<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h        ; VxD ID of winice
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Identical to the preceding method, except that it looks up the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


A second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler via int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system, by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected
Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

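As an added analyst's aid (not code from the original text), the following Python scans a binary image for the byte encodings of the checks described in Methods 01, 02, 03/04, 05, 07, 11 and 12, so a packed sample can be flagged for these tricks before it is loaded under a debugger; it goes slightly beyond the listings by matching both the 16-bit and the 66h-prefixed 32-bit forms. The instruction encodings are standard x86, and the sample buffer is constructed for the demonstration.

```python
import re

# Byte encodings of the SoftICE checks described in Methods 01-12 of this text.
# Instruction encodings are plain x86; an optional 66h operand-size prefix lets
# one pattern match both 16-bit (DOS) and 32-bit (Win32) code. Short wildcard
# runs ([\x00-\xFF]{0,n}) allow a few unrelated instructions between the
# register setup and the interrupt, as in the Haspinst.exe listing above.
ANTI_SOFTICE_PATTERNS = [
    ("01", "BoundsChecker signature: mov ebp,'BCHK' ... int 3",
     rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,8}\xCC"),
    ("02", "int 3 back door: mov si,4647h / mov di,4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h VxD entry point, SICE (0202h) or SIWVID (7A5Fh) id",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)[\x00-\xFF]{0,8}\xCD\x2F"),
    ("05/06", "int 41h function 4Fh: mov ax,4Fh ... int 41h",
     rb"(?:\x66)?\xB8\x4F\x00[\x00-\xFF]{0,16}\xCD\x41"),
    ("07", "int 68h function 43h: mov ah,43h ... int 68h",
     rb"\xB4\x43[\x00-\xFF]{0,8}\xCD\x68"),
    ("11", "MeltICE driver name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

def scan(buf: bytes) -> list:
    """Return sorted (offset, method) pairs for every pattern hit in buf."""
    hits = []
    for method, _desc, pattern in ANTI_SOFTICE_PATTERNS:
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), method))
    return sorted(hits)

def describe(method: str) -> str:
    """Look up the description text for a method number."""
    for m, desc, _pattern in ANTI_SOFTICE_PATTERNS:
        if m == method:
            return desc
    return "unknown"

# Constructed sample, not a real binary: NOP padding around four of the
# sequences from the text (Method 01 in 32-bit form, the Haspinst.exe
# Method 02 prologue, a MeltICE device name, and the Method 12 pushes).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # offset 4: method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # offset 25: method 02
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # offset 36: method 11
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # offset 49: method 12
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:08x}  method {method:<5} {describe(method)}")
```

To triage a real file, pass its contents (`open(path, "rb").read()`) to `scan()`; a hit is a lead for where to set the breakpoints listed in each method, not proof that the check is ever reached.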
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed
This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>