<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV AX,0911    ; execute command.
4C19:0098  MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647    ; 1st magic value.
4C19:009D  MOV DI,4A4D    ; 2nd magic value.
4C19:00A0  INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06      ; Repeat 6 times to execute
4C19:00A8  JB 0095        ; 6 different commands.
4C19:00AA  JMP 0002       ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax          ; ES:DI == 0000:0000 when the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Both swap their own handler into the
int 41h vector (ES must point to the IVT, i.e. ES = 0) so that a plain
debugger-free machine answers the call with the handler's own iret:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our offset, save the old one in dx
    xchg bx, es:[41h*4+2]    ; install our segment, save the old one in bx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al           ; echo al back; only runs if nobody intercepts int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax           ; ES = 0 -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h           ; timer byte: an unpredictable value to echo
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al           ; cl != al means our handler never ran
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
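An added Python illustration, not part of the original text, of what the Method 10 check actually reads: it decodes DR7 and DR0-DR3 into the armed hardware breakpoints (slot, address, access type, length) and classifies the two DR7 values the text mentions. The register values used are constructed samples.

```python
"""Decode DR7 / DR0-DR3 as read by the Method 10 check (added example)."""
from dataclasses import dataclass

# DR7 bits 16-31 hold a 2-bit R/W field and a 2-bit LEN field per slot.
ACCESS = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LENGTH = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 0b10 = 8 bytes only in 64-bit mode

DR7_LE = 1 << 8          # local exact-breakpoint mode
DR7_GE = 1 << 9          # global exact-breakpoint mode
DR7_RESERVED1 = 1 << 10  # always reads as 1, hence the bare 0x400


@dataclass
class HwBreakpoint:
    slot: int
    address: int
    local: bool
    global_: bool
    access: str
    length: int


def decode_dr7(dr7: int, dr0_3: list) -> list:
    """Return the armed hardware breakpoints described by DR7 and DR0-DR3."""
    found = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)      # L0..L3 at bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)   # G0..G3 at bits 1,3,5,7
        if not (local or glob):
            continue                             # slot disabled, DRi irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        found.append(HwBreakpoint(i, dr0_3[i], local, glob, ACCESS[rw], LENGTH[ln]))
    return found


def fingerprint(dr7: int, dr0_3: list) -> str:
    """Classify the register state the way the text above describes it."""
    if decode_dr7(dr7, dr0_3):
        return "memory breakpoints set"           # a BPM left armed gives you away
    if dr7 & (DR7_LE | DR7_GE):
        return "loaded via SoftICE loader"        # 0x700: LE+GE on top of bit 10
    if dr7 == DR7_RESERVED1:
        return "clean"                            # 0x400: nothing armed
    return "unexpected DR7 value"


if __name__ == "__main__":
    # Constructed sample: slot 0 armed as a 4-byte read/write BPM at 0x401000.
    sample_dr7 = DR7_RESERVED1 | 0b01 | (0b11 << 16) | (0b11 << 18)   # 0xF0401
    for bp in decode_dr7(sample_dr7, [0x401000, 0, 0, 0]):
        print(bp)
    print(fingerprint(0x700, [0] * 4), "/", fingerprint(0x400, [0] * 4))
```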

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                   *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-( ):
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                          ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                          ;will break 3 times :-(
-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386                    ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey string; 0x13 and 0x37
are the offsets of "tICE" in key #2 and key #1 respectively):
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
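An added example, not part of the original text: a small Python scanner that looks for the byte encodings of the tricks of methods 01 to 07, 11, 12 and 13 in a file image, the static counterpart of the breakpoints given above. The opcode patterns are my encodings of the snippets as listed (an optional 66h operand-size prefix lets 16-bit and 32-bit code both match), and the sample blob is constructed.

```python
"""Static scan for the anti-SoftICE patterns of methods 01-13 (added example)."""
import re

X66 = rb"(?:\x66)?"   # optional operand-size prefix (mov ax,.. is 66 B8 .. in 32-bit code)

OPCODE_PATTERNS = [
    ("01 BoundsChecker 'BCHK' int 3",                 # mov ebp,4243484Bh / mov ax,4 / int 3
     X66 + rb"\xBD\x4B\x48\x43\x42" + X66 + rb"\xB8\x04\x00\xCC"),
    ("02 back-door magic SI=4647h DI=4A4Dh",          # mov si,4647h / mov di,4A4Dh
     X66 + rb"\xBE\x47\x46" + X66 + rb"\xBF\x4D\x4A"),
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",   # mov ax,1684h / mov bx,ID / int 2Fh
     X66 + rb"\xB8\x84\x16" + X66 + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05 int 41h/4Fh debugger check",                 # mov ax,4Fh / int 41h
     X66 + rb"\xB8\x4F\x00\xCD\x41"),
    ("06 int 41h after in al,40h / xor cx,cx",        # in al,40h / xor cx,cx / int 41h
     rb"\xE4\x40" + X66 + rb"[\x31\x33]\xC9\xCD\x41"),
    ("07 int 68h/43h WinICE handler",                 # mov ah,43h / int 68h
     rb"\xB4\x43\xCD\x68"),
    ("12 VxDCall VWIN32_Int41Dispatch",               # push 4Fh / push 002A002Ah
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("05/07/12 cmp ax,0F386h (weak on its own)",      # 3D 86 F3, may occur by chance
     X66 + rb"\x3D\x86\xF3"),
]

STRING_PATTERNS = [
    ("11 device name " + name, re.escape(name.encode()))
    for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")
] + [
    ("13 registry key " + key, re.escape(key.encode()))
    for key in (r"Software\NuMega\SoftICE", r"Uninstall\SoftICE", r"App Paths\Loader32.Exe")
]


def scan(blob: bytes) -> list:
    """Return (method, offset) for every match, sorted by offset."""
    hits = []
    for name, pat in OPCODE_PATTERNS + STRING_PATTERNS:
        for m in re.finditer(pat, blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample image: padding, method 01 (32-bit encoding), method 02
# (16-bit encoding), the SICE device string, then method 03 (16-bit encoding).
SAMPLE = (b"\x90" * 8
          + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"
          + b"\x90" * 4
          + b"\xBE\x47\x46\xBF\x4D\x4A\xCC\x00"
          + b"\\\\.\\SICE\x00"
          + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```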
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>