<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE's int 3 handler answers the BCHK request
        cmp al,4                ; al != 4 means SoftICE handled the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h           ; int 2Fh: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h           ; int 2Fh: get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if absent)
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh              ; debugger installation check
        int 41h
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes es = 0 (interrupt vector table), as set up in method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax untouched
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; runs only if int 41h reaches our handler
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value (timer port)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

/* Win32 (needs windows.h). Opening the device only succeeds when the
   SICE driver is loaded; otherwise CreateFile returns INVALID_HANDLE_VALUE. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; -1 (HFILE_ERROR) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; zero flag set when no debugger is installed

This service just checks a flag.
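As an added example (not part of the original text), here is a Python scanner that searches a binary for the byte patterns of the tricks in methods 01-07, 11 and 12: the 'BCHK' and back door magic values, the int 2Fh/1684h VxD IDs, the int 41h/4Fh and int 68h/43h calls, the VxDCall 002A002Ah form and the \\.\SICE device names. The instruction encodings are standard x86 and the sample blob is constructed here, not taken from any real file.

```python
import re

# Byte-level signatures for the SoftICE checks described above. Encodings are
# standard 16-bit x86 (a 66h prefix in 32-bit code still matches); the
# immediates and device names are the magic values listed on this page.
# Up to 16 arbitrary bytes are tolerated between the instructions of one trick.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3":      rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)",
    # Method 02: mov si,4647h ... mov di,4A4Dh (back door magic values)
    "backdoor_magic": rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "vxd_entry_2f":   rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ... int 41h
    "int41_4f":       rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "int68_43":       rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41":  rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Methods 05/07/12: cmp ax,0F386h (3 bytes only, so confirm hits by hand)
    "magic_f386":     rb"\x3D\x86\xF3",
    # Method 11: device names opened by MeltICE-style CreateFileA/_lopen checks
    "device_name":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, blob, re.DOTALL):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: the Haspinst-style back door call from method 02, the
# int 2Fh/1684h check from method 03 and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 8
    + b"\x31\xFF\x8E\xC7"      # xor di,di ; mov es,di
    + b"\xB8\x84\x16"          # mov ax,1684h
    + b"\xBB\x02\x02"          # mov bx,0202h
    + b"\xCD\x2F"              # int 2Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a real DOS or Win9x executable by passing the file contents to scan(); hits on the three-byte cmp pattern should be checked in a disassembler.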
</PRE></TD></TR></TBODY></TABLE>