<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler before the call (es must point to the IVT, i.e. es = 0, as in the
next method):

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]   ; install dummy int 41h handler
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]   ; restore the original vector
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; reached only if nobody else handled int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]   ; install dummy int 41h handler
        in al, 40h              ; any non-constant value (timer channel 0)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]   ; restore the original vector
        cmp cl, al              ; cl != al: our handler never ran
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
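An added example, mine rather than code from this text or from any tool it cites: a small Python scanner that looks for the constants methods 01 to 13 leave behind in a binary, the kind of static check an analyst runs while triaging a packed sample. The byte encodings are my assumptions about how the listed instructions assemble, and the sample buffer is constructed.

```python
import re

# Static signatures for the SoftICE checks described in methods 01-13.
# Each pattern is either the assumed x86 encoding of the instruction(s)
# that carry the trick's constant, or the device/registry string it opens.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("01 BoundsChecker 'BCHK' magic", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh  ->  BE 47 46 ... BF 4D 4A
    ("02 int 3 back door SI/DI magic",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID check",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh ; int 41h  ->  B8 4F 00 CD 41
    ("05/06 int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h  ->  B4 43 CD 68
    ("07 int 68h/43h V86 handler check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Methods 05/06/07/12: cmp ax,0F386h -> 3D 86 F3 (66-prefixed in 32-bit code)
    ("magic 0F386h compare", re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 11 (MeltICE): driver device names opened with CreateFileA/_lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch", re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key of the SoftICE installation
    ("13 NuMega registry key", re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(buf: bytes):
    """Return (offset, signature name) pairs for every match in buf, by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: instruction bytes from several methods glued together,
# not taken from any real packer. The offset of each piece is noted.
SAMPLE = (
    b"\x90" * 4                             # 0:  filler (nop)
    + b"\xBD\x4B\x48\x43\x42"               # 4:  mov ebp,'BCHK'          (01)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # 9:  mov si/di magic ; int 3 (02)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # 16: int 2Fh/1684h, bx=0202h (03)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # 24: int 41h/4Fh ; cmp ax,0F386h
    + b"pad\x00\\\\.\\SICE\x00more"         # 36: '\\.\SICE' device name  (11)
    + b"\x68\x2A\x00\x2A\x00"               # 49: push 002A002Ah          (12)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a real file with `scan(open(path, "rb").read())`; a hit is a lead to confirm under the debugger with the breakpoints listed above, not proof on its own.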


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>