<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es=0 -> interrupt vector table (not in the original listing)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value from the timer port
    xor cx,cx               ; cl=0: our handler has not run yet
    int 41h                 ; if SoftICE owns int 41h, our handler never executes
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; handler ran -> cl==al, otherwise a debugger is there
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
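As an added example (not part of the original text), the following Python scanner turns the instruction encodings and strings behind Methods 01-13 into static signatures that an analyst can run over an unpacked binary or a memory dump to see which SoftICE checks a sample carries. The method labels, the signature set and the sample buffer are ours; the patterns match only the literal 16/32-bit encodings shown above, so a rewritten or obfuscated check will not be found.

```python
import re

# Static byte signatures for the SoftICE checks of Methods 01-13: standard x86
# encodings (16-bit, or 32-bit with a 66h prefix); labels and grouping are ours.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' probe (mov ebp,4243484Bh)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("M02", "backdoor magic values (mov si,4647h ... mov di,4A4Dh)",
     rb"\xbe\x47\x46.{0,4}\xbf\x4d\x4a"),
    ("M03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xb8\x84\x16\x66?\xbb\x02\x02"),
    ("M04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16\x66?\xbb\x5f\x7a"),
    ("M05", "int 41h/4Fh followed by cmp ax,0F386h",
     rb"\xb8\x4f\x00\xcd\x41.{0,8}\x3d\x86\xf3"),
    ("M07", "int 68h/43h V86 handler probe (mov ah,43h; int 68h)",
     rb"\xb4\x43\xcd\x68"),
    ("M11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("M13", "SoftICE registry key (NuMega or Uninstall branch)",
     rb"(?:NuMega|Uninstall)\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan_for_softice_checks(data: bytes) -> dict:
    """Map each method id found in data to the list of offsets where it matches."""
    hits = {}
    for method, _desc, pattern in COMPILED:
        offsets = [match.start() for match in pattern.finditer(data)]
        if offsets:
            hits[method] = offsets
    return hits


# Constructed sample, not taken from any real binary: NOP filler around a
# Method 01 sequence, a Method 12 sequence and two MeltICE device names.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42"          # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xb8\x04\x00"              # mov ax, 4
    + b"\xcc"                          # int 3
    + b"\x3c\x04"                      # cmp al, 4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\x6a\x4f"                      # push 4Fh
    + b"\x68\x2a\x00\x2a\x00"          # push 2A002Ah
    + b"\xe8\x00\x00\x00\x00"          # call VxDCall (filler displacement)
    + b"\x66\x3d\x86\xf3"              # cmp ax, 0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
)

if __name__ == "__main__":
    found = scan_for_softice_checks(SAMPLE)
    for method, desc, _ in COMPILED:
        if method in found:
            print(f"{method}: {desc} at {[hex(o) for o in found[method]]}")
```

Run it against a dumped, already-unpacked image: the packers the text mentions encrypt these sequences on disk, so the on-disk file usually shows only the packer stub.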