<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 so that es:[41h*4] addresses the IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer counter, used as a changing test value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

The installed handler copies al into cl; if int 41h never reaches it
because a debugger has taken over the vector, cl keeps the zero set by
xor cx,cx and no longer matches the value read from port 40h.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________
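Reading off the DR7 values quoted above, as an added example written for this page (Python; not code from the original text): decode_dr7 splits a DR7 value into the per-breakpoint enable, type and length fields laid out in the Intel manual, and softice_hint applies the text's own rule of thumb (0x700 when the program was started through the SoftICE loader, 0x400 otherwise, any enabled DRn meaning a BPM is set). The values fed to it are constructed; the script interprets register values it is given and does not read the registers itself, which as the text says is ring0 work.

```python
# Added example: decode the x86 DR7 debug-control register so that the values
# quoted in method 10 (0x700 vs 0x400) can be interpreted.  Bit layout follows
# the Intel SDM; the sample values at the bottom are constructed, not captured.

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10   # reserved, always reads as 1

RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LENGTHS = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding (8 bytes is 64-bit only)


def decode_dr7(dr7):
    """Return the LE/GE flags and a list of the enabled hardware breakpoints."""
    breakpoints = []
    for n in range(4):
        local_en = (dr7 >> (2 * n)) & 1        # L0..L3 are the even low bits
        global_en = (dr7 >> (2 * n + 1)) & 1   # G0..G3 are the odd low bits
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3         # R/Wn: condition that triggers
        ln = (dr7 >> (18 + 4 * n)) & 3         # LENn: size of the watched range
        breakpoints.append({
            "index": n,
            "local": bool(local_en),
            "global": bool(global_en),
            "type": RW_TYPES[rw],
            "length": LENGTHS[ln],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "breakpoints": breakpoints,
    }


def softice_hint(dr7, dr0_3=(0, 0, 0, 0)):
    """Apply the page's rule of thumb: 0x700 means the program was started
    through the SoftICE loader, 0x400 is the idle value; any enabled DRn
    means a memory breakpoint (BPM) is set on the address in that register."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        addrs = ", ".join("dr%d=0x%08x" % (b["index"], dr0_3[b["index"]])
                          for b in info["breakpoints"])
        return "memory breakpoint(s) set: " + addrs
    if dr7 == 0x700:
        return "loaded with the SoftICE loader (LE and GE set)"
    if dr7 == 0x400:
        return "no debugger indication (only the reserved bit set)"
    return "unrecognised DR7 value 0x%x" % dr7


if __name__ == "__main__":
    # constructed sample values: loader, idle, and a 4-byte read/write BPM in DR0
    for value in (0x700, 0x400, 0x400 | 0x1 | (0x3 << 16) | (0x3 << 18)):
        print(hex(value), "->", softice_hint(value, (0x00401000, 0, 0, 0)))
```

The third sample value sets L0, R/W0=11b and LEN0=11b, which is what a 4-byte read/write BPM on the address held in DR0 looks like; the reserved bit 10 stays set in every value, which is why the idle reading is 0x400 rather than 0.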

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE VxD by its device name; only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
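The signatures of methods 01, 02 and 11 are easy to look for statically in a file under analysis. The scanner below is an added example written for this page (Python; not code from the original text nor from any program it mentions): it matches the 'BCHK' constant followed by an int 3, the 4647h/4A4Dh magic values followed by an int 3, and the NUL-terminated \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and reports the offset of each hit. The byte encodings are the standard x86 ones for the instructions quoted above; the image returned by build_sample is constructed to contain one instance of each and is not a real program.

```python
# Added example: static scan of a raw binary image for the SoftICE-detection
# signatures described in methods 01, 02 and 11.  Not code from the original
# text; the sample image below is constructed for demonstration.
import re
from typing import List, Tuple

# Standard x86 encodings of the instructions quoted on the page.  An optional
# 66h operand-size prefix is accepted so the same pattern matches 16-bit DOS
# code and 32-bit Win32 code; int 3 may be CC or the long form CD 03.
INT3 = rb"(?:\xCC|\xCD\x03)"
SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    # method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("method01_boundschecker_bchk",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?" + INT3, re.DOTALL)),
    # method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic values)
    ("method02_backdoor_magic",
     re.compile(rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A.{0,16}?" + INT3,
                re.DOTALL)),
    # method 11: NUL-terminated device names passed to CreateFileA / _lopen
    ("method11_driver_name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(image: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


def build_sample() -> bytes:
    """Constructed image: NOP filler around one instance of each trick."""
    method02 = bytes.fromhex(
        "B81109"        # mov ax,0911h   (execute command)
        "8B17"          # mov dx,[bx]
        "BE4746"        # mov si,4647h   (1st magic value)
        "BF4D4A"        # mov di,4A4Dh   (2nd magic value)
        "CC"            # int 3
    )
    method01 = bytes.fromhex(
        "66BD4B484342"  # mov ebp,4243484Bh ('BCHK')
        "B80400"        # mov ax,4
        "CC"            # int 3
        "3C04"          # cmp al,4
    )
    method11 = b"\\\\.\\SICE\x00"
    filler = b"\x90" * 8
    return filler + method02 + filler + method01 + filler + method11 + filler


if __name__ == "__main__":
    for name, offset in scan(build_sample()):
        print("%-30s at offset 0x%04x" % (name, offset))
```

The gap of at most 16 bytes between the magic loads and the int 3 keeps the instruction patterns from firing on a stray constant elsewhere in a file; the device-name pattern needs no such guard because the string itself is specific enough. Run it on a real sample with scan_file(path).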

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed


This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>