<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=4, INT 3 is answered by SoftICE, which returns AL=0. Without SoftICE
the interrupt returns with AL still equal to 4.

     mov ebp, 04243484Bh    ; 'BCHK'
     mov ax, 04h
     int 3
     cmp al,4
     jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(get VxD API entry point). ES:DI is zeroed first; if the VxD is loaded the
call returns its entry point in ES:DI, otherwise ES:DI stays 0.

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 0202h          ; VxD ID of winice
     int 2Fh
     mov ax, es             ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 7a5Fh          ; VxD ID of SIWVID
     int 2fh
     mov ax, es             ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any system
debugger. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

     mov ax,4fh
     int 41h
     cmp ax, 0F386h
     jz SoftICE_detected


The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program's own IRET handler is swapped
into vector 41h around the call: without a debugger that vector does not
point to executable code (under plain DOS it holds the address of the first
fixed disk's parameter table), so an unprotected INT 41h could crash. SoftICE
intercepts INT 41h in ring 0 before the vector is reached, so the swap does
not hide the call from it. ES is assumed to be 0 here (see the next method).

     mov bx, cs
     lea dx, int41handler2
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     mov ax,4fh
     int 41h
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     cmp ax, 0f386h
     jz SoftICE_detected


int41handler2 PROC
     iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
program's own handler copies AL into CL. When SoftICE is loaded the handler
is never reached and CL keeps the 0 it was given, so it differs from the
timer byte read from port 40h (unless that byte happens to be 0).

int41handler PROC
     mov cl,al
     iret
int41handler ENDP


     xor ax,ax
     mov es,ax
     mov bx, cs
     lea dx, int41handler
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     in al, 40h
     xor cx,cx
     int 41h
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     cmp cl,al
     jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

     mov ah,43h
     int 68h
     cmp ax,0F386h
     jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
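
Added example, not part of the original text: a small C classifier that
recognises the register patterns of Methods 01 to 07 at the point where an
emulator, a sandbox or a debugger stub sees a software interrupt, and for
the AX=0911h back door pulls the command string out of a flat real-mode
memory image so that an HBOOT can be flagged before it is passed on. The
constants are the ones quoted above; the memory image, the table offsets
0100h/0200h and the replay of the Haspinst.exe loop are constructed for
the example (only the segment value 4C19h comes from the listing).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of looking at one software interrupt with its register values. */
typedef enum {
    NOT_SOFTICE_RELATED = 0,
    M01_BCHK,          /* INT 3,   EBP='BCHK', AX=4                    */
    M02_BACKDOOR,      /* INT 3,   SI=4647h, DI=4A4Dh, AX=0910h..0914h */
    M03_VXD_SICE,      /* INT 2Fh, AX=1684h, BX=0202h                  */
    M04_VXD_SIWVID,    /* INT 2Fh, AX=1684h, BX=7A5Fh                  */
    M05_INT41_4F,      /* INT 41h, AX=4Fh                              */
    M07_INT68_43       /* INT 68h, AH=43h                              */
} Finding;

#define BCHK_MAGIC 0x4243484Bu   /* 'BCHK' as the page writes it */

/* Classify by interrupt number and the registers the checks look at;
 * registers irrelevant to a given check are ignored. */
Finding classify_interrupt(uint8_t int_no, uint32_t ebp, uint16_t ax,
                           uint16_t bx, uint16_t si, uint16_t di)
{
    switch (int_no) {
    case 0x03:
        if (ebp == BCHK_MAGIC && ax == 0x0004)
            return M01_BCHK;
        if (si == 0x4647 && di == 0x4A4D && ax >= 0x0910 && ax <= 0x0914)
            return M02_BACKDOOR;
        return NOT_SOFTICE_RELATED;
    case 0x2F:
        if (ax == 0x1684 && bx == 0x0202) return M03_VXD_SICE;
        if (ax == 0x1684 && bx == 0x7A5F) return M04_VXD_SIWVID;
        return NOT_SOFTICE_RELATED;
    case 0x41:
        return ax == 0x004F ? M05_INT41_4F : NOT_SOFTICE_RELATED;
    case 0x68:
        return (ax >> 8) == 0x43 ? M07_INT68_43 : NOT_SOFTICE_RELATED;
    default:
        return NOT_SOFTICE_RELATED;
    }
}

/* AX=0911h: DS:DX points to the ASCIIZ command. Copy it out of a flat
 * real-mode image (linear = DS*16 + DX). Returns 1 for HBOOT, 0 for any
 * other command, -1 if the registers are not a 0911h back-door call. */
int backdoor_command(uint16_t ax, uint16_t si, uint16_t di,
                     uint16_t ds, uint16_t dx,
                     const uint8_t *mem, size_t mem_len,
                     char *out, size_t out_len)
{
    if (!(si == 0x4647 && di == 0x4A4D && ax == 0x0911))
        return -1;
    uint32_t lin = (uint32_t)ds * 16u + dx;
    size_t n = 0;
    while (lin + n < mem_len && n + 1 < out_len && mem[lin + n] != 0) {
        out[n] = (char)mem[lin + n];
        n++;
    }
    out[n] = '\0';
    return strcmp(out, "HBOOT") == 0;
}

/* Replay of the Haspinst.exe loop: six command strings plus a table of near
 * pointers to them in a constructed image. Returns how many of the six
 * INT 3 calls would hand HBOOT to SoftICE. */
int haspinst_replay(void)
{
    static uint8_t mem[0x50000];                 /* covers segment 4C19h */
    static const char *cmds[6] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };
    const uint16_t seg = 0x4C19, tbl_off = 0x0100, str_off = 0x0200;
    const uint32_t base = (uint32_t)seg * 16u;
    char cmd[16];
    int hboot = 0;

    memset(mem, 0, sizeof mem);
    for (int i = 0; i < 6; i++) {
        uint16_t off = (uint16_t)(str_off + i * 8);
        memcpy(mem + base + off, cmds[i], strlen(cmds[i]) + 1);
        mem[base + tbl_off + 2 * i]     = (uint8_t)(off & 0xFF);  /* LE word */
        mem[base + tbl_off + 2 * i + 1] = (uint8_t)(off >> 8);
    }
    uint16_t bx = tbl_off;
    for (int cx = 0; cx < 6; cx++) {                        /* CMP CX,06 / JB */
        uint16_t dx = (uint16_t)(mem[base + bx] | (mem[base + bx + 1] << 8));
        if (classify_interrupt(0x03, 0, 0x0911, bx, 0x4647, 0x4A4D) == M02_BACKDOOR &&
            backdoor_command(0x0911, 0x4647, 0x4A4D, seg, dx,
                             mem, sizeof mem, cmd, sizeof cmd) == 1)
            hboot++;
        bx += 2;                                             /* ADD BX,02 */
    }
    return hboot;
}

int main(void)
{
    printf("INT 3 with EBP='BCHK', AX=4 -> finding %d\n",
           classify_interrupt(0x03, BCHK_MAGIC, 4, 0, 0, 0));
    printf("Haspinst loop: %d HBOOT command(s) out of 6\n", haspinst_replay());
    return 0;
}
```

In an emulator the natural place for classify_interrupt() is the INT
dispatch; a hit on M02_BACKDOOR with a command that reads HBOOT is the one
case worth refusing rather than just logging.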
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

     mov ah, 25h
     mov al, Int_Number          ; 01h or 03h
     mov dx, offset New_Int_Routine
     int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

     mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
     mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
     VMMCall Get_DDB
     mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
     bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise;
bit 10 (0x400) always reads as 1 and 0x300 are the LE/GE exact-match bits)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
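
Added example (illustrative code for this page, not the program's or
SoftICE's): a DR7 decoder that turns the two values above into their bits,
shows what an armed BPM looks like in DR7, and how a program that can read
the register in ring 0 could also clear it. The bit layout is the IA-32 one;
the values passed in are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One of the four hardware breakpoints described by DR7. */
typedef struct {
    int enabled;   /* Ln or Gn bit set */
    int global;    /* Gn rather than Ln */
    int rw;        /* 0 execute, 1 write, 2 I/O, 3 read/write */
    int len;       /* 1, 2 or 4 bytes (8 exists only in 64-bit mode) */
} HwBreakpoint;

/* Extract breakpoint n (0-3). Layout: L0 G0 .. L3 G3 in bits 0-7,
 * R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n. */
HwBreakpoint dr7_breakpoint(uint32_t dr7, int n)
{
    static const int len_table[4] = { 1, 2, 8, 4 };
    HwBreakpoint b;
    int local = (dr7 >> (2 * n)) & 1;
    b.global  = (dr7 >> (2 * n + 1)) & 1;
    b.enabled = local || b.global;
    b.rw      = (dr7 >> (16 + 4 * n)) & 3;
    b.len     = len_table[(dr7 >> (18 + 4 * n)) & 3];
    return b;
}

int dr7_enabled_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_breakpoint(dr7, n).enabled;
    return c;
}

/* 0x400 is bit 10, which always reads as 1; 0x700 adds LE (bit 8) and
 * GE (bit 9), the exact-match flags the SoftICE loader leaves set. No
 * Ln/Gn bit is set in either value, so no BPM is armed. */
int dr7_le_ge_set(uint32_t dr7) { return ((dr7 >> 8) & 3) == 3; }
int dr7_gd_set(uint32_t dr7)    { return (dr7 >> 13) & 1; } /* GD: traps DRx access */

/* Arm DRn as a data breakpoint the way a BPM does (rw 1 = write,
 * 3 = read/write; length 1, 2 or 4 bytes), or disarm it by clearing
 * Ln and Gn. Ring-0 code reading DR7 sees exactly these bits, which is
 * why the page says to clear breakpoints before using Method 10. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len_bytes)
{
    uint32_t len_code = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : 3;
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((len_code << 2) | (uint32_t)rw) << (16 + 4 * n);
    return dr7 | (1u << (2 * n));                 /* local enable Ln */
}
uint32_t dr7_disarm(uint32_t dr7, int n) { return dr7 & ~(3u << (2 * n)); }

void dr7_print(uint32_t dr7)
{
    printf("DR7=%08X  LE/GE=%d GD=%d armed=%d\n", (unsigned)dr7,
           dr7_le_ge_set(dr7), dr7_gd_set(dr7), dr7_enabled_count(dr7));
    for (int n = 0; n < 4; n++) {
        HwBreakpoint b = dr7_breakpoint(dr7, n);
        if (b.enabled)
            printf("  DR%d: %s rw=%d len=%d\n", n, b.global ? "G" : "L", b.rw, b.len);
    }
}

int main(void)
{
    dr7_print(0x400);                       /* bare system, nothing armed */
    dr7_print(0x700);                       /* started through the SoftICE loader */
    dr7_print(dr7_arm(0x700, 0, 3, 4));     /* plus a 4-byte read/write BPM on DR0 */
    return 0;
}
```

The third printout is what a protection running in ring 0 would read while
a BPM is live on DR0; dr7_disarm() is the "clearing BPMs" the text warns
about, done with the same bit knowledge.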

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE driver hands out a handle, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

     00401067:  push 00402025         ; \\.\SICE
     0040106C:  call CreateFileA
     00401071:  cmp  eax,-01          ; INVALID_HANDLE_VALUE
     00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

     push 00                      ; OF_READ
     mov  eax,[00656634]          ; '\\.\SICE',0
     push eax
     call KERNEL32!_lopen
     inc  eax
     jnz  00650589                ; detected
     push 00                      ; OF_READ
     mov  eax,[00656638]          ; '\\.\SICE'
     push eax
     call KERNEL32!_lopen
     inc  eax
     jz   006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

     push 0000004fh          ; function 4fh
     push 002a002ah          ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
     call Kernel32!ORD_001   ; VxdCall
     cmp  ax, 0f386h         ; magic number returned by system debuggers
     jz   SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f

     BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where "tICE" falls
in the subkey strings of #2 and #1 respectively; #3 is not covered):
     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
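
Added example, not code from the page: the CreateFileA breakpoint of
Method 11 and the _regopenkey breakpoint just above both compare one dword
of the string argument with a 4-character constant. This C helper
reproduces those comparisons on the host, so the offsets 4, 0x13 and 0x37
can be checked against real strings, and adds the fuller device-name check
a hooking DLL or sandbox would use instead of a 4-byte prefix. The sample
file names and subkeys are constructed; it serves Methods 11 and 13.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four characters packed as the dword that sits in memory (first character
 * in the low byte), which is how *(ptr)=='SICE' in a SoftICE condition
 * matches the bytes S,I,C,E. */
static uint32_t tag4(const char *s)
{
    return (uint32_t)(uint8_t)s[0]       | (uint32_t)(uint8_t)s[1] << 8 |
           (uint32_t)(uint8_t)s[2] << 16 | (uint32_t)(uint8_t)s[3] << 24;
}

/* Dword read at `off` of an ASCIIZ string; bytes past the terminator read
 * as 0 instead of running off the end as the real breakpoint would. */
static uint32_t dword_at(const char *s, size_t off)
{
    char buf[4] = { 0, 0, 0, 0 };
    size_t n = strlen(s);
    for (size_t i = 0; i < 4 && off + i < n; i++) buf[i] = s[off + i];
    return tag4(buf);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix. Returns 0/1/2 for the
 * three tags in that order, -1 when the breakpoint would not fire. */
int bpx_createfile_hits(const char *lpFileName)
{
    static const char *tags[3] = { "SICE", "SIWV", "NTIC" };
    uint32_t dw = dword_at(lpFileName, 4);
    for (int i = 0; i < 3; i++)
        if (dw == tag4(tags[i])) return i;
    return -1;
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey. Offset 0x13 lands on "tICE" in Software\NuMega\SoftICE
 * (#2), 0x37 on "tICE" in Software\Microsoft\Windows\CurrentVersion\
 * Uninstall\SoftICE (#1). */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    return dword_at(lpSubKey, 0x13) == tag4("tICE") ||
           dword_at(lpSubKey, 0x37) == tag4("tICE");
}

/* The 4-byte compare is cheap in a breakpoint but it is only a prefix test
 * and case-sensitive ("\\.\ntice" slips past it). A hook that owns the
 * call can match the whole device name after "\\.\" without regard to case. */
int device_name_is_softice(const char *lpFileName)
{
    static const char *names[3] = { "SICE", "SIWVID", "NTICE" };
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0) return 0;
    const char *dev = lpFileName + 4;
    for (int i = 0; i < 3; i++) {
        size_t k = 0;
        while (names[i][k] && dev[k] &&
               toupper((unsigned char)dev[k]) == names[i][k]) k++;
        if (names[i][k] == 0 && dev[k] == 0) return 1;
    }
    return 0;
}

int main(void)
{
    const char *files[4] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\ntice",
                             "C:\\readme.txt" };
    for (int i = 0; i < 4; i++)
        printf("%-16s bpx=%2d full=%d\n", files[i],
               bpx_createfile_hits(files[i]), device_name_is_softice(files[i]));
    printf("NuMega key: %d, App Paths key: %d\n",
           bpx_regopenkey_hits("Software\\NuMega\\SoftICE"),
           bpx_regopenkey_hits("Software\\Microsoft\\Windows\\CurrentVersion"
                               "\\App Paths\\Loader32.Exe"));
    return 0;
}
```

Running it shows the two blind spots of the quoted breakpoints: a lower-case
device name is missed by the CreateFileA condition, and key #3 (App Paths)
never triggers the _regopenkey one, since "tICE" is at neither offset there.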
, D( j5 K9 I9 E5 O2 c6 b0 O) `. U! T0 y6 M2 g% V3 u
__________________________________________________________________________4 U+ W- R% _5 o# p/ i/ _; y
; C% d+ Z, j% C& a
) j( z I, H1 E C4 @' K" }# [
Method 14
: C" P* O4 y- z2 T8 ^* K9 I& Z=========
; j5 `& i1 y' ~+ N7 q a
+ C `0 T9 n/ f" n3 Z6 Y) J0 oA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
- _0 w0 F+ {, J( C: p, Qis to determines whether a debugger is running on your system (ring0 only).
" E( J5 T$ t" J1 r. {
0 J$ m i4 }3 O( r7 o" J% V2 N VMMCall Test_Debug_Installed! B% F( J5 ~, q( y( _0 D: _* Z
je not_installed
2 E& Z9 r# X3 q7 Z% y% `* b" m% L9 J2 J8 e: \ |
This service just checks a flag.
0 y+ b/ Z% y/ Y; g</PRE></TD></TR></TBODY></TABLE> |