<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE answers the BoundsChecker call
        cmp al,4                ; al unchanged (=4) if nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

        xor di,di
        mov es,di               ; es:di = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di               ; es:di = 0 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if the VxD is not loaded
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net); es must point to segment 0 (the interrupt
vector table):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; install a dummy int 41h handler...
        xchg bx, es:[41h*4+2]           ; ...and save the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                       ; only reached if our handler gets the int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                       ; es -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; unpredictable value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]             ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                       ; cl==al only if our handler was called
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SICE VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded, so the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh                  ; function 4fh
        push 002a002ah                  ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001           ; VxdCall
        cmp ax, 0f386h                  ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
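The following is an added example, not part of the original text or of any tool named above: a small Python triage scanner that looks for the byte patterns behind Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 in a raw binary, so an analyst can see which anti-SoftICE checks a packed sample carries before stepping into it. The opcode encodings are the standard x86 ones and the sample buffer is constructed here for illustration.

```python
"""Static triage scanner for the anti-SoftICE tricks described on this page.

Added example (not from the original article): it reports where the byte
patterns behind Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 occur in a buffer.
"""
import re

# (method, description, byte regex). Encodings, 16-bit code; a 66h prefix is tolerated
#   BD 4B 48 43 42  mov ebp,4243484Bh ('BCHK', little-endian)     CC  int 3
#   BE 47 46  mov si,4647h        BF 4D 4A  mov di,4A4Dh
#   B8 84 16  mov ax,1684h        BB 02 02 / BB 5F 7A  mov bx,VxD_ID   CD 2F  int 2Fh
#   CD 41  int 41h                B4 43  mov ah,43h      CD 68  int 68h
#   68 4F 00 00 00 / 68 2A 00 2A 00  push 4Fh / push 002A002Ah (32-bit VxDCall code)
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' check via int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    ("02", "SoftICE back door magic values 4647h/4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,8}\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A.{0,8}\x66?\xBE\x47\x46"),
    ("03/04", "int 2Fh/1684h entry point query for VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    ("05/06", "int 41h debugger installation check",
     rb"\xCD\x41"),
    ("07", "int 68h/43h WinICE handler check",
     rb"\xB4\x43.{0,6}\xCD\x68"),
    ("11", "MeltICE driver device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VWIN32_Int41Dispatch via VxDCall (push 4Fh / push 002A002Ah)",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE installation registry key",
     rb"(?:NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]

def scan(buf):
    """Return [(offset, method, description)] for every hit, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(buf):
            hits.append((match.start(), method, desc))
    return sorted(hits)

def methods_found(buf):
    """Set of method numbers whose signature appears in buf."""
    return {method for _, method, _ in scan(buf)}

# Constructed sample: fragments of Methods 02, 01, 11, 12 and 13 separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    + b"\\\\.\\SICE\x00"                                   # device name for CreateFileA
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"          # push 4Fh / push 002A002Ah
    + b"Software\\NuMega\\SoftICE\x00"                     # registry key
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"+0x{offset:04X}  Method {method:6} {desc}")
```

Run it on a dumped, unpacked image rather than the packed file, since the packer layer usually hides these patterns until after decryption.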

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>