<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number           ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
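Methods 11 and 13 differ from the interrupt-based checks in that they leave recognisable strings behind: the device names handed to CreateFileA or _lopen, and the registry paths named above. The scanner below is an added example for this page, not code from the original, that looks for exactly those indicators in a raw buffer. It searches the ASCII form that the page's CreateFileA and _lopen samples use and, as an addition that goes beyond the page, the UTF-16LE form a wide-character CreateFileW caller would embed; matching is case-insensitive because Win32 device names and registry paths are. The sample buffer is constructed, not taken from any real program.

```python
# Indicator strings quoted on this page: the device names MeltICE-style checks
# pass to CreateFileA/_lopen (Method 11) and the registry keys of Method 13.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def _needles(text):
    # ASCII covers the CreateFileA and _lopen calls shown on the page; the
    # UTF-16LE form is an assumption added here for the wide CreateFileW variant.
    return (("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le")))


def find_indicators(blob):
    """Return [(offset, encoding, kind, indicator), ...] sorted by offset.

    bytes.lower() only changes ASCII letters and leaves 0x00 alone, so the
    same case-folding is safe for both the ASCII and the UTF-16LE needles."""
    hay = blob.lower()
    hits = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for name in names:
            for enc, needle in _needles(name):
                needle = needle.lower()
                idx = hay.find(needle)
                while idx != -1:
                    hits.append((idx, enc, kind, name))
                    idx = hay.find(needle, idx + 1)
    hits.sort()
    return hits


# Constructed sample buffer (not from any real program): an ANSI device-name
# C string, then a registry path stored as UTF-16LE in a different case.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                  # offset 8
    + b"\x00" * 4
    + "SOFTWARE\\NuMega\\SoftICE".encode("utf-16-le")    # offset 21
    + b"\x00" * 2
)

if __name__ == "__main__":
    for offset, enc, kind, name in find_indicators(SAMPLE):
        print(f"{offset:#06x} {enc:9} {kind:9} {name}")
```

The registry paths are searched without the HKEY_LOCAL_MACHINE root because a program passes the hive as a handle and only the subkey as a string, which is also why the author's BPX above tests for the 'tICE' fragment at two different offsets into that string.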

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>