<TABLE width=500>( A$ o% N+ M1 a) M# E1 y
<TBODY>
r, T) P' D8 ]0 w- }2 p<TR>- E5 L3 [* L9 c/ _" l0 ^0 X7 v% s) g
<TD><PRE>Method 01 ! v. d; S) t8 W" [& `+ ~
=========
( t" B0 A$ `3 f" z7 @
- g1 E: Z0 u: g. }. g! K. ?This method of detection of SoftICE (as well as the following one) is
5 I- |! b6 a" v% `; Vused by the majority of packers/encryptors found on Internet.
, p& \9 H% C' h TIt seeks the signature of BoundsChecker in SoftICE
5 U8 ]/ C2 z# g) A/ {/ V- b* m! B. I1 j! P+ r
mov ebp, 04243484Bh ; 'BCHK'
( y5 a# `3 w$ v: _ mov ax, 04h7 A2 N: x+ R6 B( \1 }. H' s
int 3 0 s) ]2 i$ d# } U5 W
cmp al,4
" L8 K6 R. o6 s! {; Y/ C/ L3 @ jnz SoftICE_Detected
7 q! N2 q+ s( m
0 S) k. |1 ~" _2 o/ u___________________________________________________________________________% a, a) y8 b: \3 y; I% X
- |- h& h5 y* R9 Y6 [! h: o0 ]- QMethod 02& T1 z- e( i0 ~/ a- ^( g$ U
=========$ C& r3 D2 d$ ?% ~" t4 C- Q2 X
& \; G' g1 }: B6 n0 F
Still a method very much used (perhaps the most frequent one). It is used, u% E" X9 V, @* x9 ^' C9 {
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 b. D) |, |3 x8 d# b- i
or execute SoftICE commands...
) a4 w2 `. H: ^It is also used to crash SoftICE and to force it to execute any commands
. K/ s6 y2 g9 C6 Z' ~1 q- X' z(HBOOT...) :-((
) W) J L+ t) R7 n4 w) [4 x
1 d0 l2 X5 q1 E, A Y- XHere is a quick description:
- J9 Y0 V6 g% }) M* I-AX = 0910h (Display string in SIce windows)6 m0 b, t8 B0 A5 j8 h
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)- u/ ~4 {, E: U5 c& W8 G
-AX = 0912h (Get breakpoint infos)
. T- e) t: q9 ]. b-AX = 0913h (Set Sice breakpoints), Q0 F$ U8 l& t
-AX = 0914h (Remove SIce breakoints)# X# P1 i) t9 \4 t
3 ~1 }' @* F6 [ \6 b
Each time you'll meet this trick, you'll see:
" N9 |7 R5 p( W! u-SI = 4647h0 ~4 r8 N! u7 C% M: a7 t
-DI = 4A4Dh7 D2 ?0 G( b9 d7 V+ [1 l
Which are the 'magic values' used by SoftIce.
. |2 i1 Q% w. KFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- H+ w- s8 g5 f9 l
* {. S0 T8 ^7 @0 CHere is one example from the file "Haspinst.exe" which is the dongle HASP
# N' K! _0 n* g7 `- _& aEnvelope utility use to protect DOS applications:9 O1 Y1 W- M( `8 r# @- j5 u
% P# f7 S; J# g; U$ n6 x+ Z9 ^5 [5 |- T4 k2 L9 F( e8 g
4C19:0095 MOV AX,0911 ; execute command.
L6 g! u, q) R1 [) q5 m+ A* C4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
+ F5 ]' y0 `- c! c6 d4C19:009A MOV SI,4647 ; 1st magic value.
* ^* N5 P0 `, t6 I3 J5 p4C19:009D MOV DI,4A4D ; 2nd magic value.
$ E- r/ z5 c5 n, u' s2 _! f4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 t' ?7 J/ h8 j4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute x" `; T/ ?/ y) P9 } k, \
4C19:00A4 INC CX- C( ]) `: O$ Q7 I$ m: [
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute1 L, o6 Q2 E- W* A
4C19:00A8 JB 0095 ; 6 different commands.
3 @. n: v' k6 H |% m6 P6 ]; ?- H6 a4C19:00AA JMP 0002 ; Bad_Guy jmp back.
* }) ?; g. u! a4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" [2 n$ U$ K ]6 B! Z h
, a' T, Z% M+ L7 p6 k8 wThe program will execute 6 different SIce commands located at ds:dx, which
( Q+ i; g- T; U0 t% Y9 w, tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' O" I; V0 V% `# d6 }' v8 a9 {9 `6 U0 ^% t( t4 k( o
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.3 i4 B7 M, Z0 r" |& M3 R( v5 e
___________________________________________________________________________
# L, y, J6 k4 _/ M# u. k
+ t K1 Q* W" |: ]6 O7 _( q- f% S, w
Method 03
: c4 E3 D7 b9 d1 n; K1 s( [=========
g3 _6 `% c3 T- |# L4 H
+ G) k. t& o8 TLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ n: r1 I, f0 g7 O
(API Get entry point)
* `2 W w# V7 P! u# ^ ( h6 L% T& n' w+ y2 L) z0 v
) @; v" M E9 J$ q' s xor di,di( n6 v. n: ~2 Q" l4 ]3 _5 ]' u/ W
mov es,di
: P8 P& t3 z/ Q- Y1 z; t g4 x mov ax, 1684h 5 f O% d) K9 L: H" L
mov bx, 0202h ; VxD ID of winice
5 ?6 m* D# f, V1 }) m' Z; e int 2Fh+ w& y1 x- G2 M6 j
mov ax, es ; ES:DI -> VxD API entry point
6 I3 A$ ]( u% g0 s/ E# x add ax, di
. w9 a4 z+ e$ m0 q2 [) D1 U+ z: }, z test ax,ax6 w# ?/ A( P+ @; \
jnz SoftICE_Detected: f, x' a; \6 ]* ?& f: _
. `/ j3 n' E! q. }" c/ K___________________________________________________________________________
% Y) C+ | _, R* f2 L
! v y/ ?# i5 b% XMethod 04
0 D5 ]8 K5 v7 ~=========
5 n' U1 B; M$ K8 h; R9 h( A( N- q$ S; |# f. `
Method identical to the preceding one except that it seeks the ID of SoftICE
& j; F) N) K! @) W7 F" zGFX VxD.
, N# y7 J j. l! l) D& U
& F7 |, [8 t2 e9 L" e& a xor di,di# o8 ^4 Z D7 C8 d( E ?/ E( N
mov es,di
% B; W3 V, ?* O) O+ ^; y mov ax, 1684h + j' t _7 D* q) _# k" M" `) y
mov bx, 7a5Fh ; VxD ID of SIWVID
7 u, w6 u1 S" x; P3 a int 2fh
$ |/ n3 j' p! D mov ax, es ; ES:DI -> VxD API entry point
( C9 E- \$ v$ L4 }' _ f, q add ax, di; n) _6 V; f k, T2 C: f
test ax,ax
: F) _1 n1 W6 C jnz SoftICE_Detected
5 J5 k F7 d/ R% p
3 G" w1 [ Z. m$ v# A__________________________________________________________________________& u _, _( S& \
# |" J; D& F. F! Z/ m) ^& O* E4 z2 \( {) x" v' X
Method 05
$ ^5 t9 [: T+ {: ~* R7 [+ m=========
& v. K" W: y* H4 P6 U0 v) G8 K# A3 V. t. S2 w% F
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ R( X ~2 [2 G: Odebugger. It calls the int 41h, function 4Fh.3 s" v) }6 R" a
There are several alternatives.
6 A- T" `" e, C9 b
" X# {2 R6 k d5 K0 B) FThe following one is the simplest:
- P1 A( j- [" \& F& C
! J4 b5 l& J7 z! f mov ax,4fh
& o- r' C/ N, `$ N c% ^, h) Y6 G int 41h0 l% e; O v+ j( y
cmp ax, 0F386
5 t4 }& o1 S' O4 I' m- L jz SoftICE_detected8 b" J1 \0 p+ ?! Y- w9 S$ ~
% _$ A' S; X$ n$ g' N. h1 n
7 S# t8 Y. ]4 j- U( m/ `6 O" C; f; v
Next method as well as the following one are 2 examples from Stone's
& y' h4 V4 I& N6 Q3 C- b"stn-wid.zip" (www.cracking.net):# a- |9 Q& k8 X! Z
' ?0 t# W* P& {# r* b" | mov bx, cs
7 o& Q* X F: g# }/ _1 @ lea dx, int41handler2, L G$ x% ^# ?7 W
xchg dx, es:[41h*4]: G' m: \! }2 p, @, l
xchg bx, es:[41h*4+2]( X/ u& ]1 p, c/ K
mov ax,4fh7 V' D5 J* [- ]8 G: y7 b
int 41h
: T8 N! C! [! `$ |6 c$ c4 w, t xchg dx, es:[41h*4]; F/ s1 M. ~) p$ O7 {- w8 \! i
xchg bx, es:[41h*4+2]$ b2 J$ K: D5 W
cmp ax, 0f386h, a8 c" {7 G, {9 E e1 E# d) U
jz SoftICE_detected+ Q7 k, M! t2 }" V. w: R) h
) Z) X9 m6 Z7 T* r1 e
int41handler2 PROC
( }" @( j8 s. f& x0 ]8 R iret. W: d/ y2 s. K
int41handler2 ENDP5 i: v; |% Y1 [) c; ~
: k) I9 I' L& c* Q/ o- k! y# K( g) b
_________________________________________________________________________* Z' S$ F W! _9 D1 ?, Z, ~- a
( D1 E0 u5 O i
. F' a' e9 d% d0 F2 MMethod 06. }# _+ R. p# q( \ y+ S5 e* ~
=========9 }# n+ O% |$ l( D: M, L% h3 W
$ \5 S4 h. s$ d5 }
" H* T% N6 J6 ~! |9 J9 m3 u2nd method similar to the preceding one but more difficult to detect:9 A* ]& y* Y( j5 K! b
$ H+ N$ L. l. M2 a
4 [7 @3 ?$ N9 eint41handler PROC8 b. o+ f0 s$ U6 l
mov cl,al
3 m, L5 Y4 l6 T- _6 p: N @2 q$ _ iret( g6 I3 J( t( X# @3 u
int41handler ENDP
: X6 B* o F9 M0 t+ @% h3 u% G+ _ E7 n% m0 {# Y& \
: I) `5 `) @- J1 x. {" N xor ax,ax' k$ m: O6 g z" Y& O
mov es,ax0 D! ^( }# M7 |& Z5 Z0 A8 p- Z
mov bx, cs
" A Y# p0 k3 G( q5 h0 R lea dx, int41handler9 D* ^0 u) R; A8 o+ G
xchg dx, es:[41h*4]4 W7 L. C, M D* j. Z6 J
xchg bx, es:[41h*4+2]
w* y5 n% q6 Y) _ in al, 40h
* r7 i3 \. G% [0 m" M xor cx,cx
' n& S7 Q1 G* K& F int 41h" {/ L3 G5 Q: K) `9 p8 Y3 z
xchg dx, es:[41h*4]
0 D7 z+ ^, |$ { xchg bx, es:[41h*4+2]1 ~4 L) |; z" C# G7 s6 J7 i
cmp cl,al
" v6 }: K- f( O% C" @+ Y jnz SoftICE_detected* z( `2 u" n9 Q- K
; T$ Y; h* ]3 }' K$ K_________________________________________________________________________
. v" o8 U! b4 I* {# X& c
- o2 B# [" I& [Method 07- u, P: h, ^; [4 S1 B1 M
=========
7 J! K: g; B% t
! t1 i( i9 T7 @9 Y( L- zMethod of detection of the WinICE handler in the int68h (V86)
6 P% h" `. o& I3 }8 ^3 K, w
! ]1 i& v% j6 }( K mov ah,43h7 @% W# _3 X1 t4 o2 ]- ]4 Z* S
int 68h
/ Z5 U+ v$ \& ~ cmp ax,0F386h
* ]. s {+ i7 h' I8 D) [1 { jz SoftICE_Detected
0 ?3 C- n- d9 G/ G5 G
9 M8 u# f; V$ \" y8 ~# b7 a+ E* d5 _3 x+ y1 i$ z: c' \3 f
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 E, t5 c$ {4 T1 W% x2 F% T* j) u
app like this:
( w4 P/ I% T7 c8 g
2 D3 C! Y# K5 h V5 l3 D4 @# M$ j+ f( @0 a BPX exec_int if ax==68
/ c' f( h! q e (function called is located at byte ptr [ebp+1Dh] and client eip is' A+ Q$ K4 c( R! [
located at [ebp+48h] for 32Bit apps)" d: Y+ J, N$ y& _4 R5 H3 S& t
__________________________________________________________________________
1 I( i: F9 N/ [9 d5 o9 H% p4 b( n% I# _/ [# c! N6 N0 o
1 P6 F! j6 U: @6 k" b; C% EMethod 08
0 p* C L, c0 S; c9 L+ y=========
/ B( C, t5 u, c; Q4 |( w7 s- N9 f1 W
It is not a method of detection of SoftICE but a possibility to crash the7 {& X. Y/ }& j& P) M. K; P2 L
system by intercepting int 01h and int 03h and redirecting them to another8 c e' O7 q! V" s
routine.# b* @" \9 @& V* q+ ~+ i
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: V3 l0 S/ X0 G1 z( a8 e. a5 X
to the new routine to execute (hangs computer...)9 ?6 E$ l' `9 R: G5 A
1 ]9 _7 T: f c( M+ W3 O( ~
mov ah, 25h7 x9 q% M7 w# V. S7 Y* U4 q' j' V4 ]
mov al, Int_Number (01h or 03h)
! j, C% M. L# z- {' B4 r2 m3 U. | mov dx, offset New_Int_Routine% @/ ]5 d5 }5 g
int 21h
0 ?- g, P8 d8 D4 U# C. u* L3 N, @5 T: J6 U) e& }# \# ?8 y
__________________________________________________________________________
8 @: k( Z9 w% a! ^0 r; Z. F1 r
2 S' {! \( d$ \, F9 `Method 09, z' }% J k1 s& e+ ~; b3 i" j
=========
% ]- g- O b$ I! Q
9 [0 q# R0 W) DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only, A; D7 T4 z- R7 {1 p: m
performed in ring0 (VxD or a ring3 app using the VxdCall).; ?6 `1 Q5 G1 I% u% Y. C8 Y
The Get_DDB service is used to determine whether or not a VxD is installed
5 U& q* C( f. {' T) C$ wfor the specified device and returns a Device Description Block (in ecx) for
& E6 d! C( C& q8 lthat device if it is installed.# }+ p* H' U6 N: |" X% g9 a
6 X$ c3 L" P( w+ E& M
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
Y; W) n$ P: c! n& ? mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
6 d4 k6 Z1 D: ] |2 z0 r VMMCall Get_DDB
4 j& \$ h0 v/ c3 k$ I/ b b3 g. F mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
$ k0 K- n) i/ S( T; B
/ c3 T9 J. J2 }0 Q. hNote as well that you can easily detect this method with SoftICE:5 v: I6 j# U6 b* o
bpx Get_DDB if ax==0202 || ax==7a5fh
8 a! T0 G" u. y' A: e& p* ?, u. c6 L6 K9 P' t% O* U& s
__________________________________________________________________________2 r+ C5 `: F; ]5 m% F5 _
) }/ v2 u3 ]( C3 X4 v, @& C3 k/ uMethod 10 T3 T% i' [1 g( D6 v5 A
=========
: U$ l7 P3 I0 ?! f8 D X
( t9 l) A# b( _0 P S1 |=>Disable or clear breakpoints before using this feature. DO NOT trace with
1 T# f" k3 H6 c3 W SoftICE while the option is enable!!
0 x) ~' r ?+ T0 ^1 e0 M' K- k# K- }" G0 w
This trick is very efficient:- N6 e0 j) n( Q8 T( C5 B* l
by checking the Debug Registers, you can detect if SoftICE is loaded8 H( S; e& f( P4 C! H0 e/ s
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 o' Z/ z* U; ~* e1 O8 O: U" H+ e
there are some memory breakpoints set (dr0 to dr3) simply by reading their& O' k6 h' T' ~* X# l6 c
value (in ring0 only). Values can be manipulated and or changed as well
) A4 q' z( V: W4 o5 e5 r/ v" }(clearing BPMs for instance)4 C- C0 ~7 W P8 U
# P' T( z6 T5 {8 \1 s
__________________________________________________________________________
/ M" a; o8 g) Z6 Z- N) ]6 `$ a3 J3 w, W) k: n
Method 11
/ D+ R6 @ B* U4 b! i6 ~7 l3 @( c/ G# N- o=========9 s* Y( l& n6 _& K2 d* y
( P: x4 @# S* I; C' D' v! X. ZThis method is most known as 'MeltICE' because it has been freely distributed
/ a4 r" @( i! r0 f4 t+ |via www.winfiles.com. However it was first used by NuMega people to allow5 \2 [; P) s6 O' T0 H
Symbol Loader to check if SoftICE was active or not (the code is located
& E) v! t. y' |+ A/ a. yinside nmtrans.dll).1 y- w7 U4 R- z0 E
$ v. l) v6 |. e% U- e
The way it works is very simple:
R3 A" Z8 z, H4 o. z! hIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: z5 H5 g5 I: b$ p6 ]7 v
WinNT) with the CreateFileA API.
/ j6 J4 c1 x6 `' p0 y4 N4 u+ A; ` V3 V2 R
Here is a sample (checking for 'SICE'):
8 T5 R) z* F+ M0 Z9 e
8 K2 Y i* W5 o. x. C. |) _BOOL IsSoftIce95Loaded()
% D, _6 z; P# c/ I! ^% C c! u& l8 t{+ z+ ^. V0 ?, Q' B$ ]& t
HANDLE hFile; 0 W1 i" ?( [ d6 V
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,. |7 r% e* s5 z3 \/ }/ ?" O7 I
FILE_SHARE_READ | FILE_SHARE_WRITE,
7 i) _5 S! s) q& Q+ n& |+ i- c NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
L, A! z3 B8 S; n2 J if( hFile != INVALID_HANDLE_VALUE )! K! ~, j+ k" X, l' w8 I: W
{2 R' G' |/ P+ |7 ]* x9 }) [- [
CloseHandle(hFile);/ g8 |* M; p$ D
return TRUE;9 t# H4 l4 p+ ?) f6 Q
}
+ }" S' E% f; N3 ?) L2 a f% y4 b return FALSE;0 q1 }7 I x. d# B3 Q
}1 `% H9 s O) c6 t4 f3 q
4 j" y7 o2 r, @9 \
Although this trick calls the CreateFileA function, don't even expect to be o; u' Y* h. w+ V9 H
able to intercept it by installing a IFS hook: it will not work, no way!
! F, E' y7 v0 o% M& h" tIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, b! `% C, Q) C+ O( Nservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
+ A+ z# Y; M( c; zand then browse the DDB list until it find the VxD and its DDB_Control_Proc/ p. `6 ?5 j9 O: k- M$ U! p
field.
% L/ o' r) g# i6 HIn fact, its purpose is not to load/unload VxDs but only to send a
( I0 a. f, k S2 `0 k" xW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
! ` T* M% _, y! ?& O3 _" yto the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ a) v) R7 R' Q& `+ e% B% wto load/unload a non-dynamically loadable driver such as SoftICE ;-).- r. A5 x3 c, W, S' j
If the VxD is loaded, it will always clear eax and the Carry flag to allow+ ^* d$ b6 j( E
its handle to be opened and then, will be detected.3 ?7 \) r8 {6 e" }# V
You can check that simply by hooking Winice.exe control proc entry point
# \: n# O' I1 D6 a" Cwhile running MeltICE./ s1 R" _. r( t2 z, V4 |/ U
. j N. R( K4 ]! P( ?+ `
( E) N0 s g- ]
00401067: push 00402025 ; \\.\SICE5 S+ ~. ~" H- j1 s @ u
0040106C: call CreateFileA
7 Z1 ^9 f8 K! `6 r 00401071: cmp eax,-001 i; e, e0 _0 ^' m, w1 `" C# R5 _
00401074: je 00401091' F% E% A( D3 ^6 R7 o) @
$ o1 V7 Q7 o; I, [2 N
3 a8 k0 `, G) |0 WThere could be hundreds of BPX you could use to detect this trick.5 c C5 W' _: ?0 f V
-The most classical one is:4 [, B6 J, c3 q
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||) H( H! N7 d+ j: M: ]& @; [1 C
*(esp->4+4)=='NTIC'/ F! G4 l1 A( M9 R+ M1 u6 s" b
* ~" R7 ?7 M; P' v. _
-The most exotic ones (could be very slooooow :-(' n: F B M; i5 d6 Y9 D. j& k
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ; @ ] W. d4 ]1 c$ V
;will break 3 times :-(! `3 ]' u3 y' n% k1 V; ~
% P2 y# M3 [* j! G7 g( ~' G-or (a bit) faster:
" }: k6 Z. X2 x8 y" ?+ X. a BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
1 o% R# m/ u- S& @% P1 @, G
$ ~+ X1 Q4 x0 P2 K BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. Q* S& E1 P3 M0 P ;will break 3 times :-(- m* q0 w t* V" j
$ N% `2 k8 P( q# q9 x; n
-Much faster:
$ [8 t: e6 B# ]1 c s BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
% G& J* R. D# p0 w
- V% w* q7 a# E" [: ~Note also that some programs (like AZPR3.00) use de old 16-bit _lopen5 Q+ A; I s) {# j1 |3 ~
function to do the same job:+ S/ B, ~, X. Z# [ S# n, _" _
5 f# K/ l5 e; e
push 00 ; OF_READ
/ E' a$ r. l" @) J; m9 b5 O+ L mov eax,[00656634] ; '\\.\SICE',0! ~1 G5 ~, e t
push eax
2 O3 D" O2 L! T( Q call KERNEL32!_lopen
4 P& h! F; b9 F4 N4 k7 _8 u: N inc eax) }6 M- \. }6 h7 z
jnz 00650589 ; detected9 v; [; c2 h9 c1 ~) M
push 00 ; OF_READ: _ ]0 o& v2 V
mov eax,[00656638] ; '\\.\SICE'
8 N7 X% t- F3 q2 T push eax9 y/ k9 z) |# O; s+ U5 U
call KERNEL32!_lopen
& z) p) F6 T" K2 I/ E% a inc eax
9 G0 E7 H& q/ v6 z4 y- y jz 006505ae ; not detected; P% E+ h+ u1 j' \6 z) K0 S
/ W4 n& V" y! @# m. t+ h9 B, J( o
__________________________________________________________________________7 c: \8 A" y6 {3 c& n1 r
* R" k* m5 {- x" y! `) C& X) IMethod 12/ p+ x5 N, X* P7 w
=========) @$ t8 a i4 x) A" ^
8 z5 g C! _- U0 |
This trick is similar to int41h/4fh Debugger installation check (code 055 y) J( ]3 k; j' z3 W# Z3 f
& 06) but very limited because it's only available for Win95/98 (not NT)
Z+ a; O( y4 V# ?3 Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 k$ b+ }$ ^0 {. f2 L1 V+ \1 v
3 @# ]0 j3 e4 V1 `: k1 Y0 s
push 0000004fh ; function 4fh8 W7 G) @, j8 } e
push 002a002ah ; high word specifies which VxD (VWIN32)
/ I( O0 C/ N0 {( K! f ; low word specifies which service" k: P: u. w9 X6 z5 b! R" G6 X& R
(VWIN32_Int41Dispatch)
6 i8 E k0 k) f; q+ e% w call Kernel32!ORD_001 ; VxdCall
7 K% A# S' ~' b7 O: w! Y cmp ax, 0f386h ; magic number returned by system debuggers5 ?6 s# [; u: ?% q
jz SoftICE_detected5 S" e' K5 i9 e, C
3 a M& h- t0 v
Here again, several ways to detect it:
" z; k. R c8 X4 L8 T
^/ m5 s5 l6 }/ C( A3 @% H5 w1 ~0 ` BPINT 41 if ax==4f
! A$ y5 i/ q6 g( m: l. X9 X% Q- |6 E( j. X
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one! G d, W8 J- V8 L# p- y$ t% ]
! R9 M5 Y: `. b+ R
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
1 R6 v Z# c% N1 R& k8 K
$ _3 y' C* G$ V BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* v5 P3 F, [; ?7 t. D
3 v7 R/ {( v& C, ^3 H__________________________________________________________________________4 C& s H2 Q0 Q5 ]" h2 R$ c- y
. l9 F( d# |, y8 Y+ B# k- E
Method 139 w3 S' t. L2 r8 `
=========
. Z0 t; P( S$ M4 j7 H# q% P6 d* k
1 M8 R* _* Z d# rNot a real method of detection, but a good way to know if SoftICE is9 a/ r5 g: d; B- I2 x. R
installed on a computer and to locate its installation directory.
: s4 o/ e7 {! n( G$ r: rIt is used by few softs which access the following registry keys (usually #2) :6 K% y" m; E4 o7 _
- j5 Y; }% O9 @0 L9 S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! |; k+ s p C5 ?\Uninstall\SoftICE8 V" Q+ ?& b- a1 h5 u2 ^6 x
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE; Y# H! L) S' @" F! o+ G7 s' O+ F
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; ^9 b' t3 B9 _, P d1 V1 `9 Z7 W
\App Paths\Loader32.Exe$ B) ~6 m: U1 N
, i" l% h+ `; e* a9 D' C+ p; }, a% K/ y: {1 W' p
Note that some nasty apps could then erase all files from SoftICE directory E. s3 q/ {/ S8 j/ e2 D
(I faced that once :-(
0 ^0 U3 u k6 }- o3 M% G( I
' x0 w9 q( }7 C1 i3 e5 \Useful breakpoint to detect it:
. N, \6 ]2 h* r) C2 [( D6 ?; G
3 X- Q8 @1 a8 M5 ?+ X W: ? BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
4 m2 \# q" b6 _5 r
2 K0 v) i( l4 \" O% @/ \' D__________________________________________________________________________) O; I6 G9 }8 _% U1 e% \1 P) P, _& ^
. f* m: q' y) |7 G1 j4 q9 e) N
& H0 I" |& P5 r# i- f! l, X
Method 14
8 S7 ~" H' ~) H! W- L$ B w! m2 b=========
9 v L& @1 ^! ]0 B: @4 M1 U$ C0 {( T! R
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* V* v3 @* g' `- Uis to determines whether a debugger is running on your system (ring0 only).! e$ \0 v! B% L2 d
- M, L! [- m3 o& L% i VMMCall Test_Debug_Installed
% Y7 K2 [7 B h" h4 a; }" D je not_installed& _! V& K: i; O( w( t; K
, Q& r! L, C: c# {This service just checks a flag.9 v2 }: {" t2 N3 V1 x; I
</PRE></TD></TR></TBODY></TABLE> |