<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler via int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SICE device can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
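
As an added example (not part of the original text), a small static scanner that flags the byte encodings the int-based and Win32 checks above assemble to, so an analyst triaging a sample knows which of these anti-debug checks to expect before loading it under a debugger. The sample buffer is constructed for the demo; the allowed gap sizes between instructions are an assumption, and the encodings assume 16-bit code for the int-based methods and 32-bit code for the Win32 ones.

```python
"""Static triage for the SoftICE-detection idioms described above.

Scans a buffer for the byte encodings those methods assemble to, so an
analyst knows which anti-debug checks a sample carries before loading it.
Constructed for this example; gap sizes between instructions are an
assumption, and encodings assume 16-bit code for the int-based checks
and 32-bit code for the Win32 ones.
"""
import re

# (method number in the text, description, regex over raw bytes)
SIGNATURES = [
    ("01", "BCHK/BoundsChecker int 3 check",
     rb"\xBD\x4B\x48\x43\x42"              # mov ebp, 4243484Bh ('BCHK')
     rb".{0,8}?\x66\xB8\x04\x00"           # mov ax, 4
     rb".{0,4}?\xCC"),                     # int 3
    ("02", "SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h VxD entry point, SICE (0202h) or SIWVID (7A5Fh)",
     rb"\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xCD\x2F"),
    ("05/06", "int 41h function 4Fh (0F386h magic)",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),    # mov ax,4Fh ... int 41h
    ("07", "int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,4}?\xCD\x68"),         # mov ah,43h ... int 68h
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

# Device names opened by the MeltICE-style check (method 11).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def scan(buf):
    """Return (method, description, offset) hits, ordered by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((method, desc, m.start()))
    for name in DEVICE_NAMES:
        for m in re.finditer(re.escape(name), buf):
            hits.append(("11", "device open of " + name.decode(), m.start()))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample: filler around a BCHK check, an int 41h/4Fh check,
# an embedded device name and a VxDCall int41 dispatch (not a real binary).
SAMPLE = (
    b"\x55\x8B\xEC\x90\x90"                                         # prologue
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01
    + b"\x90" * 6
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # method 05
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                            # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # method 12
)

if __name__ == "__main__":
    for method, desc, off in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method} - {desc}")
```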
</PRE></TD></TR></TBODY></TABLE>