<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an INT 03h
issued with EBP = 'BCHK' and AX = 04h is serviced by SoftICE, and AL no
longer holds 04h on return. If nobody answers, AL is unchanged.

        mov  ebp, 04243484Bh     ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al, 4               ; AL still 4: nobody serviced the call
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information about breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' checked by SoftICE.
For more information, see "Ralf Brown's Interrupt List", INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; back door call (if SoftICE is not loaded,
                               ; execution continues at 00AD*)
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP          ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the jump to 00ADh is performed by the exception handler the program has
  installed for INT 03h, which is what runs when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID through INT 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI returns its API
entry point; if it is not, ES:DI is left untouched, hence the zeroing
beforehand.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h           ; VxD ID of SICE (winice)
        int  2Fh
        mov  ax, es              ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax              ; 0 only if both ES and DI are still 0
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7A5Fh           ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es              ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected
__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls INT 41h, function 4Fh (debugger installation
check).
There are several variants. The following one is the simplest:

        mov  ax, 4Fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

The next one, as well as the one in method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the INT 41h vector
in the interrupt vector table (at 0000:0104h) with a dummy handler, so that
without a system debugger the call does nothing and AX stays 4Fh; the only
way AX can come back as 0F386h is if a debugger intercepts INT 41h before
the vector is reached:

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]      ; ES must be 0 (interrupt vector table),
        xchg bx, es:[41h*4+2]    ; see method 06; old vector now in BX:DX
        mov  ax, 4Fh
        int  41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0F386h
        jz   SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to spot:
there is no 4Fh in AX and no 0F386h anywhere in the code. The temporary
handler simply copies AL into CL. If our handler is the one that ran, CL
equals the (pseudo-random) value read from the timer port; if something
else took the interrupt, it does not.

int41handler PROC
        mov  cl, al
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax              ; ES = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in   al, 40h             ; pseudo-random value from the PIT counter
        xor  cx, cx
        int  41h
        xchg dx, es:[41h*4]      ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al
        jnz  SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

        mov  ah, 25h             ; DOS: set interrupt vector
        mov  al, Int_Number      ; 01h or 03h
        mov  dx, offset New_Int_Routine   ; DS:DX -> new handler
        int  21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

        mov  eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
        mov  edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

        BPX Get_DDB if ax==0202 || ax==7A5F

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (DR7 = 0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (DR0 to DR3), simply
by looking at their values. The values can also be modified (clearing BPMs,
for instance).
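To see what the two DR7 values quoted above actually mean, here is a small decoder of the DR7 bit fields. It is an added illustration, not part of the original text: it only decodes integer values you pass in (reading the real DR7 needs ring 0, e.g. from a VxD). The idle value is 0x400 because bit 10 of DR7 is reserved and always reads as 1; 0x700 additionally has the LE and GE exact-breakpoint flags (bits 8 and 9) set, which is the value quoted for a program started from the SoftICE loader; a BPM shows up as one of the L0-L3/G0-G3 enable bits plus its R/W and LEN fields. The helper that builds an armed value is my own, to feed the decoder realistic input.

```python
# Decoder for the x86 DR7 debug-control register, added to show what the
# values 0x700 and 0x400 quoted above encode. This is an added example, not
# code from the original text; it works on integers you pass in (reading the
# real DR7 needs ring 0), not on the CPU.

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # LENn field; code 2 means 8 bytes on x86-64


def decode_dr7(dr7):
    """Describe the breakpoints and control flags enabled by a DR7 value."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)          # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)       # Gn: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3              # R/Wn: what triggers it
        ln = (dr7 >> (18 + 4 * n)) & 3              # LENn: watched size
        bps.append({"index": n, "local": local, "global": glob,
                    "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),     # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),     # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),    # general detect: trap on any DRn access
    }


def debugger_hints(dr7):
    """The check described above, as a list of reasons to suspect a debugger."""
    d = decode_dr7(dr7)
    hints = []
    if d["le"] or d["ge"]:
        hints.append("LE/GE set: a debugger enabled exact data breakpoints")
    if d["breakpoints"]:
        hints.append("%d hardware breakpoint(s) armed (BPM?)" % len(d["breakpoints"]))
    if d["gd"]:
        hints.append("GD set: the debug registers themselves are watched")
    return hints


def armed_dr7(index, rw, length_code, local=True):
    """Build the DR7 value a debugger writes to arm one breakpoint (own helper).

    Bit 10 is reserved and reads as 1, which is why the idle value is 0x400.
    """
    enable = 1 << (2 * index + (0 if local else 1))
    return (0x400 | enable | (rw << (16 + 4 * index))
            | (length_code << (18 + 4 * index)))


if __name__ == "__main__":
    for value in (0x400, 0x700, armed_dr7(0, 3, 3)):
        print("DR7=%#06x  %s" % (value, debugger_hints(value) or ["nothing armed"]))
```

Running it prints nothing armed for 0x400, the LE/GE hint for 0x700, and one armed 4-byte read/write breakpoint (the shape of a BPM RW) for the constructed value.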

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. If the open succeeds, the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the C string "\\\\.\\SICE" is the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je   00401091        ; not loaded

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the leading "\\.\")

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
                                         ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                         ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; HFILE_ERROR (-1) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004Fh           ; function 4Fh
        push 002A002Ah           ; high word: which VxD (002Ah = VWIN32),
                                 ; low word: which service (002Ah =
                                 ; VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp  ax, 0F386h          ; magic number returned by system debuggers
        jz   SoftICE_Detected

Here again, there are several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f ; slooooow!
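The instruction sequences of methods 01 to 07 and 12, and the device names of method 11, have fixed byte encodings, so a reverser can find them statically before the program ever runs. The following scanner is an added example (not part of the original text, nor of any of the programs mentioned): it encodes those sequences as byte patterns, with the 66h operand-size prefix optional so that one rule matches both 16-bit DOS and 32-bit Win32 code, and runs them over a constructed sample image. The sample bytes and the offsets quoted in its comments are made up for this demonstration; the device-name rule and the `scan_file` helper are mine.

```python
# Static scanner for the SoftICE detection tricks of methods 01-07, 11 and 12.
# Added example, not part of the original text: it matches the byte encodings
# of the instruction sequences shown above (16-bit and 32-bit operand forms)
# and the "\\.\SICE"-style driver names in a raw binary image. The sample
# image and all offsets below are constructed for this demonstration.
import re
import sys

# (name, regex over bytes). The 66h operand-size prefix is optional so one
# rule covers both DOS (16-bit) and Win32 (32-bit) code segments.
SIGNATURES = [
    ("01 BoundsChecker back door (EBP='BCHK', AX=4, INT 3)",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh
     rb"(?:\x66)?\xB8\x04\x00"                # mov ax, 4
     rb"\xCC"),                               # int 3
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh, INT 3)",
     rb"(?:\x66)?\xBE\x47\x46"                # mov si, 4647h
     rb"(?:\x66)?\xBF\x4D\x4A"                # mov di, 4A4Dh
     rb".{0,8}?\xCC"),                        # int 3 within a few bytes
    ("03/04 INT 2F/1684 with SICE or SIWVID VxD ID",
     rb"(?:\x66)?\xB8\x84\x16"                # mov ax, 1684h
     rb"(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)"   # mov bx, 0202h / 7A5Fh
     rb".{0,4}?\xCD\x2F"),                    # int 2Fh
    ("05 INT 41/4F debugger installation check",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),      # mov ax, 4Fh / int 41h
    ("07 INT 68/43 WinICE handler check",
     rb"\xB4\x43\xCD\x68"),                   # mov ah, 43h / int 68h
    ("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),       # push 4Fh / push 002A002Ah
    ("05/07/12 compare with magic 0F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),              # cmp ax, 0F386h
    ("11 MeltICE driver name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(image):
    """Return sorted (offset, signature name) pairs found in a bytes image."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(image))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image: a Haspinst-style back door loop body (16-bit),
# then a Win32 BoundsChecker check, a MeltICE device name and a Bleem-style
# VxDCall check, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"             # mov ax, 0911h
    + b"\x8B\x17"                 # mov dx, [bx]
    + b"\xBE\x47\x46"             # mov si, 4647h      (offset 9)
    + b"\xBF\x4D\x4A"             # mov di, 4A4Dh
    + b"\xCC"                     # int 3
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"     # mov ebp, 4243484Bh (offset 20)
    + b"\x66\xB8\x04\x00"         # mov ax, 4
    + b"\xCC"                     # int 3
    + b"\x3C\x04"                 # cmp al, 4
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"          # "\\.\SICE",0       (offset 36)
    + b"\x90" * 4
    + b"\x6A\x4F"                 # push 4Fh           (offset 49)
    + b"\x68\x2A\x00\x2A\x00"     # push 002A002Ah
    + b"\x66\x3D\x86\xF3"         # cmp ax, 0F386h     (offset 56)
    + b"\x90" * 4
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, name in hits:
        print("%08X  %s" % (offset, name))
```

Run it with a file name to scan a real binary; without one it scans the constructed sample and reports five hits. The `cmp ax,0F386h` rule is reported on its own because that compare also shows up in legitimate code (any INT 41h client), so treat it as supporting evidence next to a matching INT 41h, INT 68h or VxDCall hit rather than as proof by itself.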

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 is the offset of 'tICE' inside
"Software\NuMega\SoftICE" and 0x37 its offset inside the Uninstall path
of key #1)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je   not_installed       ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>