<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute an SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]   ; (es = 0, the IVT segment, as in method 06)
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax untouched; a debugger
        jz SoftICE_detected     ; catching int 41h first returns 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> the interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer counter: an arbitrary value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al means our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD is loaded and answers DIOC_OPEN */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
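As an added example, not part of the original document: a small Python scanner of the kind an analyst runs over a sample to find the anti-debugging code described above (methods 01, 02, 03/04, 05, 07 and 11). The magic values and driver names come from the page; the opcode encodings, the signature labels and the sample buffer are my own construction.

```python
import re

# Byte patterns for the tricks described on this page.  Opcode encodings are
# the standard ones for the instructions shown (16-bit mov reg,imm16 = B8+reg,
# 32-bit mov ebp,imm32 = BD, int imm8 = CD ib, int 3 = CC, cmp ax,imm16 = 3D);
# ".{0,8}" tolerates a few bytes of unrelated code between the instructions.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' (mov ebp,4243484Bh ... int 3)":
        rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc",
    "02 back-door magic values (mov si,4647h / mov di,4A4Dh)":
        rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46",
    "03/04 int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID":
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f",
    "05 int 41h function 4Fh":
        rb"\xb8\x4f\x00.{0,8}\xcd\x41",
    "05/07/12 compare with debugger magic number (cmp ax,0F386h)":
        rb"\x3d\x86\xf3",
    "07 int 68h function 43h":
        rb"\xb4\x43.{0,8}\xcd\x68",
    "11 MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID, \\\\.\\NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
}
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES.items()]


def scan(blob: bytes) -> list:
    """Return [(offset, label), ...] sorted by offset for every signature hit."""
    hits = []
    for label, rx in COMPILED:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a packer stub or a dumped executable)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the page's sequences hand-assembled, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # method 02
    + b"\x90" * 4
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # method 03
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # method 05
    + b"\x90" * 4
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x05"                      # method 07
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # method 11
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```

The 0F386h comparison fires on its own because methods 05, 07 and 12 all end with it, so a hit on that pattern alone is a weaker indicator than one of the full sequences.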