<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce windows)
        -AX = 0911h (Execute SIce commands - the command is at ds:dx)
        -AX = 0912h (Get breakpoint infos)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES is assumed to point to the IVT (segment 0) here, as Method 06
        ; sets it up explicitly.
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the previous handler
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the SICE VxD by its device name; the open only succeeds when
       the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

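The byte encodings behind methods 01 to 07, 11 and 12 make these checks easy to spot when triaging a protected binary. The scanner below is an added example, not code from the original page or from any tool it mentions; the signature list, the sample image and its offsets are constructed for this illustration.

```python
"""Triage scanner for the anti-SoftICE tricks catalogued on this page.

Constructed example, not code from the original page: it matches the x86
byte encodings of the instruction sequences and the driver names the page
lists, so an analyst can jump to each check in a disassembler by offset.
"""
import re

# (label, pattern). Immediates are little-endian. A 0x66 operand-size prefix
# may precede the 16-bit forms in 32-bit code; patterns start after it.
SIGNATURES = [
    ("Method 01: BoundsChecker magic 'BCHK' (mov ebp,4243484Bh)", rb"\xBD\x4B\x48\x43\x42"),
    ("Method 02: back door magic (mov si,4647h)", rb"\xBE\x47\x46"),
    ("Method 02: back door magic (mov di,4A4Dh)", rb"\xBF\x4D\x4A"),
    ("Method 03: int 2Fh/1684h, SICE VxD ID 0202h", rb"\xBB\x02\x02\xCD\x2F"),
    ("Method 04: int 2Fh/1684h, SIWVID VxD ID 7A5Fh", rb"\xBB\x5F\x7A\xCD\x2F"),
    ("Method 05: int 41h function 4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 05/07/12: cmp ax,0F386h debugger magic", rb"\x3D\x86\xF3"),
    ("Method 07: int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    ("Method 11: MeltICE driver name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 002A002Ah)", rb"\x68\x2A\x00\x2A\x00"),
]

# Constructed sample image: a fragment shaped like the Haspinst.exe loop
# (Method 02), an int 41h/4Fh check (Method 05) and a MeltICE device name.
SAMPLE = (
    b"\x90" * 8                 # filler
    + b"\xB8\x11\x09"           # mov ax,0911h   execute SoftICE command
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h   magic value 1  (offset 13)
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh   magic value 2  (offset 16)
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh / int 41h          (offset 24)
    + b"\x3D\x86\xF3\x74\x05"   # cmp ax,0F386h / jz detected   (offset 29)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"        # '\\.\SICE',0                  (offset 38)
)

def scan(image: bytes):
    """Return sorted (offset, label) pairs for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), label))
    return sorted(hits)

def tricks_found(image: bytes):
    """Distinct method labels hit, e.g. {'Method 02', 'Method 11'}."""
    return {label.split(":")[0] for _, label in scan(image)}

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Three-byte patterns such as the SI/DI magic values are noisy on arbitrary data, so treat hits as leads to confirm in a disassembler rather than as proof.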
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>