<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognizes on int 3:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of winice
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax         ; ES:DI is still 0:0 if no such VxD is loaded
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler in the IVT
    xchg bx, es:[41h*4+2]      ; (es = 0 as set up in Method 06)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; our handler copies al into cl; a debugger on int 41h does not
    jnz SoftICE_detected

__________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the "\\.\SICE" device (the SoftICE VxD) can be opened. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp ax, 0f386h             ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
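As an added example (not part of the original text, nor code from any tool it mentions), here is a static scanner for the idioms quoted in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13: it matches the byte encodings of those instruction sequences and strings, so an analyst can triage a protected binary before stepping into it. The opcode encodings and the constructed SAMPLE bytes are my own; the constants come from the text.

```python
import re

# Optional 66h operand-size prefix: present on 16-bit register moves in
# 32-bit code, absent in 16-bit DOS code, so every pattern accepts both.
P16 = rb"\x66?"

# Byte signatures for the checks quoted in the text, keyed by method number.
# Opcodes are the standard x86 encodings; the constants ('BCHK', 4647h/4A4Dh,
# the VxD IDs, 0F386h, 002A002Ah, the device and registry names) are the
# ones the text gives. Short ".{0,n}?" gaps tolerate a few interleaved
# instructions between the parts of a sequence.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3
    "m01_boundschecker": re.compile(
        P16 + rb"\xbd\x4b\x48\x43\x42" + P16 + rb"\xb8\x04\x00.{0,8}?\xcc", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    "m02_backdoor_magic": re.compile(
        P16 + rb"\xbe\x47\x46" + P16 + rb"\xbf\x4d\x4a.{0,8}?\xcc", re.S),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_04_int2f_vxd_id": re.compile(
        P16 + rb"\xb8\x84\x16" + P16 + rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.S),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "m05_int41_4f": re.compile(
        P16 + rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?" + P16 + rb"\x3d\x86\xf3", re.S),
    # Method 07: mov ah,43h / int 68h
    "m07_int68": re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.S),
    # Method 11: device names handed to CreateFileA or _lopen
    "m11_meltice_device": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)(?![0-9A-Za-z])"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "m12_vxdcall_int41": re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # Method 13: registry paths used to locate the SoftICE install
    "m13_registry_path": re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE"),
}


def scan(data):
    """Return every (offset, signature name) hit in data, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler around four of the idioms (not a real binary).
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"           # Method 01, 32-bit code
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # Method 02, as in Haspinst.exe
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # Method 11 device name
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                       # Method 12 VxDCall arguments
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it over a file's bytes (`scan(open(path, "rb").read())`); a hit is a lead to inspect in the disassembler, not proof of a working check, since the same bytes can occur in data.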

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>