<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
'BCHK' in EBP and function 4 in AX, the int 3 is handled by SoftICE when it
is loaded, and AL does not come back as 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It asks for the entry point of the SoftICE VxD (ID 0202h)
via int 2Fh function 1684h (Get Device API Entry Point); if ES:DI comes back
non-zero, the VxD is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID, ID 7A5Fh).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first swapped for a
bare iret, so a handler installed in the IVT cannot answer; if AX still holds
0F386h, the interrupt was intercepted before reaching the IVT, which is what
SoftICE does:

    ; assumes ES = 0 (interrupt vector table segment)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our offset, keep the old one in DX
    xchg bx, es:[41h*4+2]   ; swap in our segment, keep the old one in BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected
int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: AL
holds a timer byte read from port 40h instead of function 4Fh and the
temporary handler copies AL into CL, so there is no 4Fh/0F386h to break on.
If the handler in the IVT was not reached, CL stays 0 and differs from AL:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 (interrupt vector table segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter byte: an unpredictable value in AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). The registers can be written as well
(clearing BPMs, for instance).

__________________________________________________________________________
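The two DR7 values quoted above are easier to reason about once the register is decoded bit by bit. The decoder below is an added example, not code from the original text; it follows the documented Intel DR7 layout (enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10, GD bit 13, R/W and LEN fields from bit 16) and applies the page's reading of 0x400 versus 0x700.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the
# L0/G0 .. L3/G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 is reserved and
# always reads 1, bit 13 GD, bits 16-31 hold R/W0,LEN0 .. R/W3,LEN3.
# The values on this page: 0x400 is just the reserved bit; 0x700 adds LE+GE.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Decode DR7 into the enable state and kind of each of dr0..dr3."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"enabled": local or glob, "local": local,
                      "global": glob, "type": RW_NAMES[rw],
                      "len": LEN_NAMES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "breakpoints": slots}


def classify(dr7: int) -> str:
    """Apply the page's reading of DR7: an enabled slot means a BPM is set,
    LE+GE with no slot means the program was started by the SoftICE loader."""
    d = decode_dr7(dr7)
    armed = [f"dr{i}" for i, s in enumerate(d["breakpoints"]) if s["enabled"]]
    if armed:
        return "memory breakpoints armed on " + ",".join(armed)
    if d["le"] and d["ge"]:
        return "loaded under SoftICE loader (LE/GE set), no breakpoints"
    return "clean"


def clear_bpm(dr7: int) -> int:
    """Value that drops all four breakpoints (enable bits and R/W-LEN fields)
    while keeping bits 8-15: LE, GE, the reserved bit and GD."""
    return dr7 & 0x0000FF00


if __name__ == "__main__":
    # 0xF0401 is a constructed value: dr0 enabled locally, read/write, 4 bytes
    for value in (0x400, 0x700, 0xF0401):
        print(f"dr7={value:#x}: {classify(value)}")
```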
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
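The instruction sequences behind Methods 01, 02, 03/04, 05, 07, 11 and 12 are fixed enough to be found statically, which is how an analyst triages a sample for these tricks before running it. The scanner below is an added example, not code from the original text; the opcode encodings are the standard Intel ones for the instructions listed in those methods, the sample image is constructed, and an optional 66h operand-size prefix lets the 32-bit forms match as well.

```python
import re
import sys

# Byte-level signatures for the SoftICE checks described on this page.
# Encodings are the standard Intel ones for the listed instructions; the 66h
# operand-size prefix is optional so both the 16-bit DOS forms and the 32-bit
# PE forms match. Immediates are little-endian (e.g. 4647h -> 47 46).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'), the BoundsChecker signature
    ("M01 BoundsChecker 'BCHK' in EBP",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back-door magic values),
    # up to 8 bytes apart to tolerate an instruction in between
    ("M02 int 3 back door magic SI/DI",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h (also the mov eax,4Fh form)
    ("M05 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00(?:\x00\x00)?\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        hits.extend((m.start(), name) for m in pattern.finditer(blob))
    return sorted(hits)


# Constructed sample image (not a real binary): NOP filler around the 16-bit
# Method 02 sequence from the Haspinst.exe listing, a Method 05 check and
# the MeltICE device name.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh ; int 41h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

Run it with a file argument to scan a real image; a hit is a lead for a breakpoint at that address, not proof that the check is reachable.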

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>