<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK') that SoftICE recognises:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h chapter.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of winice
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh     ; VxD ID of SIWVID
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs                ; assumes es = 0 (interrupt vector table)
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; temporarily install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________
) u1 q, U$ {+ _7 q8 p
2 s- ^9 A- ~3 q+ A: Y; R) l
! K* s: ]! D$ w0 I6 k/ ~Method 06
% {$ v! H- r- Z! n2 P=========. @/ M, c) F9 L4 s6 J' P
" w' Q9 U7 V: j- v
. z& h5 I, ]9 \ b: L2nd method similar to the preceding one but more difficult to detect:& a$ D( p% |, K3 h( b7 M0 q9 v
# Q) j9 o! u V1 |1 _* |6 e' A8 _; c# O( t8 L* b- P9 x+ t! x
int41handler PROC6 m6 r) b8 z" S' e5 e
mov cl,al* G b, l6 k/ K, d" f8 ?
iret: c# I, E8 R1 S4 l X4 Y
int41handler ENDP F) M! |( Q' P4 a0 d3 n0 T
4 `7 |; M; \ u" Z$ T
" s$ |& ]* S i) M6 W xor ax,ax
F8 h7 K0 I0 c {2 s, m7 |' | mov es,ax8 y7 A1 }+ Q0 l7 g9 B6 e9 e5 D
mov bx, cs( H, F4 C+ {5 `2 H& M1 c, }2 t
lea dx, int41handler9 ?2 g$ b! d- `# H$ w; U% U
xchg dx, es:[41h*4]& h8 |% X0 u- z
xchg bx, es:[41h*4+2]7 J: s0 M8 P U# r! c
in al, 40h
6 F% V( ?+ |' @& S xor cx,cx' t0 t! P: g! ]8 \
int 41h4 [4 x6 S+ k2 j) E
xchg dx, es:[41h*4]8 t8 @5 k( O+ S2 ~, T; ^
xchg bx, es:[41h*4+2]
/ }/ S, ~) @# c0 ^4 G; |. C# L cmp cl,al- Q0 X- ]* {7 u' P4 }5 V) ]! Q3 ^- B
jnz SoftICE_detected
. B } U8 X# a/ p0 t5 D# y; \# T, O
_________________________________________________________________________6 x# u" }% V E5 s# z* z% c+ [. h

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow Symbol
Loader to check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only when SoftICE is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>