<TABLE width=500>
5 I. x" l; F# {" h<TBODY>) N( ?9 k' T3 v0 T4 Z* F
<TR>( F( y8 ^, E2 [. |1 C
<TD><PRE>Method 01 6 i8 ?' A7 ~# X. o' A6 D4 |8 H" b
=========
0 Z: W9 \ |% I* O7 a/ d( m6 h
- S# Y5 F6 x) A5 I; O4 cThis method of detection of SoftICE (as well as the following one) is$ S1 x' X3 M7 Y. B$ @
used by the majority of packers/encryptors found on Internet.2 P& o8 W$ n% q) p/ q# b
It seeks the signature of BoundsChecker in SoftICE: ?- ]6 j7 D4 \3 w/ ]
( T# _2 Z/ A9 f9 f: } mov ebp, 04243484Bh ; 'BCHK'
7 w+ m/ H8 T! P mov ax, 04h
5 f6 V( X- x) D8 W- Q( i: n, s) h: P int 3
: ?0 h# f1 S% d8 H/ W' _7 b cmp al,4
1 \% C( _- O; Q. A7 O/ T/ x jnz SoftICE_Detected
8 n3 `; l$ G( w" B& e0 x; s6 A. u2 B9 a; D; E' T
___________________________________________________________________________1 a! @$ E! P( p' U c
! j5 t- h2 v h# C
Method 023 V7 r% R" I9 d! }
=========
" A% q8 w/ D" V# s3 \; T8 ^2 L9 M5 B. N! ^% S
Still a method very much used (perhaps the most frequent one). It is used2 Y3 w E! f. J/ e" J1 ]
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; g: I" a% m; v& c" x/ q
or execute SoftICE commands...; h; g+ G4 o$ {' h; k- r
It is also used to crash SoftICE and to force it to execute any commands$ b. w' X* K1 x) x- N8 s- z5 N* k
(HBOOT...) :-(( ; N" R5 K9 G" {( h' V3 X
( {" f/ p0 I( R2 K1 F o
Here is a quick description:
$ P/ }) E( n" U# p-AX = 0910h (Display string in SIce windows)' S; Q( z |; Y: d! R+ W/ n
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
# T8 g6 R& Y& S1 J3 _' m( h. u1 M4 g-AX = 0912h (Get breakpoint infos)
) u2 Q: g8 b/ q! c" _- n% ~-AX = 0913h (Set Sice breakpoints)! e. ^# H( C* Y
-AX = 0914h (Remove SIce breakoints)
( @$ p" C# R3 K- y; ^- u1 j
0 K, t3 m( s! Q7 k$ \6 cEach time you'll meet this trick, you'll see:( A1 m: d/ G# Q: |4 m& G
-SI = 4647h
3 N- m% |( g/ m! P0 V4 I; n2 v-DI = 4A4Dh) w# [* S6 e* c8 a$ C% E
Which are the 'magic values' used by SoftIce.9 P9 V" m& M0 E8 F& m c2 U
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.- u3 x# L+ ^/ h k) U) h* [" x& t1 g
( e7 |/ `/ x. \7 h: I9 `! {
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. j ]$ ]$ n# [' s8 j0 vEnvelope utility use to protect DOS applications:
4 y5 A/ G: A7 X- H, l9 ~' R: V8 \! G0 o- S
8 {3 z% ~. ?* c, t$ G# C
4C19:0095 MOV AX,0911 ; execute command.
8 |) y& d+ W" d+ h( b* p4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
; u0 o: D3 a$ K4C19:009A MOV SI,4647 ; 1st magic value.
) [) `1 z4 Y" h5 O, Z4C19:009D MOV DI,4A4D ; 2nd magic value.
1 V$ R" I8 u1 |. `4 X4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ K3 \( j" c! U3 L% e4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute# H) } H! n2 p
4C19:00A4 INC CX6 X3 C; f4 a; S' R8 _
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
% ~6 l* ]& |6 m2 \) P7 {9 T4 h4C19:00A8 JB 0095 ; 6 different commands.
2 G# C. i5 c# `( R4C19:00AA JMP 0002 ; Bad_Guy jmp back.
) C, X9 Y9 o: d y4 F7 W4C19:00AD MOV BX,SP ; Good_Guy go ahead :); U$ Z- V6 Y; Q
; _# W4 a. B: yThe program will execute 6 different SIce commands located at ds:dx, which8 U& z$ d# Z/ ]( `) x
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
m: e& `4 J3 T) A6 u
2 {( c% h! F0 j& e- @* ]! p# L* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
% E' h+ u, }1 X3 B1 ~___________________________________________________________________________
* B- |/ K$ Q5 x3 C; D' z K4 w! g: L1 R( G4 f. F# l
1 o9 N# q8 f) n( fMethod 03
+ }5 n& e# s& |=========
+ y5 R( ?: C4 ^* M' ]. ~ h6 L" Q5 ~7 F5 v& ` |& W
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h. [/ }8 a4 p2 ?7 r9 K' l
(API Get entry point)8 p+ b8 g2 q# q: @( o
; E" s2 z8 v; o1 N/ P1 P# H
. w# X5 b2 [) e6 B: \3 ?3 S xor di,di
# @5 u' J9 o7 `1 q& U mov es,di
2 j9 u& v; K8 z- I- y3 J mov ax, 1684h " ]: J% `& ^& b* G
mov bx, 0202h ; VxD ID of winice
; i# j/ @ O$ A int 2Fh( k4 ^+ i, {6 N: g' E/ I' `! Z
mov ax, es ; ES:DI -> VxD API entry point N1 c/ W# {+ Y8 G! y" t3 \2 M
add ax, di
- `' s0 m& n* t! R1 J/ ^+ [ test ax,ax3 n& B, q; t( o' i1 B. V7 a
jnz SoftICE_Detected
+ V8 P6 _) @4 p, c8 `
$ s# G* h+ ?2 B) g- l; R2 E! b u___________________________________________________________________________
8 z( i& }; _7 o/ ~* L
1 l9 v9 |6 W( h# E8 ^Method 04# _" q* p1 \; P$ V7 U
=========7 I) p, Z$ m) p9 T4 Y
! ?" \- ^, l8 X* q$ pMethod identical to the preceding one except that it seeks the ID of SoftICE W2 e: o2 U1 q& N$ \
GFX VxD.3 M3 n2 G0 u: ?. ^' k5 e& t/ U
0 v; a3 V& E( W/ t
xor di,di I5 w' G3 a6 h* X* A' F6 a& y* x
mov es,di
3 [- [1 N& R" S mov ax, 1684h
* U& I$ P+ i+ l mov bx, 7a5Fh ; VxD ID of SIWVID/ \. t ^ i/ l0 e' j6 `' \, o4 v
int 2fh
) `" G9 f9 G7 n8 U1 m mov ax, es ; ES:DI -> VxD API entry point/ h' K+ p6 _1 I/ E7 J
add ax, di
, t" t2 c1 c' a7 g! ^+ o test ax,ax7 z( R% T0 N1 l, z) f
jnz SoftICE_Detected
6 H, ? v/ s6 `& S/ r
6 x6 U: |4 X" D1 N__________________________________________________________________________! l9 I, D9 A( |& x. _& f
0 b% A& `; a1 _4 y7 J1 \# x1 C
Method 05
& y' X* Z$ J5 Y( T+ r& m7 u=========, F3 n' [( |# W% h4 d
5 u6 w. ?0 f' A9 R, e0 j
Method seeking the 'magic number' 0F386h returned (in ax) by all system
# O8 f( S1 @, s8 r8 adebugger. It calls the int 41h, function 4Fh.
: [- m& s, R8 R4 X/ lThere are several alternatives.
& M2 R% c5 d8 h# k% i) i6 w6 @7 V3 C- |8 P3 X, v1 l
The following one is the simplest:
7 _( O6 \' P. H. U7 u4 {+ _0 q* {5 R
mov ax,4fh- y" Y8 W: Z, J2 J7 O+ a" r
int 41h) ~& }* z$ @9 H e
cmp ax, 0F386
' W5 g' }9 h7 e# y jz SoftICE_detected
4 g0 y1 y3 O$ v" P
- T6 {/ u( P6 y6 L
& u4 X W# r% j; s/ cNext method as well as the following one are 2 examples from Stone's
: m: t& g1 {8 {7 f"stn-wid.zip" (www.cracking.net):
' F$ @4 y. m) N* S; i
# ^0 \0 b% D# ], n) J mov bx, cs( Q5 i' d& i) X9 D) i
lea dx, int41handler2
- o; k( X F. r6 I# m xchg dx, es:[41h*4]
+ G6 n: h( b$ @ xchg bx, es:[41h*4+2]
8 R! v) c3 }/ c) d8 d mov ax,4fh0 X; k) P4 }7 T
int 41h6 |6 C: X$ S7 z: c
xchg dx, es:[41h*4]1 y; O- ?4 l6 t
xchg bx, es:[41h*4+2]- _0 ], g- J2 i/ n n
cmp ax, 0f386h
" b7 d* @2 B2 C jz SoftICE_detected
0 E" ?6 G) `, }, c* R! s6 }* {1 v. L; A/ c* j
int41handler2 PROC* t* T# S8 r7 O
iret% a3 K9 v, r! R* [. F n
int41handler2 ENDP
% p3 q# X4 ~% N6 ~# C4 h+ s4 D+ y# q# R3 U4 L
3 U* e5 p. E) P5 U ]/ R8 y_________________________________________________________________________" G& h' R5 ^. I+ n
: x4 M0 G) H, F# X1 ?
/ H1 l" O6 f, \3 o' Z) IMethod 06, q% a% u. {+ [0 V- s- t
=========5 \* Z' z( c8 E0 N) N$ c3 O
5 M* ?( x R) R$ k6 r$ h! `3 Q$ O7 ]' Y
2nd method similar to the preceding one but more difficult to detect: _& b* ?3 @8 P& {+ |
8 Q. P+ }# {/ H- M2 F/ ^* _ q3 z& b* i
int41handler PROC8 c3 V. {, {0 b
mov cl,al
4 ^. ~" G+ ~6 M! c( }6 \6 l iret: ]1 l2 g& R% B6 i* I: V% m
int41handler ENDP
( w2 \' X n/ l7 L( ~" z: ?2 W& X, r! y e, X+ u" _9 X1 B$ l5 G
# K9 `. S) G4 C/ p I
xor ax,ax
6 e! m* W& z# \& N, F mov es,ax3 d3 M& D% _" i. D
mov bx, cs
* x5 e' o2 q* q! T% H lea dx, int41handler% _) K% w8 k% a
xchg dx, es:[41h*4]0 |2 Z' \" ^( E6 O! H; |8 L! Y4 U
xchg bx, es:[41h*4+2]
9 j8 N7 w$ }6 y in al, 40h9 m' Q& s0 [; u
xor cx,cx
5 L- B1 y; g5 B, i8 w! u7 M int 41h
! e8 `! c8 j# M% c3 f# p' Z2 U xchg dx, es:[41h*4]
# @# B: o7 W2 ?% d xchg bx, es:[41h*4+2]8 y$ Q6 L2 O4 x& l! U
cmp cl,al0 B3 h, q; t. x3 h
jnz SoftICE_detected2 v8 P4 l- d, c* c5 r8 @6 `, R
8 M) R; I2 h" E
_________________________________________________________________________
A) h0 Y! m1 A, |6 `& f8 \% v# E' S# a$ P' Q6 ~( M. _" _1 h* |
Method 07
/ x: ~/ A+ |7 }! P=========
4 c) _! ^/ L' W+ o8 E' E6 Y5 r! l2 S4 p* D" U( N, D& B% }
Method of detection of the WinICE handler in the int68h (V86)
2 b& C- Y! N5 Y) ~- ?' P% X. X9 O+ Q0 A3 s! w
mov ah,43h2 G6 r4 }/ |' f: O7 u
int 68h6 a& g4 A$ v, }6 [" i
cmp ax,0F386h
, R6 o: D: [9 T5 H) Z# x jz SoftICE_Detected
" P) C4 b$ s: @: {- W1 J- |* ?# |3 _; q0 U: Y
1 i: x0 I/ i+ T5 @2 q
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit, o+ Y' Y0 h x3 t, ?: Z
app like this:
2 R6 Z) Y7 r/ d4 ?0 h+ }( F
, k1 l% J- K; F6 h g- j" ?' X BPX exec_int if ax==68
8 P: k/ C" c! m0 @, U3 H (function called is located at byte ptr [ebp+1Dh] and client eip is/ B& M, l4 ?/ O# D
located at [ebp+48h] for 32Bit apps) {/ z% ^) d2 K0 E
__________________________________________________________________________
1 x2 p8 i8 a+ E9 m
% U/ x( y& ?% O; ^( \( K. K0 N* X
/ e0 F J4 @" K& @# F0 r; O; AMethod 088 G: P) \% U2 L
=========
& O( T: c, f% x$ F" L1 R; W+ f; @4 Z% L6 _' Z& r
It is not a method of detection of SoftICE but a possibility to crash the
, B5 M0 E+ C: V) Nsystem by intercepting int 01h and int 03h and redirecting them to another
4 h5 x- h5 p# u. D9 froutine., A! o" p6 }7 S
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
$ ^$ Z1 a' u) Z+ h ]2 _; Eto the new routine to execute (hangs computer...)
* A: k' U$ J( r6 L; v" P, e; F
mov ah, 25h
9 j; ` F2 |( J, D mov al, Int_Number (01h or 03h)' |! K$ Y; {/ e7 ?) t
mov dx, offset New_Int_Routine
" p. I& r7 q& p( ]) }4 m int 21h
3 T, `5 k% B0 e! ~# U- O+ h \4 B2 h* v% s- B# Z+ W) B- m, K( V
__________________________________________________________________________% [4 D/ H [7 x7 n7 B' f; V/ L
% }3 r0 v3 N- O: @Method 09
5 Q$ s. v. D6 o=========' |% t; o& I8 r* [, r+ W* f# F2 O$ W
$ l, a; t, g/ d9 I9 O4 zThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. F y* w& z/ s/ {performed in ring0 (VxD or a ring3 app using the VxdCall).
3 G7 M# ^: d. t2 c% F7 |The Get_DDB service is used to determine whether or not a VxD is installed9 c% R& y$ ^2 q3 E! ~9 o9 `
for the specified device and returns a Device Description Block (in ecx) for% U& u: P$ V3 w0 L; Q- M. `
that device if it is installed.
8 X4 u1 t% `; p% S9 |/ G2 U! W+ f5 f& E
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
7 z- ~4 F; N0 O/ [* ^ mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, e* }9 e3 G: u VMMCall Get_DDB
$ I! m* q* c& j& Z( t5 N& } mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed/ C# e4 ?6 `) E& E' P7 r! e
' ]/ F( v! ^3 t/ R
Note as well that you can easily detect this method with SoftICE:
2 X! W7 _ C2 M$ c- I# d bpx Get_DDB if ax==0202 || ax==7a5fh
; G1 c/ D T- O( ]: C3 ?
) @0 ^: ~' x6 p" {+ S__________________________________________________________________________
1 h+ Q# F9 P* e3 s! U' |
+ H- Z) @% ^$ Y6 bMethod 103 K; i, S- F7 i7 a# v" J* O5 U
=========
8 l a* y$ ^* k/ n. Y! Y0 N" H0 R6 ^5 g: B, N" }0 a+ _2 x7 H$ p
=>Disable or clear breakpoints before using this feature. DO NOT trace with, I" w% s+ Z, [ q. c+ f% }, A. @
SoftICE while the option is enable!! t, X* V; v8 \4 i$ k3 H
7 |; [+ H% R9 l1 k( c1 K" Z& ]
This trick is very efficient:
! _/ D0 B& a% |; ~by checking the Debug Registers, you can detect if SoftICE is loaded6 S0 R$ ~, ]" x) F) C
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 ~! i5 c2 A# h; z8 bthere are some memory breakpoints set (dr0 to dr3) simply by reading their1 N( y! l6 y: {
value (in ring0 only). Values can be manipulated and or changed as well( f% e- M: p3 b% e6 ?# g% i" Z( X: B9 i
(clearing BPMs for instance)
F3 U! ~9 m% t# `( w5 L
4 z; s- e; j" x0 o9 {& Q" y__________________________________________________________________________; c6 f, I0 u7 B1 p9 t
. J) [$ q7 B8 r% w4 t: C' _+ qMethod 11
; q9 V4 K9 d( J' |=========
; K7 B6 o/ h% ^' S8 R& M7 K% o# a6 _7 `6 g) z3 G% r) q ?
This method is most known as 'MeltICE' because it has been freely distributed# s) g. \, w( @' f4 a# `
via www.winfiles.com. However it was first used by NuMega people to allow h+ q5 C5 l; @
Symbol Loader to check if SoftICE was active or not (the code is located/ V; N% F" u+ P5 ?6 S( ?
inside nmtrans.dll).8 e; u( h6 F% b$ B8 L8 L9 F- _$ a1 A$ C
* k/ X: p. A6 x VThe way it works is very simple:
: ?, j- L" {% N. ]: lIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 ~, B2 n1 E. k n* T* B6 F: M
WinNT) with the CreateFileA API.7 H% A3 x. `7 R9 j* `$ {
+ Y# a4 h) a* E1 c
Here is a sample (checking for 'SICE'):
; S( \/ }5 s2 o8 O. P8 \) i: y, X8 k0 `3 F9 {7 t. d, B
BOOL IsSoftIce95Loaded()$ t( _' l9 O$ c$ [( O+ W2 j
{- b4 M9 Z' \7 h) v2 l- {$ j
HANDLE hFile; z7 F& I# g" P
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
4 d: f( v D, }# V# E& E- u+ W, P FILE_SHARE_READ | FILE_SHARE_WRITE,
) a5 g9 s' i& `- a, D4 M NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 _; u/ ?* s% ?: [, G
if( hFile != INVALID_HANDLE_VALUE )
( _3 r. _" w0 O0 J' G3 f$ Z) o" ^ {
6 X z; Q) t* ?2 ~$ ^ CloseHandle(hFile);
2 K4 }- a; @) \5 K& }: D return TRUE;8 b( b; R* i% o7 ^ w
}$ }% n4 P2 E# o. u4 B
return FALSE;( t3 n; I2 m& v
}; y. y/ @5 y* Y% m% i
( n6 x& x1 k) m' J2 f
Although this trick calls the CreateFileA function, don't even expect to be
. p. E5 s; P9 y1 |able to intercept it by installing a IFS hook: it will not work, no way!
. W/ W3 {( y. r# W7 N& Q, VIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# n6 {/ u# W& O+ w& R3 i9 b. w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ u* O: U- b- \5 Wand then browse the DDB list until it find the VxD and its DDB_Control_Proc8 d6 Z& O0 V- ?4 _' I
field.
, y! w' u% A- M4 EIn fact, its purpose is not to load/unload VxDs but only to send a
' \, K" }4 w- e; l1 {+ tW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
% @: ], ]' J g; A2 J/ o9 Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try* R, t. P# U; O P# k4 q
to load/unload a non-dynamically loadable driver such as SoftICE ;-)./ r+ j$ d. N0 @0 f2 r
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ i. r3 K" a; w8 H+ q9 o8 r6 E$ Z' U8 n/ Xits handle to be opened and then, will be detected.
0 g$ h+ y. k/ w2 p3 {- |2 D w& VYou can check that simply by hooking Winice.exe control proc entry point
' @6 D) v* T% a) hwhile running MeltICE.+ M2 J8 S0 v/ ^$ Z$ \0 u8 e
4 n1 y3 ~8 l |! a0 T5 o
# r: M* u1 c: i) n ] 00401067: push 00402025 ; \\.\SICE
; Z: u8 F" ^. F; O+ ` 0040106C: call CreateFileA7 x \. I! ^" e4 x _1 E1 \
00401071: cmp eax,-001
2 Z- H, g$ G/ m0 Q: [5 R$ f 00401074: je 00401091) S* ?8 t% `; y3 V$ b8 U+ E
5 s! q. p& i, A* v* `1 X
* h- m9 n( ^5 T6 C
There could be hundreds of BPX you could use to detect this trick.
0 `4 Z4 ?1 B. A-The most classical one is:$ E: q: z' E/ g3 J) ?
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
2 a& z; O/ I8 M( L! f) ` *(esp->4+4)=='NTIC' x, d8 F/ S" A% B' s
g; `( Z7 k& ]4 M: C' g' i9 Z7 ]-The most exotic ones (could be very slooooow :-(
7 D/ \ c0 Y9 ~$ S4 _& h BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
2 `9 {2 Y& |& o. ^ ;will break 3 times :-(
5 }( H9 Q6 `4 i3 R0 y% c
& {2 J |6 x: n/ [! H' {) T-or (a bit) faster:
# ]$ ~! F0 w0 P/ S& L) Y0 U4 _& v3 C BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 o3 d3 N; {+ H4 }2 z+ L! ]0 T u/ P- _
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ! O3 Y) J6 c, e4 \& G6 P" p3 C* K
;will break 3 times :-(+ Q, v: [- K$ i Y( w
! F0 e5 M: {) `% a; L8 c
-Much faster:
1 n0 P" B" a' E BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
, h2 B/ g7 ?+ R1 K8 L/ F% h$ s% w1 ?& ?: o& w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen' J4 T2 A9 w `1 s' d5 K* O
function to do the same job:2 L- ~1 u+ r6 `$ t5 W' e+ Z7 H) T. z
; {2 p( A0 e4 l% m# T3 p! R4 N
push 00 ; OF_READ
# ^+ `. Q8 _$ ^, s( e9 A4 | mov eax,[00656634] ; '\\.\SICE',04 D1 n2 a, z$ z& H. C; i- H. W
push eax/ I: J% @5 d' b+ d2 l
call KERNEL32!_lopen: d1 {% ~& g' G8 l8 d
inc eax* R1 {2 k6 i% [# ~3 t/ I% |5 S
jnz 00650589 ; detected
& K! |* J( h3 M; g1 v4 _ push 00 ; OF_READ, g6 {9 w5 X4 K) y. j& ]
mov eax,[00656638] ; '\\.\SICE'
2 d2 k5 p. [: Z' L' i& J: n/ H push eax
# c8 [! u; W5 ] p# P8 s* w call KERNEL32!_lopen
& P* X% y- v& S' |+ H inc eax3 ~( g7 y1 F- p/ e
jz 006505ae ; not detected
! N+ H, c5 ]. Y5 B1 i% Z/ e9 _
! S) [1 J5 r6 z2 U: k5 V b1 f
' d; @- k* _( h9 D- }' f__________________________________________________________________________
# _$ H1 L0 x. V9 y2 t3 [# a8 ~( O# |( t" L# t1 C9 G: ]
Method 12" q, C# q) [9 [8 I
=========
+ L* L9 o8 e4 D. ^
9 Y7 M' X& r; {% Z' V; P. bThis trick is similar to int41h/4fh Debugger installation check (code 055 _. [7 |+ V& G q7 J
& 06) but very limited because it's only available for Win95/98 (not NT)
! I) f% m1 K3 _1 u. I$ Y5 E; Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo. ]# q. x1 Z. G
; `/ `3 J1 g, Q: T' b- @" y5 N5 \( E6 Z push 0000004fh ; function 4fh% k% A" t. Z @- Z
push 002a002ah ; high word specifies which VxD (VWIN32)
2 }9 w6 A7 ?" s+ x% q8 h ; low word specifies which service
6 r D: J3 [, m) F% K- O: e (VWIN32_Int41Dispatch). c, g1 d8 O8 a
call Kernel32!ORD_001 ; VxdCall
D) [; j/ l* F+ E- T cmp ax, 0f386h ; magic number returned by system debuggers6 a7 }+ v5 [& i% e6 x
jz SoftICE_detected% ]% @8 a9 ]& t( Y+ a4 C3 {
' ?: P H _. F; X# J
Here again, several ways to detect it:
5 k6 [- W- |4 x5 v5 [
" e+ a; l' N: a2 p6 t) N9 ^- H3 H BPINT 41 if ax==4f
: L. l0 v( C6 N q. X: m& _6 _ k$ R `: U8 u3 F
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one$ w6 n% F- U3 e/ R4 N
# G9 y( a! C% d0 ~* {9 [/ \- g' A
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
3 ]9 n" T2 z+ ?& h3 s4 { F$ g; s: P7 d7 w, m# d2 L$ m4 Q
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
$ k% j: u4 x; E+ r3 Y5 Y9 e O. X' z
__________________________________________________________________________2 G: j5 i: g0 c. M% W
7 I7 L% C4 A: }0 x8 ?- ?6 gMethod 13* O% ~0 N& C% F
=========
$ V: @- E6 T6 V% p. c: a" L0 ~; r
$ v b# [' ]. t% d" [Not a real method of detection, but a good way to know if SoftICE is2 e! e$ |4 B8 y, I
installed on a computer and to locate its installation directory.
5 d: @3 b& X9 l, V( D0 v- AIt is used by few softs which access the following registry keys (usually #2) :
/ n# v$ j A* P2 i
S9 d$ _2 G$ R# ^+ r* _) r) i-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
k% y6 X+ [( C5 [( R; B! g* `\Uninstall\SoftICE
8 |8 K3 S0 D' |2 Y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE$ D! e- ^0 a J% x* S) E( l
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& d& S/ E1 C9 D& ~# o
\App Paths\Loader32.Exe, b8 B9 h! N& L9 e2 [
/ ^; D5 |- }' s8 {% ]4 [$ I s0 J$ A
Note that some nasty apps could then erase all files from SoftICE directory
3 U. \* ^- n8 j(I faced that once :-(* c" i6 n3 o$ k8 Q* a8 V; H
) H4 r4 e1 }: aUseful breakpoint to detect it:/ ~" \; }+ w0 L+ B9 k- J) }$ ~
5 w; X2 w) G& C, C$ X BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'. R0 v( Q) r# y+ f
( W, \# q7 V# u+ b" T
__________________________________________________________________________7 Q w" G7 B$ ]$ N2 Y
& o. O! p! I* s- m+ ]
! `) @& h. J; f+ f& i; A/ d! ~Method 14
7 {6 g0 T* z. p8 \. z. e=========
. e: c) g, u( W& q5 x
5 V* O- \+ J. c5 @A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* [% `, M$ C4 x! e( kis to determines whether a debugger is running on your system (ring0 only).
O2 b& X9 b$ _% N- v
, {2 S" `0 A4 _) ^' M; X; Y2 A VMMCall Test_Debug_Installed0 f* E, V' @/ R- t8 { N
je not_installed' a; [: P6 s6 h5 M
5 B9 j" s1 e3 m( }% M! @This service just checks a flag.& T3 B! z5 T& H; ? }- d4 L6 {
</PRE></TD></TR></TBODY></TABLE> |