<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al, 4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler: if SoftICE is loaded it answers the call itself, so the
magic value still comes back.

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; ...and restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if SoftICE has taken over int 41h, the
handler never runs and CL differs from the (PIT timer) value read into AL:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

 BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed:

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SoftICE VxD through its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the handle could be opened: the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',00
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06), but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>