<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: int 3 is called
with EBP = 'BCHK' and AH = 4. If SoftICE is loaded, its int 3 handler
answers the request and changes AL; if nothing intercepted the call, AL
still holds 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE int 3 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. HBOOT is the SoftICE hard-reboot
command, so never step over this loop with SoftICE loaded: the last command
it executes reboots the machine.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD API via
int 2Fh, function 1684h (Get Device API Entry Point), with the VxD ID of
SoftICE in BX. If that VxD is loaded, ES:DI is set to its API entry point;
otherwise ES:DI stays 0:0, which is why ES and DI are zeroed first.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a handler that does nothing but IRET, so AX would come back
unchanged (4Fh) through the interrupt vector table. If 0F386h comes back
anyway, something outside the vector table (SoftICE) intercepted the call.

        xor ax,ax
        mov es,ax               ; (added) ES must be 0 so that es:[41h*4]
                                ; addresses the IVT entry, as in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
Here the temporary handler copies AL into CL. AL is loaded from the PIT
counter (port 40h), a value that changes constantly, and CX is cleared
before the call. If our handler ran, CL equals AL afterwards; if SoftICE
handled the int 41h itself instead of passing it on to the vector table,
CL is still 0 and the debugger is detected. No magic constant is compared,
so a breakpoint on 0F386h does not catch it. (If the byte read from the
PIT happens to be 0, the check gives a false negative, once in 256 runs.)

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT counter
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler (DS = its segment)
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only: MOV from a debug register is a privileged
instruction and raises #GP in ring3). Values can be manipulated and/or
changed as well (clearing BPMs for instance).

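As an added example (not part of the original text), here is a decoder for the
DR7 layout this method relies on. It only interprets register values handed to
it as integers, because reading DR0-DR7 needs ring0; the values it is run on
(0x700 and 0x400 from the text, plus one with a single BPM armed on DR0) are
constructed.

```python
"""Decode x86 debug registers the way a ring0 anti-SoftICE check would.

Added example; the register values are passed in as plain integers because
MOV reg,DRn is privileged and would fault (#GP) in ring3.
"""

# DR7 R/W field (bits 16+4i, 17+4i): what kind of access triggers DRi.
# 2 means I/O access when CR4.DE=1 and is undefined otherwise.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# DR7 LEN field (bits 18+4i, 19+4i): size of the watched range in bytes.
# 2 (8 bytes) is only defined in 64-bit mode.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10   # always reads as 1, hence the 0x400 baseline
DR7_GD = 1 << 13          # general detect: trap the next MOV to/from a DRn


def decode_dr7(dr7):
    """Split DR7 into its enable flags and the per-breakpoint control fields."""
    breakpoints = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "index": i, "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "breakpoints": breakpoints,
    }


def softice_loaded_hint(dr7):
    """Method 10's first test: LE and GE set (0x700) vs. the bare 0x400 baseline."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def active_bpms(dr0, dr1, dr2, dr3, dr7):
    """Method 10's second test: (address, kind, length) of every enabled
    hardware breakpoint, i.e. every BPM currently armed."""
    addrs = (dr0, dr1, dr2, dr3)
    return [(addrs[bp["index"]], bp["kind"], bp["length"])
            for bp in decode_dr7(dr7)["breakpoints"]]


def clear_bpms(dr7):
    """The 'clearing BPMs' counter-measure: drop every L/G enable bit and
    keep the rest of DR7, so the LE/GE baseline the debugger set stays."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # Constructed values: DR7 as the text describes it, plus one BPM armed on
    # DR0 as a 4-byte read/write watch (L0=1, RW0=11b, LEN0=11b -> 0xF0401).
    for dr7 in (0x700, 0x400, 0xF0401):
        print(hex(dr7), softice_loaded_hint(dr7), decode_dr7(dr7))
    print(active_bpms(0x401000, 0, 0, 0, 0xF0401))
    print(hex(clear_bpms(0xF0401)))
```

softice_loaded_hint() is only the heuristic the text gives (LE/GE set by the
loader); a debugger that does not touch those bits is invisible to it, which is
why the BPM check on the L/G bits is the more reliable half of the trick.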
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name the SoftICE VxD answers to under Win9x */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the open only succeeds when SICE is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so
 the 4 bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                        \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is the second argument, the subkey string; offset 0x13 is where "tICE"
 sits in "Software\NuMega\SoftICE" and 0x37 where it sits in the longer
 "...\CurrentVersion\Uninstall\SoftICE" path; key #3 is not covered by it)

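Most of the tricks above (Methods 01 to 07 and 11 to 13) leave fixed byte
sequences or strings in the protected file, so a reverser can triage a binary
for them before ever loading it under SoftICE. The scanner below is an added
example, not from the original text or from any of the tools it names: the
instruction patterns are hand-assembled 16-bit operand-size encodings (in
32-bit code the same immediates follow a 66h prefix, so they still match), the
gaps between instructions are an assumption, and the sample image it runs on
is constructed from the listings above.

```python
"""Static scanner for the SoftICE-detection idioms of Methods 01-13.

Added example (not from the original text). Run it on an unpacked image:
packers that use these tricks usually keep them under a layer of encryption.
"""
import re

FLAGS = re.DOTALL  # '.' must match any byte, including 0x0A


def _instr(name, pattern):
    # Instruction patterns are byte-exact: no IGNORECASE, it would fold 0x41/0x61.
    return (name, re.compile(pattern, FLAGS))


def _strings(name, texts):
    # Win32 binaries may carry the names as ANSI or as UTF-16LE.
    return [(name, re.compile(re.escape(t.encode(enc)), re.IGNORECASE))
            for t in texts for enc in ("ascii", "utf-16-le")]


SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    _instr("M01 BoundsChecker 'BCHK' + int 3", rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (magic values of the int 3 back door)
    _instr("M02 int 3 back door SI/DI magic", rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    _instr("M03/M04 int 2Fh/1684h with SICE or SIWVID ID",
           rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h (legitimate debugger-aware code uses it too)
    _instr("M05/M06 int 41h/4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Methods 05/07/12: cmp ax,0F386h (the system-debugger magic number)
    _instr("M05/M07/M12 cmp ax,0F386h", rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    _instr("M07 int 68h/43h", rb"\xB4\x43.{0,4}?\xCD\x68"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    _instr("M12 VxDCall 002A002Ah", rb"\x68\x2A\x00\x2A\x00"),
]
SIGNATURES += _strings("M11 SoftICE device name",
                       [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"])
SIGNATURES += _strings("M13 SoftICE registry key",
                       [r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                        r"App Paths\Loader32.Exe"])


def scan(image):
    """Return sorted (offset, signature name) pairs for every match in the image."""
    hits = set()
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.add((m.start(), name))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the methods' sequences hand-assembled (16-bit encodings)
# back to back, followed by the two strings. Offsets are noted per chunk.
SAMPLE = (
    b"\xBD\x4B\x48\x43\x42"                  # 0000: mov ebp,4243484Bh
    b"\xB8\x04\x00\xCC"                      # 0005: mov ax,4 ; int 3
    b"\x3C\x04\x75\x10"                      # 0009: cmp al,4 ; jnz
    b"\xB8\x11\x09\x8B\x17"                  # 000D: mov ax,0911h ; mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 0012: mov si,4647h ; mov di,4A4Dh ; int 3
    b"\x31\xFF\x8E\xC7"                      # 0019: xor di,di ; mov es,di
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # 001D: mov ax,1684h ; mov bx,202h ; int 2Fh
    b"\xB8\x4F\x00\xCD\x41"                  # 0025: mov ax,4Fh ; int 41h
    b"\x3D\x86\xF3\x74\x05"                  # 002A: cmp ax,0F386h ; jz
    b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # 002F: push 4Fh ; push 2A002Ah
    b"\xE8\x00\x00\x00\x00"                  # 0036: call rel32
    b"\\\\.\\SICE\x00"                       # 003B: '\\.\SICE',0
    b"Software\\NuMega\\SoftICE\x00"         # 0044: registry subkey
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08X}  {name}")
```

Treat the output as triage, not proof: int 41h/4Fh and the 0F386h compare also
appear in code that merely wants to know whether a debugger is present, and a
hit only tells you where to set the breakpoints listed under each method.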
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>