<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; al is still 4 if nobody answered the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI stays 0000:0000 if the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; es must point to segment 0 (the interrupt
        lea dx, int41handler2   ; vector table) here, as in Method 06
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler echoes al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al means our handler never ran
        jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
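To see what the two DR7 values quoted above actually mean, here is an added example (not code from this page) that decodes a DR7 value into its fields as laid out in the Intel manuals: the L0..G3 enable bits, the LE/GE "exact" bits 8 and 9, the reserved bit 10 that always reads as 1 (hence the 0x400 baseline), and the R/W and LEN fields of each breakpoint slot. It only interprets a value you already have; reading the register itself needs ring0, as the text says. The third value fed to it is constructed for illustration.

```python
# DR7 layout per the Intel SDM, vol. 3, "Debug Registers". Added example,
# not code from the page; the 0x000D0701 sample value below is constructed.
LE_BIT, GE_BIT, GD_BIT = 8, 9, 13
RESERVED_ONE = 1 << 10                      # bit 10 always reads as 1

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN encoding: 00=1, 01=2, 10=8 (long mode), 11=4 bytes


def decode_dr7(dr7):
    """Return a dict describing the global flags and every armed DR0..DR3 slot."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)          # Li bit
        glob = bool((dr7 >> (2 * i + 1)) & 1)       # Gi bit
        if not (local or glob):
            continue                                # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11           # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 0b11           # LENi field
        slots.append({"slot": i, "local": local, "global": glob,
                      "kind": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "le": bool((dr7 >> LE_BIT) & 1),
        "ge": bool((dr7 >> GE_BIT) & 1),
        "gd": bool((dr7 >> GD_BIT) & 1),
        "breakpoints": slots,
    }


def classify(dr7):
    """Map a DR7 value onto the two observations made in the text above."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm"            # some DR0..DR3 slot is armed (a BPM is set)
    if d["le"] and d["ge"]:
        return "loader"         # LE+GE set: the 0x700 seen under the SoftICE loader
    return "baseline"           # only the reserved bit: the 0x400 seen otherwise


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000D0701):        # last one is constructed
        print(hex(value), classify(value), decode_dr7(value))
```

Note that the decoder reports LE/GE as they are on the page's two values and says nothing about why the loader sets them; it simply makes the difference between 0x700 and 0x400 readable at a glance.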

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
3 {, V6 R' j6 J
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
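The breakpoints listed for methods 11 and 12 catch these tricks at run time. Most of the sequences on this page are also fixed enough to look for in a file before running anything, which is how an analyst triages a packed sample. The following scanner is an added example (not code from this page, nor from any packer or tool named here) covering methods 01, 02, 03/04, 05, 07, 11 and 12; the opcode encodings are ours and assume plain 16-bit code for the DOS snippets and 32-bit code for the Win32 ones, with an optional 66h operand-size prefix accepted where a 16-bit register is written from 32-bit code. The sample buffer at the end is constructed inline.

```python
import re
import sys

# Device names opened by MeltICE-style checks (method 11). b"\\\\.\\SICE" is
# the 8-byte string \\.\SICE as it appears in a binary.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

# Byte patterns for the tricks on this page. Encodings are ours (see lead-in).
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 (32-bit code)
    "bchk_bounds_checker": rb"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh back-to-back, in either order
    "int3_backdoor_magic":
        rb"(?:\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a|\x66?\xbf\x4d\x4a\x66?\xbe\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_get_entry_point": rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "int41_magic_f386": rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "int68_magic_f386": rb"\xb4\x43\xcd\x68\x3d\x86\xf3",
    # Method 11: any of the three driver device names
    "meltice_device_name": b"|".join(re.escape(n) for n in DEVICE_NAMES),
    # Method 12: push 4Fh / push 002A002Ah just before the VxDCall
    "vxdcall_int41dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
}


def scan(data):
    """Return a sorted list of (offset, signature_name) for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a whole file read as raw bytes."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: a fake header, then fragments of methods 01, 02, 12 and
# two method 11 device names, separated by NOP padding.
SAMPLE = (
    b"MZ" + b"\x90" * 14                                          # 16-byte stub
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01 + jnz
    + b"\x90" * 8
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"                  # method 02 (16-bit)
    + b"\x90" * 8
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15"                      # method 12 + call
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # method 11 strings
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, name in hits:
        print(f"0x{offset:08x}  {name}")
```

Run it with a path to scan a file, or with no argument to scan the constructed sample. A hit only says that a known sequence is present at that offset; packers sometimes build these values at run time or split them across instructions, so absence of a hit is not proof that the trick is absent.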

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>