<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:
& o4 u# }" q; o
        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own handler into the IVT (ES assumed = 0)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the VxD by its device name only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
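The instruction sequences and strings listed in methods 01 to 13 are also what an analyst looks for when triaging a protected or hostile binary. The following Python scanner is an added example and is not part of the original text: it encodes the checks of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 as byte patterns (x86 immediates are little-endian) and reports the offsets where they occur in a raw code blob. The pattern table, the `scan` function and the constructed SAMPLE bytes are this example's own assumptions; it expects unpacked, flat code and ANSI strings.

```python
import re

# Added example (not from the original text): byte signatures for the SoftICE
# checks described above. x86 immediates are stored little-endian, so
# 'mov ax, 4Fh' assembles to B8 4F 00 and 'cmp ax, 0F386h' to 3D 86 F3.
# GAP tolerates up to 8 bytes of junk or register shuffling between the
# instructions of one check; a 66h operand-size prefix used in 32-bit code
# sits before the opcode and therefore does not break the match.
GAP = rb".{0,8}?"
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') ... int 3 ... cmp al, 4
    "01 BoundsChecker BCHK/int 3":
        rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC" + GAP + rb"\x3C\x04",
    # Method 02: mov si, 4647h / mov di, 4A4Dh magic values before int 3
    "02 back door SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Methods 03/04: mov ax, 1684h / mov bx, 0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h SICE or SIWVID":
        rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # Method 05: mov ax, 4Fh / int 41h / cmp ax, 0F386h
    "05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41" + GAP + rb"\x3D\x86\xF3",
    # Method 07: mov ah, 43h / int 68h / cmp ax, 0F386h
    "07 int 68h/43h magic 0F386h":
        rb"\xB4\x43" + GAP + rb"\xCD\x68" + GAP + rb"\x3D\x86\xF3",
    # Method 11: device names passed to CreateFileA or _lopen
    "11 MeltICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 2A002Ah before Kernel32!ORD_0001 (VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F" + GAP + rb"\x68\x2A\x00\x2A\x00",
    # Method 13: the SoftICE installation key queried through the registry
    "13 NuMega/SoftICE registry key":
        rb"NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {signature name: [offsets]} for every check found in blob."""
    hits = {}
    for name, pattern in COMPILED.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: method 05 as assembled, method 03 with a stray NOP
# between its instructions, then a MeltICE device name and the registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                # offset 4
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\x90\xBB\x02\x02\xCD\x2F"    # mov ax at 18
    + b"\\\\.\\SICE\x00"                                         # offset 27
    + b"NuMega\\SoftICE\x00"                                     # offset 36
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: {[hex(o) for o in offsets]}")
```

The ring0-only checks (methods 09, 10 and 14) leave no fixed byte pattern and are better spotted with the SoftICE breakpoints the text gives for them.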
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>