<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
        -AX = 0910h (Display string in SIce windows)
        -AX = 0911h (Execute SIce commands - the command is located at ds:dx)
        -AX = 0912h (Get breakpoint infos)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911      ; execute command.
        4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647      ; 1st magic value.
        4C19:009D MOV DI,4A4D      ; 2nd magic value.
        4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
        4C19:00A8 JB 0095          ; 6 different commands.
        4C19:00AA JMP 0002         ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point to segment 0 (the IVT) here, as set up in Method 06
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________


Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
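
As an added illustration of what Method 10 actually reads (this Python is not
part of the original text), the decoder below interprets a DR7 value using the
documented x86 bit layout: which of DR0..DR3 are armed, for what access kind
and length, and the LE/GE bits that make up the difference between the 0x700
and 0x400 values quoted above. The sample values it runs on are constructed.

```python
"""Decode an x86 DR7 value the way an analyst applying Method 10 would.

Added example, not code from the original text. It uses the documented x86
DR7 bit layout; the two values quoted above, 0x700 (program started through
the SoftICE loader) and 0x400 (otherwise), are taken from the text, and the
sample values below are constructed.
"""

DR7_LE = 0x100           # bit 8:  local exact breakpoint enable
DR7_GE = 0x200           # bit 9:  global exact breakpoint enable
DR7_RESERVED_1 = 0x400   # bit 10: architecturally reserved, always reads as 1
DR7_GD = 0x2000          # bit 13: general detect, faults on any mov to/from DRn

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes (64-bit mode), undefined on 32-bit


def decode_dr7(dr7):
    """Return which of DR0..DR3 are armed, plus the global control bits."""
    armed = []
    for n in range(4):
        local_en = bool((dr7 >> (2 * n)) & 1)        # Ln bit
        global_en = bool((dr7 >> (2 * n + 1)) & 1)   # Gn bit
        if not (local_en or global_en):
            continue                 # slot disabled: its R/W and LEN fields are meaningless
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"dr": n, "local": local_en, "global": global_en,
                      "kind": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "exact_le": bool(dr7 & DR7_LE),
        "exact_ge": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "armed": armed,
    }


def loaded_via_softice_loader(dr7):
    """The 0x700-vs-0x400 heuristic from the text.

    Only bits 8 and 9 (LE/GE) differ between the two values; bit 10 is the
    reserved-as-1 bit and is set in both, so it carries no information.
    """
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def bpm_count(dr7):
    """Number of hardware (BPM-style) breakpoints DR7 currently enables."""
    return len(decode_dr7(dr7)["armed"])


def build_dr7(slot, kind, length, local=True):
    """Inverse helper: compose a DR7 that arms one slot, to show how a BPM looks.

    kind is one of RW_NAMES' values, length one of 1, 2, 4 (or 8 in 64-bit mode).
    """
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return DR7_RESERVED_1 | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for value in (0x400, 0x700, build_dr7(0, "write", 4)):   # constructed samples
        print(hex(value), decode_dr7(value), loaded_via_softice_loader(value))
```

Reading DR7 this way makes the caveat in the text concrete: a BPM you leave set
shows up as an armed slot, which is exactly what a protection checking these
registers looks for, hence the advice to clear breakpoints first.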

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* needs windows.h */
BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
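
The breakpoints listed under Methods 11, 12 and 13 catch these tricks at run
time. As an added example (Python, not code from the original text), the
scanner below does the same job statically: it turns the instruction bytes of
the snippets in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into byte-level
signatures an analyst can run over an unpacked binary before ever loading it
in a debugger. The gaps tolerated between instructions are assumptions, the
device names are matched both as ASCII and UTF-16LE, and SAMPLE is a
constructed buffer, not a real file.

```python
"""Static triage scanner for the SoftICE-detection idioms catalogued above.

Added example; it is not code from the original text. It encodes the instruction
bytes of the snippets in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 as regexes
(for instance mov ebp,4243484Bh assembles to BD 4B 48 43 42, i.e. BD 'K' 'H' 'C' 'B')
so an analyst can flag them in an unpacked binary. The gaps tolerated between
instructions are assumptions; SAMPLE is a constructed buffer, not a real file.
"""
import re

DEVICE_PREFIX = b"\\\\.\\"                       # the \\.\ in \\.\SICE
DEVICE_NAMES = (b"SICE", b"SIWVID", b"NTICE")    # Win9x, Win9x video, WinNT drivers


def _device_name_pattern():
    r"""Match \\.\SICE etc. as ASCII (CreateFileA) and as UTF-16LE (CreateFileW)."""
    ascii_alts = b"|".join(re.escape(DEVICE_PREFIX + n) for n in DEVICE_NAMES)
    wide_alts = b"|".join(
        re.escape((DEVICE_PREFIX + n).decode("ascii").encode("utf-16-le"))
        for n in DEVICE_NAMES)
    return b"(?:" + ascii_alts + b"|" + wide_alts + b")"


SIGNATURES = [
    # (method, description, pattern)
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xBDKHCB.{0,8}?\xCC"),                    # mov ebp,4243484Bh ... int 3
    ("02", "back-door magic SI=4647h / DI=4A4Dh before int 3",
     rb"\xBEGF.{0,4}?\xBFMJ.{0,4}?\xCC"),         # mov si,4647h ; mov di,4A4Dh ; int 3
    ("03/04", "int 2Fh/1684h entry-point query for SICE (0202h) or SIWVID (7A5Fh)",
     rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00.{0,2}?\xCD\x41"),            # mov ax,4Fh ; int 41h
    ("07", "int 68h function 43h V86 handler check",
     rb"\xB4\x43\xCD\x68"),                       # mov ah,43h ; int 68h
    ("11", "MeltICE-style driver handle open (device name string)",
     _device_name_pattern()),
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),           # push 4Fh ; push 002A002Ah
    ("13", "SoftICE registry key string",
     rb"(?i:Software\\NuMega\\SoftICE)"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data):
    """Return every signature hit as a dict, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append({"method": method, "offset": m.start(),
                         "length": m.end() - m.start(), "desc": desc})
    hits.sort(key=lambda h: (h["offset"], h["method"]))
    return hits


def methods_found(data):
    """Method numbers present in the buffer, in offset order, without repeats."""
    seen = []
    for h in scan(data):
        if h["method"] not in seen:
            seen.append(h["method"])
    return seen


def bpx_tag(device_path):
    r"""The 4 bytes the classical 'BPX CreateFileA if *(esp->4+4)==...' compares:
    esp->4 is lpFileName and +4 skips the leading \\.\, so \\.\SIWVID shows 'SIWV'."""
    return device_path[4:8]


# Constructed buffer: filler around one instance of each idiom (16-bit encodings
# for the DOS-era methods, which is what the snippets above use).
SAMPLE = (
    b"\x90" * 4
    + b"\xBDKHCB\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"      # Method 01
    + b"\x00" * 6
    + b"\xB8\x11\x09\xBEGF\xBFMJ\xCC"                      # Method 02 (AX=0911h)
    + b"\x00" * 6
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03
    + b"\x00" * 6
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # Method 05 (+ cmp ax,0F386h)
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"                                   # Method 11
    + b"\x00" * 6
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12
    + b"\x00" * 6
    + b"Software\\NuMega\\SoftICE\x00"                     # Method 13
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#06x}  method {h['method']:<5} {h['desc']}")
```

The patterns are deliberately narrow (exact opcode sequences, short gaps), so a
miss only means the protection was encoded differently or is still packed; a
hit tells you which of the methods above to expect and which of the listed
breakpoints to set before stepping into the code.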
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>