<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h         ; VxD ID of winice
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; es must point to segment 0 (the IVT), as in method 06
    xchg bx, es:[41h*4+2]     ; install our own int 41h handler, saving the old vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h            ; our handler leaves ax alone: only SoftICE answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                 ; copy the timer byte read below
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                 ; es = segment 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                ; read a (pseudo-random) byte from timer channel 0
    xor cx,cx
    int 41h                   ; our handler should copy al into cl...
    xchg dx, es:[41h*4]       ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                 ; ...unless SoftICE got the interrupt first
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
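The DR7 bit layout behind the 0x700/0x400 rule of thumb above, as an added Python decoder (not part of the original text). The DR7 values fed to it are constructed for the example, not read from a machine.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit 8 LE, bit 9 GE  (the 0x300 part of the 0x700 value quoted above)
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13 GD  general detect: trap any access to the debug registers
#   bits 16-31 per-breakpoint R/W (2 bits) and LEN (2 bits) for DR0..DR3
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Expand a DR7 value into its flags plus the list of armed DR0..DR3 slots."""
    info = {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": []}
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            info["breakpoints"].append(
                {"dr": i, "global": glob, "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return info


def softice_loader_signature(dr7: int) -> bool:
    """The page's rule of thumb: 0x700 when the target was started from the
    SoftICE loader, 0x400 otherwise.  Only LE/GE (bits 8-9) carry the signal,
    since bit 10 reads as 1 on every CPU."""
    return bool(dr7 & 0x300)


def memory_breakpoints_armed(dr7: int) -> bool:
    """What the trick under method 10 reads for BPMs: any L/G enable bit set."""
    return bool(dr7 & 0xFF)


# Constructed values: the two quoted on the page, plus a DR7 as it would look
# with DR0 armed as a local 4-byte write breakpoint (L0=1, RW0=01b, LEN0=11b).
DR7_LOADER, DR7_PLAIN = 0x700, 0x400
DR7_BPM_WRITE4 = 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)   # == 0xD0401

if __name__ == "__main__":
    for v in (DR7_LOADER, DR7_PLAIN, DR7_BPM_WRITE4):
        print(f"dr7={v:08X}: loader={softice_loader_signature(v)} {decode_dr7(v)}")
```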

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD is loaded and answers the request */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                          ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                          ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected
___________________________________________________________________________
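An added example, not code from the original text, showing what the classic BPX CreateFileA condition above actually evaluates: esp->4 is lpFileName, the first stack argument, and +4 skips the four-character \\.\ prefix before the compare. The memory image, the stack frame and the reuse of the addresses from the MeltICE listing are all constructed; the same check applies on entry to _lopen, whose name argument is also at esp+4.

```python
import struct


class Snapshot:
    """Flat memory image built from {base_address: bytes} regions (constructed)."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, addr, n):
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return bytes(data[addr - base:addr - base + n])
        raise ValueError(f"unmapped read at {addr:08X}")

    def dword(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def cstring(self, addr, limit=64):
        out = b""
        while len(out) < limit:
            ch = self.read(addr + len(out), 1)
            if ch == b"\x00":
                break
            out += ch
        return out


# The three driver names MeltICE tries, keyed by the 4 bytes SoftICE compares.
DEVICE_TAGS = {b"SICE": "SICE (Win9x)", b"SIWV": "SIWVID (Win9x)", b"NTIC": "NTICE (WinNT)"}


def bpx_condition(mem, esp):
    """SoftICE: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    On entry to CreateFileA (or to _lopen) esp->4 is lpFileName, the first
    argument; +4 steps over the 4-character '\\\\.\\' device prefix.
    Returns the driver that matched, or None."""
    lp_name = mem.dword(esp + 4)
    return DEVICE_TAGS.get(mem.read(lp_name + 4, 4))


def make_call_frame(ret_addr, *args):
    """Stack as the callee sees it: return address, then the pushed arguments."""
    return struct.pack("<%dI" % (1 + len(args)), ret_addr, *args)


# Constructed snapshot reusing the addresses from the MeltICE listing above:
# the name at 00402025 and the frame left by 'call CreateFileA' at 0040106C.
STR_SICE, STR_TXT, ESP = 0x00402025, 0x00402040, 0x0012FF00
MEM = Snapshot({STR_SICE: b"\\\\.\\SICE\x00", STR_TXT: b"C:\\readme.txt\x00",
                ESP: make_call_frame(0x00401071, STR_SICE, 0xC0000000, 3, 0, 3, 0x80, 0)})
MEM_BENIGN = Snapshot({STR_TXT: b"C:\\readme.txt\x00",
                       ESP: make_call_frame(0x00401071, STR_TXT, 0x80000000, 1, 0, 3, 0x80, 0)})

if __name__ == "__main__":
    for snap in (MEM, MEM_BENIGN):
        name = snap.cstring(snap.dword(ESP + 4)).decode()
        print(f"CreateFileA({name!r}) -> {bpx_condition(snap, ESP)}")
```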

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________
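An added example, not code from the original text: a small Python signature scanner for the three sequences quoted under methods 01, 02 and 12 above (the 'BCHK' int 3 probe, the SI/DI magic-value back door call, and the VxDCall to VWIN32_Int41Dispatch with function 4Fh). The hand-assembled sample buffer is constructed for the test, and the optional 66h prefix handling assumes the usual 16-bit versus 32-bit operand-size encodings.

```python
import re

# Hand-assembled copies of the sequences quoted on the page (constructed test
# input, not taken from a real binary), separated by NOP padding.
BCHK_SEQ = bytes.fromhex("BD4B484342" "66B80400" "CC")      # mov ebp,'BCHK' / mov ax,4 / int 3 (32-bit)
BACKDOOR_SEQ = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")  # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 (16-bit)
VXDCALL_SEQ = bytes.fromhex("684F000000" "682A002A00" "E8")  # push 4Fh / push 002A002Ah / call ... (32-bit)
SAMPLE = b"\x90" * 8 + BCHK_SEQ + b"\x90" * 8 + BACKDOOR_SEQ + b"\x90" * 8 + VXDCALL_SEQ

# Back door function numbers listed under method 02.
INT3_FUNCS = {0x0910: "display string", 0x0911: "execute command",
              0x0912: "get breakpoint info", 0x0913: "set breakpoint",
              0x0914: "remove breakpoint"}

# An optional 66h operand-size prefix lets each pattern match both 16-bit
# and 32-bit code segments.
RE_BCHK = re.compile(rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC", re.DOTALL)
# mov ax,09xxh, then within 16 bytes mov si,4647h / mov di,4A4Dh / int 3
RE_MAGIC = re.compile(
    rb"\x66?\xB8(.)\x09.{0,16}?\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A\xCC", re.DOTALL)
# push imm8 or imm32 (function), then push imm32 (service | vxd_id << 16)
RE_VXDCALL = re.compile(rb"(?:\x6A(.)|\x68(.)\x00\x00\x00)\x68(..)(..)", re.DOTALL)

VWIN32_ID, VWIN32_INT41DISPATCH, DEBUGGER_CHECK = 0x002A, 0x002A, 0x4F


def scan(buf: bytes) -> list:
    """Return sorted (offset, description) pairs for every sequence found in buf."""
    hits = []
    for m in RE_BCHK.finditer(buf):
        hits.append((m.start(), "method 01: BoundsChecker 'BCHK' int 3 probe"))
    for m in RE_MAGIC.finditer(buf):
        func = 0x0900 | m.group(1)[0]
        name = INT3_FUNCS.get(func, "unknown function")
        hits.append((m.start(), f"method 02: int 3 back door, ax={func:04X}h ({name})"))
    for m in RE_VXDCALL.finditer(buf):
        func = (m.group(1) or m.group(2))[0]
        service = int.from_bytes(m.group(3), "little")
        vxd_id = int.from_bytes(m.group(4), "little")
        if (vxd_id, service, func) == (VWIN32_ID, VWIN32_INT41DISPATCH, DEBUGGER_CHECK):
            hits.append((m.start(), "method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh"))
    return sorted(hits)


if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:08X}  {what}")
```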

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>