<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; if SoftICE is loaded, al is no longer 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less common method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if no VxD answers
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next variant, as well as the following method, are two examples taken
from Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in a dummy int 41h handler (es = 0, the IVT segment)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if nobody else handles int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0, the IVT segment
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: an unpredictable value
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al means our handler never ran
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE Loader, 0x400 otherwise) or if there are some memory breakpoints
set (dr0 to dr3), simply by reading their value (in ring 0 only). Values
can be manipulated and/or changed as well (clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check if SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE, SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
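
As an added example (not part of the original text), here is a small static triage scanner a malware analyst could run over a sample to flag the tricks of methods 01, 02, 03, 04, 05, 07, 11 and 12 by their byte patterns. The encodings (how each snippet assembles), the names scan/methods_found and the SAMPLE buffer are assumptions constructed here, not taken from any real file.

```python
"""Static triage scanner for the SoftICE-detection tricks catalogued above.

The byte patterns are an assumption about how each snippet assembles
(16-bit code unless noted; registers in the order the text lists them).
"""
import re

# (method number, description, regex over raw bytes). Encodings assumed:
# B8/BB/BE/BF = mov ax/bx/si/di,imm16; BD = mov ebp,imm32; B4 = mov ah,imm8;
# CD xx = int xx; CC = int 3; 6A ib / 68 id = push imm8 / push imm32.
SICE_DEVICE_NAME = re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)"
RULES = [
    ("01", "BoundsChecker 'BCHK' magic in ebp before int 3",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "SoftICE back door: si=4647h, di=4A4Dh, then int 3",
     rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "int 68h function 43h WinICE handler check",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE: SoftICE device name passed to CreateFileA/_lopen",
     SICE_DEVICE_NAME),
    ("12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(buf: bytes) -> list[tuple[str, int, str]]:
    """Return (method, offset, description) for every hit, ordered by offset."""
    hits = []
    for method, desc, pattern in RULES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((method, m.start(), desc))
    return sorted(hits, key=lambda h: h[1])


def methods_found(buf: bytes) -> list[str]:
    """Distinct method numbers present in the buffer, in catalogue order."""
    return sorted({method for method, _, _ in scan(buf)})


# Constructed sample (not a real binary): the HASP loop of method 02, the
# int 41h/4Fh check of method 05 and a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h          (offset 9)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh / int 41h  (offset 20)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # "\\.\SICE"            (offset 32)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"method {method} at offset {offset:#06x}: {desc}")
```

Run it against a real file with scan(open(path, "rb").read()); a hit only says the pattern is present, so confirm it in a disassembler before drawing conclusions.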
</PRE></TD></TR></TBODY></TABLE>