h ; VxD ID of winice/ s! D4 j0 [7 V5 o) e5 D% K7 t
int 2Fh
. o& h% ^3 V( { mov ax, es ; ES:DI -> VxD API entry point
2 S2 W8 Q7 E( p# y add ax, di
1 P$ O* @1 }0 Q test ax,ax
0 l0 p7 P, i0 Y" O, m jnz SoftICE_Detected
& C7 p) t3 f6 l% e8 Z) k* e: J4 o A8 d: Z# R$ _
___________________________________________________________________________$ q: \: `4 L9 m) U6 j U
: f' K: a, d: R* iMethod 04
$ `0 g4 [) Z8 h4 ?8 C7 }% i7 G- ?1 _=========0 @& O1 N& v* H. H! n: n
; |+ c: x( x4 c; B( o1 ? [Method identical to the preceding one except that it seeks the ID of SoftICE$ S) u" F# x# W- B" b
GFX VxD.
4 ~! r7 k/ N R' e
. T& r% F3 X/ Z8 v xor di,di0 |5 c: p: V4 U5 C4 z* B8 F- b
mov es,di+ Z1 M$ Y) {4 h' R( D( u+ h( a* ?
mov ax, 1684h # {: o0 S% E% P1 F& d0 K
mov bx, 7a5Fh ; VxD ID of SIWVID' l! @( x6 T$ _& y! j( ]
int 2fh& O2 N: p( f- t8 n: K; o- |
mov ax, es ; ES:DI -> VxD API entry point" j) X% V5 i& D! `6 x# V0 \
add ax, di: n% J( \/ e6 a) l m+ q4 `
test ax,ax0 w& {1 z; t0 `6 p% l6 ]7 t
jnz SoftICE_Detected
8 P2 [4 E* }' a! b0 V6 q& Z4 }# ^% \: d1 w. t( ?$ v
__________________________________________________________________________
4 c& F0 E5 q1 g K, l9 A% G ?8 h
% O' A- U* q. @+ {+ D6 M) k- H* |1 S
Method 05 Z/ k- N `$ l5 b$ x
=========
2 Q: _" p4 j: e2 h( O: O3 O$ w# g1 X, l
Method seeking the 'magic number' 0F386h returned (in ax) by all system2 Q! Y4 l) C8 ]# \: l. B
debugger. It calls the int 41h, function 4Fh.
5 ^& O7 ?6 ?5 O, m8 H" nThere are several alternatives. + e! y0 U* W: z' }- S0 r$ y
% \ y. m, L' u% Z! l {
The following one is the simplest:5 a$ Y+ w9 z, D
$ p7 Q& N b. r4 S mov ax,4fh
3 y, ?. H) C. e+ W9 V int 41h
v5 L! }+ Q8 w# m$ T cmp ax, 0F386
) a& D) x- h, f: X/ [& H2 e7 ? jz SoftICE_detected
' l1 \6 X. h3 _7 j1 O9 b- |8 e/ w( ~0 q; G& ] G* l% u: T
+ q+ R( W/ V3 [: ^* Q- f
Next method as well as the following one are 2 examples from Stone's
# R- M) A7 b! `% L"stn-wid.zip" (www.cracking.net):( [; S- S$ W1 Y9 c$ A
8 o6 K/ U' e4 d# i1 C, J
mov bx, cs
/ f& Y: R$ h* y& ]/ _* g lea dx, int41handler26 a+ }: C7 ~/ Q7 l( r" o' z4 Q
xchg dx, es:[41h*4]* H$ P- o, [3 Q/ L
xchg bx, es:[41h*4+2]! ], o; f* Q( Y; x9 W P1 q- Q' o9 p
mov ax,4fh
* C3 P& ?* V' S+ D int 41h; ^3 J$ }$ I4 B8 E* I! f
xchg dx, es:[41h*4]& ~; ~' s) l7 a( y
xchg bx, es:[41h*4+2]
; o, J& M$ {# s. j- U cmp ax, 0f386h9 a8 F4 h8 T! @( g. l
jz SoftICE_detected5 A$ B! l6 Q d9 W) [
* c! \; H1 o- \" R& ~8 Q) ~6 n
int41handler2 PROC
' l7 z/ ~3 r- M. T: e iret1 c8 n# p% c( _( y* P
int41handler2 ENDP- f# ]3 x |9 c( g8 U6 J
3 [/ F* i( y" L0 k$ b5 S& W& ^! f" O, D# l" w% [$ Y/ W" n$ X
_________________________________________________________________________
4 g/ g( y# S9 E8 L
8 t. k% J [* \& y
0 r8 Y2 v* ~/ o. D" SMethod 06, A) v4 J7 Z- |4 ~" g: F
=========
4 r9 `4 I- [* o( F
$ K" {! Y3 ?6 S0 E7 R5 t) z0 t& k8 c4 `$ S. w+ |. p
2nd method similar to the preceding one but more difficult to detect:: l5 f4 H* z- {
, [* k# C1 h( L! \3 a6 f
% N/ ], A5 `6 p2 e2 _. |4 ^int41handler PROC
' B2 G. n k: o" t mov cl,al' R- r( @. _! f! \
iret' H! n; o! F$ Y7 Q5 G
int41handler ENDP# u. Z. Q& `, \1 _" A
& z( z2 g: k: l2 c/ @
" t) K+ w5 [$ Y: c4 q9 M$ _/ j6 m xor ax,ax4 A5 R4 @, G2 V C9 v/ h
mov es,ax
+ @: U K! e# H mov bx, cs
! I+ T+ i, X0 M. b: j- H lea dx, int41handler4 `# T# f8 {# l4 R$ ^
xchg dx, es:[41h*4]
9 S" s( H. V8 z; k$ H! r) ~ xchg bx, es:[41h*4+2]+ m% c. z0 d* u
in al, 40h# H# c6 X: C4 O5 _
xor cx,cx
, E# u9 m: T; G& f1 ~$ R int 41h
, R. n' p( l6 @$ G: s% K2 s xchg dx, es:[41h*4]
- O9 L& O9 a0 Y- F: y xchg bx, es:[41h*4+2]5 J$ `: v7 ~7 C9 u
cmp cl,al3 ^% B0 u- ^ [+ j7 V3 P
jnz SoftICE_detected
4 S* E J- f/ a8 K! V
4 |) j$ H+ o9 |& J_________________________________________________________________________
2 l9 C9 k! b- D2 m
l. P! w. g8 dMethod 07( Z6 E# q" x V& m6 N; L9 U
=========
! w& C( o$ O! X+ ` \1 n- ~' U/ K7 Y, r) M; g
Method of detection of the WinICE handler in the int68h (V86)& }! Z/ W0 b6 @: e
% N1 x: N( L4 F- ^ mov ah,43h
& x6 E* B/ H2 l. l6 [ int 68h9 [6 q# m5 X% g) f: f# ]# J/ _
cmp ax,0F386h
$ f4 c& }6 | t, a& i jz SoftICE_Detected
2 O5 i- J; l/ Q- d! k# C. A8 g6 O1 s, N( {$ U8 [
% U& b5 m5 J. \* S; Q=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit. C# R3 |( P' r8 |. Z! B% z' u7 S
app like this:
$ b2 B, g5 L H5 C& j1 L' G; T6 n4 H+ W$ [2 B
BPX exec_int if ax==68
X, N/ M" _; I (function called is located at byte ptr [ebp+1Dh] and client eip is
3 q. c8 G/ q' o( Z) O" s located at [ebp+48h] for 32Bit apps)
+ X5 Y! D" u2 X) _3 T* b Z1 `__________________________________________________________________________: P! E* c o! ~6 k- l* G, N7 b
* f9 l* I9 \' J7 e7 ?0 W9 Y& E
' F7 k( x/ u/ M3 q, {! O" MMethod 085 k" d* G" i5 a6 l1 N! @
=========
?: O/ J6 ^- I! ]% X& I9 f+ ~3 r4 m8 G$ K, f$ k% t
It is not a method of detection of SoftICE but a possibility to crash the
8 e E0 P m' Gsystem by intercepting int 01h and int 03h and redirecting them to another
* B# y- \: y/ e0 ]routine.2 M% J4 n- B' w7 q, T$ ]* O- @
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
$ k& i8 R8 E# |4 S( Y, ~& ^to the new routine to execute (hangs computer...)2 C5 t5 N9 u* z8 V! E
& `; z6 s0 ]. E7 p4 Q( u/ F
mov ah, 25h
. P7 S1 p. G. v2 m/ H mov al, Int_Number (01h or 03h)$ z) I6 G6 m* F0 T4 k& g* u/ V
mov dx, offset New_Int_Routine1 m9 e) n- I6 c
int 21h
- Y! N+ T9 B7 g8 X3 J: T, S9 M R3 {; O7 O9 m
__________________________________________________________________________
( B. V$ L7 \" { j. @; i* ~* t- A% x3 A5 K
Method 09
' B4 {. L' @" h# v$ f$ K: Y=========( C! H5 T! m7 R. u' I
# G. w) B/ G& a2 W! k
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only5 @9 p/ Z" T# v# k# N& D
performed in ring0 (VxD or a ring3 app using the VxdCall).
) W7 E: _1 H3 G: b! c5 M) eThe Get_DDB service is used to determine whether or not a VxD is installed
+ G5 T; o! s) a$ {$ t7 Lfor the specified device and returns a Device Description Block (in ecx) for0 V1 U# b! ]4 m2 m: c
that device if it is installed.* {5 K; |2 d' o
: ~7 D& e/ r; d/ g mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID. c3 [) m! d; l( R) H( l+ _
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)0 e E. x5 c& Q W: |! e
VMMCall Get_DDB" c+ r& n$ b9 i4 z# p
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed) R; v( Z$ u) R
* [# q2 N! V' Q3 e* hNote as well that you can easily detect this method with SoftICE:
: {# ?( m% r' ~4 m7 n7 w bpx Get_DDB if ax==0202 || ax==7a5fh2 S8 l# j5 W5 q, Y* K( o+ D
! c, [$ b2 ~- e__________________________________________________________________________( N4 `) P6 m5 a% P+ p
' T3 y+ u! H4 @6 P! \Method 10/ Y2 o# B0 k' o0 T5 Y" Y
=========* Q- v8 g/ _9 }4 p( B. l4 S
/ ^" W9 j: H& P& X ^8 t4 K* m7 {6 l=>Disable or clear breakpoints before using this feature. DO NOT trace with
( e- F9 v2 ^% Q* T( l SoftICE while the option is enable!!
" `$ e; h* D; N) G c
3 H( ~5 V5 P2 cThis trick is very efficient:0 x' u' C: O; N: o* f1 C
by checking the Debug Registers, you can detect if SoftICE is loaded" v/ c: [! h- n% x% q( B; {
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; `% F/ i* \/ c v
there are some memory breakpoints set (dr0 to dr3) simply by reading their
2 a4 ]- f# n4 B/ C! xvalue (in ring0 only). Values can be manipulated and or changed as well/ W0 f" q- t& y3 x5 t
(clearing BPMs for instance)
- \, e. b6 s* b4 {7 n3 v$ m) y* M$ a, @# B1 z2 B0 l
__________________________________________________________________________. G' w9 T9 ~+ M0 I* {! m
! g: u% }% Q+ o4 i2 B6 Q$ M& O7 }
Method 11* |% N) n1 _2 q* H4 h8 d" B# Q
=========
/ [5 x8 H5 q5 T; F9 v. `/ f1 z0 n# U
This method is most known as 'MeltICE' because it has been freely distributed/ @2 \" e- ?2 t/ w# w
via www.winfiles.com. However it was first used by NuMega people to allow
$ W( p7 H3 h* G' _( S- v( }Symbol Loader to check if SoftICE was active or not (the code is located1 @7 c8 v% |7 o8 t
inside nmtrans.dll).% E7 |7 x2 N& f% g
7 Z8 O8 a0 E& W; Y' B: k1 O
The way it works is very simple:3 I7 [5 y2 u3 A; B9 m7 x) R0 `
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" I: j n' l% A" ]6 uWinNT) with the CreateFileA API.
9 E+ w6 ]7 n+ F1 c0 e) u
! N( K# _% Q1 w2 U- _/ U$ @% _1 p, pHere is a sample (checking for 'SICE'):
6 @% | }, t& j( u; [4 |8 V. A W' l; \5 F# e
BOOL IsSoftIce95Loaded()4 j! g0 N& J2 z
{1 _, w" e: r! S0 ~1 v4 l- r6 O/ C/ m
HANDLE hFile;
. H; o i" {3 r hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,( Y* _# O) h& t1 |& N6 Q
FILE_SHARE_READ | FILE_SHARE_WRITE,, I. w1 A* D* I* [1 Z w5 m
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
7 R6 l: w1 T& x& ^- v5 G if( hFile != INVALID_HANDLE_VALUE )
4 `/ D3 |) W! w4 V {" |' z# L" f# Z* M: Q2 I1 n
CloseHandle(hFile);( W6 U9 N; |3 u1 K
return TRUE;7 Q6 R& C' B$ o! a
}
4 Q( m, Z1 ]( x: V return FALSE;
' y0 m* V( v4 g0 ^. s}
/ A3 M; }6 Y/ H0 ~' A \% `- ~7 A5 B6 j6 w' s
Although this trick calls the CreateFileA function, don't even expect to be
% ^2 j* i9 i' J: |7 j; uable to intercept it by installing a IFS hook: it will not work, no way!
# o _! p; w0 Z* s7 o+ h, W0 FIn fact, after the call to CreateFileA it will get through VWIN32 0x001F: d( Y5 d9 e/ y+ e4 ?
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 N5 D5 _9 l; x% f2 A7 ]" Z
and then browse the DDB list until it find the VxD and its DDB_Control_Proc" i* N: b; H' \1 f. I1 [
field." d# F3 j; g1 | Z8 \5 l6 G: x
In fact, its purpose is not to load/unload VxDs but only to send a
7 f+ K+ |6 `( G2 LW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)4 _3 M: S2 \3 a/ u1 e! V
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
/ F- O7 y, O7 x) Z3 i6 lto load/unload a non-dynamically loadable driver such as SoftICE ;-).) m2 s# g: V- x
If the VxD is loaded, it will always clear eax and the Carry flag to allow
7 f. w* S2 |, t a) b) _its handle to be opened and then, will be detected.
2 s4 Y" E; L$ BYou can check that simply by hooking Winice.exe control proc entry point3 Y9 y9 _* p7 L% o- K, w6 g) A n
while running MeltICE.
+ ~% t8 S6 s( H+ a( V
* k5 ]/ g: {* c2 N
5 S; q0 c6 H8 {( c9 C3 q" y 00401067: push 00402025 ; \\.\SICE' q6 L% s, w: L& m5 p; G
0040106C: call CreateFileA6 x; O8 ^0 |$ N8 u
00401071: cmp eax,-001/ G% A: W+ m( ^4 F, V8 c! E% V
00401074: je 00401091
5 S: k E) S3 Z1 c2 C: G
) U1 V/ N8 o8 O8 D) ~# p
& L r& m- m7 q# WThere could be hundreds of BPX you could use to detect this trick.# d" U( M H8 h& M( @$ }" ^2 N
-The most classical one is:3 P& C/ Q( [& B% f0 q7 c) x# E
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||' M! J' C5 Q+ i
*(esp->4+4)=='NTIC'
; f4 @. ], w$ [. s$ }
; R# F& ^9 ]) W, p/ ^4 ^6 m2 B+ o-The most exotic ones (could be very slooooow :-(3 U( k% X) P& t# Q! W5 A A: u! ~
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') $ c8 O/ H" P9 y7 R
;will break 3 times :-(+ |" m2 v' e9 J' G% D
8 f0 P Y, N! b* g; D8 g, I3 h$ W
-or (a bit) faster:
+ v1 ^( {# [& J BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' o6 k/ Y- Z6 R7 L
p0 N& b8 ^# q w9 | BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
9 r( Q0 z: L) U' ~; D4 P! A% y- q ;will break 3 times :-($ m w& b, w# L; l' c" h# A* ?
0 o1 d# B( H2 H: E+ y/ r
-Much faster:, [' d( Q' N# V' h3 D4 d
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'2 U. M+ g' F! j& T' u1 B
2 D: H6 ]& Q8 M* R5 D+ z& x
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
4 I. r/ N, K) u8 a: hfunction to do the same job:& d9 B V; ]+ P3 H/ Q& j6 X# p
8 @ U6 I% Z& b( o* f2 i$ { push 00 ; OF_READ+ I0 l T4 F1 h$ ?0 u3 q9 Y/ X# J8 z* e
mov eax,[00656634] ; '\\.\SICE',07 b# d$ q: h3 q7 r- i: S
push eax
# C1 t- V! V. E0 M6 r, N# E6 X call KERNEL32!_lopen
7 w3 P- N5 w# B4 B inc eax
3 B0 w6 q5 ~9 {# V" o* U jnz 00650589 ; detected3 F1 `: k I2 w" H" j
push 00 ; OF_READ& U% s- c y t6 |; o
mov eax,[00656638] ; '\\.\SICE'
: P/ L) v* u; E" T9 L push eax
# Z$ }# Q" Y& ] call KERNEL32!_lopen6 U/ V8 |" t$ N8 X; M6 d: }0 A6 |
inc eax2 |8 d2 N$ z. J1 a% u3 D! F/ u
jz 006505ae ; not detected6 M/ h% J; u# v
' _) P0 @5 X9 d
; e% e+ g) n. |6 I" o- r__________________________________________________________________________% Q( ~1 y! s X( K
) y) w3 s* c5 N8 h- k0 I: c
Method 12
* G+ V" C* A% E; T% ~' W=========
8 A' X8 T i) q& p4 r9 A" {$ n8 c6 x7 h& Q' m# Z' ~
This trick is similar to int41h/4fh Debugger installation check (code 051 k1 {( w5 E% ^6 Q# Y1 y) w
& 06) but very limited because it's only available for Win95/98 (not NT)1 C/ ?( C. f2 v/ K4 i3 ?& l7 k4 M. {- @4 y- h
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
/ q( Y) }6 K6 o6 l
5 N+ Y2 t6 |/ b# b) o% u push 0000004fh ; function 4fh
6 S- m4 a% w* p& _. H" U7 N push 002a002ah ; high word specifies which VxD (VWIN32)
: I- W" C6 c4 h3 g6 {4 H) C ; low word specifies which service: A. _* ~: }: U( M3 f% N2 ~, ^8 l
(VWIN32_Int41Dispatch)$ ^% A! I" p C+ I! o! H, K
call Kernel32!ORD_001 ; VxdCall, ?8 ?2 ~- K; X9 D* W2 R( y
cmp ax, 0f386h ; magic number returned by system debuggers3 m& L# s( a3 H: g- L8 a, Q
jz SoftICE_detected8 I6 t" Z5 P4 g/ k; G0 g- R5 g
- O$ Z9 C# t9 I& P
Here again, several ways to detect it:
9 _6 @; W5 I( T, }( Z8 ~- x+ @2 s: i
BPINT 41 if ax==4f
' X* U; y+ `. X" V1 W
( Y" j$ Y( T; m M9 a BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one1 W6 a3 U/ L/ ]/ n H
/ Z0 M T: d0 x. s$ t7 S
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A' U, M9 E5 G2 c q: Z2 Q
$ R8 L- i* u2 U) [. U- _. y. `
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!. |$ ]6 B) \3 e3 {. w# L- m) n
7 Z2 D) d$ P" k, U$ `6 I__________________________________________________________________________+ [7 J2 t: }. t4 z8 K- v
6 J4 |6 M5 J7 k& kMethod 13
( T' B( I, A; g, F3 h) J& c=========
' b# _# K5 H4 L1 q" `+ W- ^% O1 y- L' o% K! c* P( H
Not a real method of detection, but a good way to know if SoftICE is
6 J% S! j& P& h0 [4 [installed on a computer and to locate its installation directory.
/ T/ {* Z/ [1 n, `! o) L; P4 t8 z3 BIt is used by few softs which access the following registry keys (usually #2) :& H* `" K) c' ~& e
^2 o& f4 \: z) S9 b# \-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& A: m! m% f$ C- @7 G% P
\Uninstall\SoftICE
5 O8 l5 r8 @3 K-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
9 \' g) m# B5 ^3 u3 K' r9 j-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' U* d" M+ M' O/ K
\App Paths\Loader32.Exe3 y3 w8 S$ r. h. o
1 W" v2 k2 D+ P8 g
/ T( P" u! o( n m
Note that some nasty apps could then erase all files from SoftICE directory8 V @ p. ^+ C2 J, I8 R1 b
(I faced that once :-(
7 J4 {+ k' x* N- O, E- x/ [; O% b9 V# p8 K9 m
Useful breakpoint to detect it:
* ?5 k j4 k% g6 ?. J0 u0 z
5 S. S" q7 x, q/ f- y! j+ X BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'$ m; ], w; P0 C( ~5 X
# u! m O* }$ w6 o__________________________________________________________________________
% I9 B, j" q( m) t2 Z- b/ y( e& J9 u# v7 ?. [
$ E- X) F3 Y2 b$ Q& rMethod 14 7 o j' K# ~; b0 r
=========
# w, r# B. G3 g' @3 B5 `
/ }% i* [; D: V0 `- T( f FA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose8 k0 Y6 C. k4 E/ l! h& V/ x6 O
is to determines whether a debugger is running on your system (ring0 only).
! R+ C1 Z0 K" O; e% W- b5 P! t
3 _$ h( ^' p- u: K1 K, \ VMMCall Test_Debug_Installed
) Q, b+ i5 e+ i# B. k je not_installed: D9 Z- L7 K5 |0 I+ y( W1 m5 E" X+ k
9 D0 w5 b P$ P, p0 D& |
This service just checks a flag.
1 k9 H j- ^ _+ [5 p' E</PRE></TD></TR></TBODY></TABLE> |