<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with 'BCHK' in EBP
and AX=0004h, SoftICE answers the int 3 with AL=00h (see Ralf Brown's
Interrupt List, int 03h), so finding AL still equal to 4 afterwards means
no SoftICE.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is
used to reach the SoftICE 'back door' commands, which give information
on breakpoints, execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0:0. (Note that the ES+DI sum
used below can in theory wrap to zero for a non-zero pointer; testing
"mov ax,es / or ax,di" is the safer form.)

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of WINICE
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh             ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next variant as well as the following method (06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). This one temporarily
points the IVT entry of int 41h at a dummy handler (a plain IRET), so
the answer cannot come from an ordinary handler installed in the vector
table; the code assumes ES already holds segment 0 (Method 06 sets it
explicitly):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; swap in our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
A private int 41h handler copies AL into CL; AL is seeded with a byte
read from the PIT (port 40h) and CX is cleared before the call. If our
handler ran, CL equals AL afterwards; if it never ran because SoftICE
handled the int 41h itself, CL stays 0 and the mismatch gives it away.
(A PIT byte of 0 yields a false negative, roughly one call in 256.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                ; pseudo-random byte from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine   ; DS must hold the routine's segment
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device, and returns its Device Description
Block (in ECX) if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether
SoftICE is loaded (DR7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether memory breakpoints are set (DR0 to
DR3 hold their addresses, DR7 their enable bits). The values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to
allow its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word selects the VxD (VWIN32),
                              ; low word selects the service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001    ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the subkey strings of #2 and #1):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). It returns with the zero flag set when no debugger is
installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
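As an added example that is not part of the original text: a static scanner, in C, for the byte patterns the methods above leave in a binary (the instruction sequences of Methods 01-07 and the device/registry strings of Methods 11 and 13). Instruction encodings are the 16-bit ones of the listings; the 32-bit form of the SI/DI magic values (with 66h prefixes) is listed separately, and the `mov ebp,'BCHK'` core is matched with or without its prefix. The short ids ("M01"...), the sample buffer and the byte layout are constructed for this example.

```c
/* Added example (not from the original text): static scanner for the
 * anti-SoftICE signatures described in Methods 01-07, 11 and 13. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    const char *id;                /* short tag, constructed: "M01".."M13", "F386" */
    const char *desc;
    const unsigned char *pat;
    size_t len;
} Signature;

static const unsigned char p_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,4243484Bh */
static const unsigned char p_magic16[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };             /* mov si,4647h / mov di,4A4Dh */
static const unsigned char p_magic32[] = { 0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A }; /* same, 32-bit code */
static const unsigned char p_sice[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const unsigned char p_siwvid[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const unsigned char p_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh / int 41h */
static const unsigned char p_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h / int 68h */
static const unsigned char p_f386[]    = { 0x3D, 0x86, 0xF3 };                               /* cmp ax,0F386h */

#define STR(s) (const unsigned char *)(s), sizeof(s) - 1

static const Signature sigs[] = {
    { "M01",  "BoundsChecker int 3 interface: mov ebp,'BCHK'",   p_bchk,    sizeof p_bchk },
    { "M02",  "int 3 back door magic values SI=4647h DI=4A4Dh",  p_magic16, sizeof p_magic16 },
    { "M02",  "int 3 back door magic values (32-bit encoding)",   p_magic32, sizeof p_magic32 },
    { "M03",  "int 2Fh/1684h, VxD ID 0202h (SICE)",               p_sice,    sizeof p_sice },
    { "M04",  "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",             p_siwvid,  sizeof p_siwvid },
    { "M05",  "int 41h function 4Fh",                              p_int41,   sizeof p_int41 },
    { "M07",  "int 68h function 43h",                              p_int68,   sizeof p_int68 },
    { "F386", "cmp ax,0F386h (debugger magic number)",            p_f386,    sizeof p_f386 },
    { "M11",  "device name \\\\.\\SICE",                           STR("\\\\.\\SICE") },
    { "M11",  "device name \\\\.\\SIWVID",                         STR("\\\\.\\SIWVID") },
    { "M11",  "device name \\\\.\\NTICE",                          STR("\\\\.\\NTICE") },
    { "M13",  "registry path NuMega\\SoftICE",                     STR("NuMega\\SoftICE") },
};

/* Offset of the first occurrence of any pattern tagged `id` in buf, or -1. */
long find_sig(const unsigned char *buf, size_t n, const char *id)
{
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        const Signature *sg = &sigs[s];
        if (strcmp(sg->id, id) != 0 || sg->len > n) continue;
        for (size_t i = 0; i + sg->len <= n; i++)
            if (memcmp(buf + i, sg->pat, sg->len) == 0) return (long)i;
    }
    return -1;
}

/* Print every hit of every signature; returns the number of hits. */
size_t scan_anti_softice(const unsigned char *buf, size_t n)
{
    size_t hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        const Signature *sg = &sigs[s];
        if (sg->len > n) continue;
        for (size_t i = 0; i + sg->len <= n; i++) {
            if (memcmp(buf + i, sg->pat, sg->len) == 0) {
                printf("%-4s @ 0x%04zx  %s\n", sg->id, i, sg->desc);
                hits++;
            }
        }
    }
    return hits;
}

/* Constructed sample: a 16-bit fragment mimicking Methods 01, 02, 05 and 11. */
static const unsigned char sample[] = {
    0x55, 0x8B, 0xEC, 0x90,                                      /* 0x00 push bp / mov bp,sp / nop */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,                          /* 0x04 mov ebp,4243484Bh (core at 0x05) */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,              /* 0x0A mov ax,4 / int 3 / cmp al,4 / jnz */
    0xB8, 0x11, 0x09, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,  /* 0x12 mov ax,911h / mov si,4647h / mov di,4A4Dh / int 3 */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x02,  /* 0x1C mov ax,4Fh / int 41h / cmp ax,0F386h / jz */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,             /* 0x26 "\\.\SICE",0 */
    0xC3                                                         /* 0x2F ret */
};

int main(void)
{
    size_t n = scan_anti_softice(sample, sizeof sample);
    printf("%zu signature hit(s)\n", n);
    return n ? 1 : 0;          /* non-zero exit when anti-debug tricks were found */
}
```

Run it over a file's contents instead of `sample` to triage a packed executable before loading it under SoftICE; a hit on "F386" alone is weak evidence (three bytes), so weigh it by whether an int 41h or int 68h sequence sits a few bytes before it.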
</PRE></TD></TR></TBODY></TABLE>