<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler (assumes es = 0,
    xchg bx, es:[41h*4+2]    ; as set up in Method 06)
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; swap in our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h               ; al = current timer value (a changing number)
    xor cx, cx
    int 41h                  ; our handler copies al into cl...
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; ...unless SoftICE intercepted the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
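To make the DR7 values quoted above concrete, here is an added Python helper (not from the original text) that decodes a DR7 value into its enable, LE/GE and per-register type/length fields; the value 0xF0402 is constructed to stand for one armed global read/write BPM on DR0.

```python
# Added example, not from the original text: decode the x86 DR7 register that
# Method 10 reads, so that 0x400 / 0x700 and any armed hardware breakpoint
# (BPM) can be interpreted. Bit layout follows the Intel SDM; names are ours.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing what DR7 says about DR0..DR3 and the global flags."""
    info = {
        "raw": dr7,
        "reserved_bit10": bool(dr7 & 0x400),   # always reads as 1 on real hardware
        "LE": bool(dr7 & 0x100),               # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),               # global exact breakpoint enable
        "GD": bool(dr7 & 0x2000),              # general detect: traps any DRx access
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # L0..L3 are the even low bits
        glob = bool(dr7 & (1 << (2 * n + 1)))    # G0..G3 are the odd low bits
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3           # R/Wn: what kind of access traps
        ln = (dr7 >> (18 + 4 * n)) & 3           # LENn: size of the watched range
        info["breakpoints"].append({
            "dr": n, "local": local, "global": glob,
            "type": RW_NAMES[rw], "length": LEN_NAMES[ln],
        })
    return info


def matches_softice_loader_signature(dr7):
    """True for the state the text describes as dr7 == 0x700: LE and GE set, no BPM armed."""
    return (dr7 & 0x300) == 0x300 and not decode_dr7(dr7)["breakpoints"]


if __name__ == "__main__":
    # 0xF0402 is constructed: G0 set, R/W0 = read/write, LEN0 = 4 bytes.
    for v in (0x400, 0x700, 0xF0402):
        print(hex(v), decode_dr7(v))
```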
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name only succeeds if the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386            ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
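As an added example, not code from the original text or from any program it cites: a small Python scanner that looks in a raw binary for the instruction encodings and device-name strings behind Methods 01-07, 11 and 12, so a sample can be triaged for these checks statically rather than by tracing it. The byte encodings are the standard ones for the register/immediate forms listed above, and the sample buffer is constructed.

```python
# Added example, not code from the original text: static signature scan for
# the SoftICE checks of Methods 01-07, 11 and 12 over a raw binary blob.
# Byte encodings are the standard ones for the register/immediate forms
# listed in the text; the sample buffer at the bottom is constructed.
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); 66h prefix when in 16-bit code
    ("M01 BoundsChecker 'BCHK' in ebp",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h followed closely by mov di,4A4Dh
    ("M02 back door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("M03 int 2Fh/1684h, VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: driver device names opened with CreateFileA or _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob):
    """Return [(offset, signature name), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the Method 02 sequence from the Haspinst.exe listing,
# a Method 05 check and a MeltICE device name, padded with NOPs and zeros.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h          (offset 9)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh ; int 41h  (offset 20)
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0          (offset 28)
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```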
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>