<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE: when SoftICE is
loaded, the int 3 below is answered and AL no longer equals 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jumps back.
    4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI stays 0000:0000.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h    ; VxD ID of winice
    int 2Fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh    ; VxD ID of SIWVID
    int 2fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet as well as the following method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector (ES must be 0, the interrupt vector table) at a dummy handler, so that
whatever still returns the magic number intercepts int 41h before the real
mode vector is consulted, as SoftICE does:

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
never compares the magic number. Instead it installs its own int 41h
handler that copies AL into CL, calls int 41h with a fresh value in AL
(read from timer port 40h) and CX=0, then checks whether its handler was
really reached. If SoftICE intercepts int 41h, the handler is not reached
(or AL is changed) and CL no longer equals AL.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
      BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints (BPM) are set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
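The DR7 values quoted above can be decoded bit by bit. The following Python is an added example, not code from the article or from SoftICE: it shows what a ring0 check in the spirit of method 10 would see in DR7 and DR0-DR3. The only thing assumed beyond the page is the Intel DR7 bit layout (documented in the SDM); the register values at the bottom are constructed.

```python
"""Decode the x86 debug registers as a method 10 style ring0 check reads them.

Added example, not code from the original article; register values below
are constructed.

DR7 layout (Intel SDM vol. 3, "Debug Registers"):
  bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  per-breakpoint local/global enables
  bits 8, 9  LE, GE                   exact-match flags (0x300 together)
  bit  10    reserved, always 1       hence the 0x400 baseline on the page
  bit  13    GD                       general detect
  bits 16+   R/W_n (2 bits) and LEN_n (2 bits) for breakpoint n at 16 + 4*n
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def active_breakpoints(dr7, dr=(0, 0, 0, 0)):
    """List hardware breakpoints enabled in DR7 with their DR0-DR3 address.

    Each entry is (index, address, scope, condition, length_in_bytes).
    """
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append((n, dr[n], "global" if glob else "local",
                    RW_NAMES[rw], LEN_BYTES[ln]))
    return bps


def softice_loader_used(dr7):
    """Page heuristic: 0x700 (LE+GE+reserved bit) when the program was
    started with the SoftICE loader, 0x400 (reserved bit only) otherwise."""
    return (dr7 & 0x700) == 0x700


def clear_bpms(dr7):
    """Mimic the 'clearing BPMs' manipulation: drop every L/G enable and the
    R/W and LEN fields, keep LE/GE/GD and the reserved bits (bits 8-13)."""
    return dr7 & 0x3F00


# Constructed values: a program started with the SoftICE loader (0x700 base)
# while a 4-byte write BPM sits on 401000h in DR0 (L0 set, R/W0=01, LEN0=11).
SAMPLE_DR7 = 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)
SAMPLE_DR = (0x401000, 0, 0, 0)

if __name__ == "__main__":
    print(hex(SAMPLE_DR7), softice_loader_used(SAMPLE_DR7),
          active_breakpoints(SAMPLE_DR7, SAMPLE_DR))
```

Reading the registers needs ring0 (a `mov eax, dr7` faults in ring3), which is why the page limits the trick to VxD code; the decoder itself is the same whether the values come from a driver or from a crash dump.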
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the SICE device only succeeds when the SoftICE VxD is loaded */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and, then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
 4-byte compare lands on the start of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the lpSubKey string: offset 0x13 reaches "tICE" in key #2 and
 offset 0x37 reaches it in key #1)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>