<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

A method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point to segment 0 (the IVT),
        xchg bx, es:[41h*4+2]   ; as set up in method 06
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

A method detecting the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE, but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
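As an added example (not part of the original text), here is a small static scanner that looks for the byte encodings behind methods 01 to 13 above, so an analyst can flag which of these anti-SoftICE checks a binary carries before stepping through it. The signature list, the allowed gaps between instructions and the sample buffer are my own constructions from the sequences quoted on the page.

```python
"""Static scanner for the anti-SoftICE tricks described above (added example).
Signatures are the byte encodings (16-bit operand size; a 66h prefix in 32-bit
code leaves the substrings intact) of the sequences each method relies on,
with small gaps allowed for unrelated instructions. Hits report pattern start.
"""
import re
import sys

SIGNATURES = {
    "01 BoundsChecker 'BCHK' marker (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC",
    "02 SoftICE back door magic (mov si,4647h; mov di,4A4Dh ... int 3)":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC",
    "03/04 int 2Fh/1684h VxD entry (mov bx,0202h SICE / 7A5Fh SIWVID)":
        rb"\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F",
    "05 int 41h/4Fh debugger check (mov ax,4Fh; int 41h)":
        rb"\xB8\x4F\x00.{0,16}\xCD\x41",
    "07 int 68h/43h V86 handler check (mov ah,43h; int 68h)":
        rb"\xB4\x43.{0,6}\xCD\x68",
    # literal \\.\SICE, \\.\SIWVID or \\.\NTICE (CreateFileA or _lopen)
    "11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # ASCII only; UTF-16 copies of these key names are not covered
    "13 SoftICE registry key name":
        rb"(?i)Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}
COMPILED = {name: re.compile(p, re.DOTALL) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the page's sequences glued together with NOP filler.
SAMPLE = (
    b"\x90" * 4                                    # 0: filler
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"      # 4: method 01
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xB8\x11\x09\xCC"  # 16: method 02
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 29: method 03
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # 40: method 05
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                            # 51: method 11
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # 63: method 12
    + b"\x90" * 3
    + b"Software\\NuMega\\SoftICE\x00"              # 73: method 13
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"0x{offset:08X}  {name}")
```

Gaps and orderings are heuristics: a packer that interleaves junk between the instructions, or stores the device name as UTF-16, will slip past this and needs the SoftICE breakpoints given in the text instead.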