<TABLE width=500>
( M# D. _0 A% J) q; ^<TBODY>
% r% |9 k4 r& d" a+ a# A* x<TR>
8 n$ `: J9 P8 Z, z2 _4 ?5 M<TD><PRE>Method 01
% I6 m; u0 v) s/ _=========
, k) I5 @- h+ |
9 R; d; `2 A) ], i( g& f: d5 i) dThis method of detection of SoftICE (as well as the following one) is
$ _4 J3 n' q% X/ x9 P0 N/ qused by the majority of packers/encryptors found on Internet.. R' n: w$ j' \' f2 U
It seeks the signature of BoundsChecker in SoftICE) b% M" N: `' O9 N) P* [7 }: `
& X* M5 @5 n- v: M( Z, w M z mov ebp, 04243484Bh ; 'BCHK'
8 q5 K: Y \6 L% x0 V" s" u mov ax, 04h% y T, v6 p9 K
int 3
, R v' k% W" f: W# J, S cmp al,4
$ u: g9 @5 {, X2 v: T0 j2 m jnz SoftICE_Detected2 F) }9 a X( @/ H6 j
% H# j: o/ B# M3 p7 S___________________________________________________________________________
) T; S( z8 P6 C- k! I, {9 K1 q5 ?# E5 S, |
Method 02
3 |# H3 Q* G( k# r* s/ d2 i/ d=========5 |# h2 c1 v% F, e% I: a
# ?6 T+ h7 D/ o' O) vStill a method very much used (perhaps the most frequent one). It is used6 |2 j( b: | Q5 w R) e( H8 h
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& m7 r6 k0 T( y9 r3 ]6 X* Aor execute SoftICE commands...( \5 p: N; ~3 D3 u. h
It is also used to crash SoftICE and to force it to execute any commands* v8 ]: a2 L% q
(HBOOT...) :-(( % N- H5 T% W. D8 }& C# R
0 M6 \& l5 g5 n% Q7 U9 mHere is a quick description:' M8 a, w0 s) I
-AX = 0910h (Display string in SIce windows)* V w7 A9 f$ n/ a. M: n" i0 ~0 l8 M
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
1 p4 K! s! `9 {. ^$ c# U( i-AX = 0912h (Get breakpoint infos). l6 ?% c8 L8 L J1 p3 F# { d
-AX = 0913h (Set Sice breakpoints)
# g) w. u6 J" y9 s-AX = 0914h (Remove SIce breakoints)
. N/ f( C# R7 ~9 b6 I5 n
' R; A: S- y8 r2 Y% y9 [- ^Each time you'll meet this trick, you'll see:, M4 U5 P: m; ^8 o7 Z2 T
-SI = 4647h1 q" `2 T s) y
-DI = 4A4Dh
" \% ^$ n6 S) G7 P oWhich are the 'magic values' used by SoftIce.
: }6 G" ?$ k/ v, dFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.* N% c4 f: k. _! k
0 M0 p _) g: P5 Y8 wHere is one example from the file "Haspinst.exe" which is the dongle HASP! \0 X, |% ^7 r% W( k( ]/ X
Envelope utility use to protect DOS applications:" E0 z0 h8 p7 [5 M C
: T5 k, T* x+ z; c. d
0 o3 e. B4 E0 o6 i4C19:0095 MOV AX,0911 ; execute command.. Z+ o5 h' T; }
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
; z1 o5 w, l- t* z4C19:009A MOV SI,4647 ; 1st magic value.
- h; A+ L& ^8 O2 s; [0 @/ ]4C19:009D MOV DI,4A4D ; 2nd magic value.
/ f2 C) m. H! X4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
2 o! y# i! v" z3 n# R2 V4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute5 q. X/ U9 o' m; M
4C19:00A4 INC CX) u+ h6 K2 U f
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ B M' `1 [8 p4 E s2 L
4C19:00A8 JB 0095 ; 6 different commands.
( K# F) Q- k8 H; O4C19:00AA JMP 0002 ; Bad_Guy jmp back.+ i0 U( t2 d d) g+ g6 u" N
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" Z( v7 t/ ~6 o5 W, y) t- O7 O0 E% g$ L& S; |
The program will execute 6 different SIce commands located at ds:dx, which
& a# p% [8 _6 ?6 k6 uare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# |3 l! z8 V( q* i' L0 }+ p" Z
% k( a6 h- O* Q# f. e( u) u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) P' Y4 L' n5 _3 z
___________________________________________________________________________6 a8 n& m6 K5 S. l! e0 Y) m, G
8 U! ?2 t+ u' }( w$ ?6 j/ G& a1 ~9 F
Method 03. l8 P7 W! h# p
=========
& s# \" g7 |+ D% E M. K! Y+ a7 D7 C9 v! J; n7 U. ~" y6 U
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h' c5 e- l/ y/ m) C$ b e& n5 K- z
(API Get entry point)8 |- b7 V# @, h
# r* A8 x% c$ k. m- \; s/ ^4 Z
; d( Z+ L K# J( d8 @) O; U: o# a2 O xor di,di: \0 z& ~$ }% C9 v% u+ u% @
mov es,di0 E7 X Z, ]: n6 P0 |9 u
mov ax, 1684h ! X( i* W( e6 q q: @- \
mov bx, 0202h ; VxD ID of winice4 B$ L9 {0 Y0 M2 Z' Q* L
int 2Fh
1 x- v5 v5 E+ m. u mov ax, es ; ES:DI -> VxD API entry point, C' z/ S" n: \8 o1 B5 {5 Y
add ax, di: D( N. @, e2 I- ]
test ax,ax2 h, w3 I% O1 i V
jnz SoftICE_Detected
8 ?2 E: c4 ?! l5 z2 M
. x/ j, q6 } }: C/ x7 F___________________________________________________________________________2 z) q$ `# `! N( `
5 t* r& m! A8 w+ h& DMethod 04
- c* i+ Q- w& V6 o" M" f v G=========4 w+ y$ X1 F0 a4 p$ Y, R3 F( H0 n# V) W
8 I) Q$ a0 L0 |- j& N- v4 W0 BMethod identical to the preceding one except that it seeks the ID of SoftICE
- ]4 v, t8 _6 SGFX VxD.
' \$ G3 e6 C. z+ a' m3 M$ }: y/ m* R
xor di,di
; N; |% V4 l, a1 G; Y mov es,di
3 v" `9 F; h* I; d+ t" R" N mov ax, 1684h 5 u A: [4 ?+ f5 s- B
mov bx, 7a5Fh ; VxD ID of SIWVID
/ K7 O* D0 S* }# q2 b& L int 2fh
- Z1 |5 ]' g2 Q# J& w, F' x/ H mov ax, es ; ES:DI -> VxD API entry point
" @; S4 `* C# O1 M% o add ax, di
8 o) O7 z! m) T8 _ test ax,ax7 S+ A8 B, Q& `5 k/ l; T5 J$ \
jnz SoftICE_Detected# G. {2 s- l8 f5 A9 s* l2 \+ q
+ |! t1 m1 e% L$ }. O
__________________________________________________________________________' L% K0 F9 b( i6 `. x' k
7 W" N: Z& \8 X1 D8 [- D
7 g7 |% I4 x' u7 j! N* S9 u
Method 05
% D, O5 I2 e! {9 M) t: h* o=========
" A1 g k# G0 e7 p' g4 ?+ f- l# c2 x$ h5 R
Method seeking the 'magic number' 0F386h returned (in ax) by all system; {9 h. B ]8 [* C
debugger. It calls the int 41h, function 4Fh.2 t9 E D' s2 K+ W# m
There are several alternatives.
7 S8 o! [* m" W6 }- c2 h: F0 `6 |/ E
2 ?7 b' P/ \7 R# o1 O. YThe following one is the simplest:
; c' t/ r0 R/ h2 L4 D: s6 s& {* r) U4 n# W+ V* L. i
mov ax,4fh
# h$ N5 k/ S2 d1 D7 V' M) ?# T int 41h9 p& N- j( Q1 \
cmp ax, 0F386/ M: \% [) q- F( l0 t
jz SoftICE_detected
5 c+ r* \( F8 L1 t. T! ]; D) N3 y5 k: Q
1 W7 l, e, f) j6 _ ^. KNext method as well as the following one are 2 examples from Stone's $ r# `1 }5 k1 j9 w3 v4 B
"stn-wid.zip" (www.cracking.net):7 u9 i- G4 g6 M
5 m4 z( i) `$ ^: U5 s6 M x
mov bx, cs1 m) C" T8 z7 ?7 g0 D* L3 r7 V
lea dx, int41handler2
1 b% I0 E* t E$ U8 N( [5 L+ T F6 } xchg dx, es:[41h*4]
8 Q- C: s: k" I$ J xchg bx, es:[41h*4+2]
8 d5 y# ^4 ~& T: P k mov ax,4fh
$ Y! n3 Z2 ?1 M3 o4 m int 41h
( w+ U o4 B3 C; |4 Z4 `. W" i* b" k xchg dx, es:[41h*4]
3 O5 R* c& P% f6 E6 N xchg bx, es:[41h*4+2]6 k' f" i" _1 c9 L9 P
cmp ax, 0f386h
2 @! f, A# n6 O- v8 K. C' a. n jz SoftICE_detected
a; ^; [) v5 _" Q; J
9 S* ]; A) t* s4 }int41handler2 PROC
$ B% X+ v8 C9 K# p iret" Q: ]9 o# C/ x) c/ ^' A
int41handler2 ENDP
- H5 O, p1 D" N3 F
4 e7 @0 T7 y4 m* B N; R( M( `! v) y0 r- W$ \7 b, B% s$ q
_________________________________________________________________________5 G' g q3 `. B
3 s3 b3 N; q% ?5 p8 E1 p# n
; \! G& u4 q+ s
Method 06
+ v0 d! x. n3 }5 h2 J+ W% I=========, O4 A6 `; n- ~7 K
8 T% C, _ v, V' Y4 V+ V
0 q/ i0 d+ p- q# h- j. T! l% g- d
2nd method similar to the preceding one but more difficult to detect:
3 E+ Y" S, k: S" z8 m
2 R- Q/ Z3 L( V" s! _0 [# N4 s
0 ~$ P7 N2 G" o1 Hint41handler PROC
4 d6 l9 F2 q: t/ E+ s( W0 H mov cl,al& p) r6 c* t2 k
iret
' b- m+ g2 B' r7 hint41handler ENDP/ |/ f5 X1 h. S2 ]* P9 k7 Z3 u! V
l2 _/ I/ G% k- [: C* o
" v0 D& ? p5 O7 v, p4 C xor ax,ax: l X0 h. y* ^0 z
mov es,ax
7 | r1 G/ [0 y4 x& C8 f2 `8 A mov bx, cs4 y; @4 s& J- l: f9 _
lea dx, int41handler
# |. o& G" t2 P- ~% o, `0 ^ xchg dx, es:[41h*4]- b2 l, b, v. F6 U
xchg bx, es:[41h*4+2]
- n/ v; j7 O# d% l0 P in al, 40h% k9 X: U% [ Q, d& }( C! \
xor cx,cx
+ |# a6 q! |, G/ D int 41h9 c7 }' Q7 f/ V$ K9 ]
xchg dx, es:[41h*4]
( g6 f' D3 S& @) E, G8 j xchg bx, es:[41h*4+2]
' \( m* X" k* t# C cmp cl,al
' `3 a) T6 p1 k/ c) ` jnz SoftICE_detected, A: ^+ G ` d' S. q( @% _# d
$ t! \) S. u# X2 D_________________________________________________________________________- H1 ^/ d) n, L' V) W. b& i
7 \/ ?% F: P6 K% kMethod 070 Z& B3 T$ q# }; O% G
=========
5 d$ ^+ X) K9 ~1 d
# \- S& G4 i- R8 I8 L; X# o8 }& dMethod of detection of the WinICE handler in the int68h (V86)
$ b& `; g. x" ?- g/ Z
* f# i' A4 N/ T5 K1 G) y O% E( v mov ah,43h
" a4 d6 N% b" O int 68h: L, Y9 F3 m" B/ _; T/ a
cmp ax,0F386h
5 j6 n/ @2 }+ c) ^3 p jz SoftICE_Detected
G% a& O" r# A5 S, N: p+ x2 B8 p( Y, z6 F+ O" b( n/ w
# V$ Q' Y. } e+ _4 N! r
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) L) z) f0 v5 g+ Q; M% T
app like this:* `; P k4 A$ {
; R, S( t1 x5 ` BPX exec_int if ax==68$ b( u K, C6 E
(function called is located at byte ptr [ebp+1Dh] and client eip is" f7 U% @, C( A$ D2 Z) M, M
located at [ebp+48h] for 32Bit apps)0 `1 |6 B* {' Z2 O8 B
__________________________________________________________________________6 k0 \& L- Z9 B4 ^ C, ?" ?# w+ L
+ r T" J. v9 }' ]& }7 m" ^0 \- K4 T- p
Method 08$ h: I/ t+ m3 t1 o# d- a7 `
=========
4 J9 J+ ~5 D* g7 a& r6 D) l. c G2 P$ ?( O' l, |
It is not a method of detection of SoftICE but a possibility to crash the
9 | ]2 h- `( esystem by intercepting int 01h and int 03h and redirecting them to another) B& l$ y8 Y( S9 `' t
routine.
. U( J0 h' W. Z7 E# U: ]% F B% \It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
o; u7 Y- c$ p* g1 \1 m* K, N2 sto the new routine to execute (hangs computer...)
. h+ c, T/ D' `# ~* \% N) h# F m4 {: u. a" Z1 w
mov ah, 25h0 N3 t; b9 I3 K! x% z0 K" s
mov al, Int_Number (01h or 03h)2 `. c9 w! z! z- N) ^" K
mov dx, offset New_Int_Routine0 K8 m U* S( Q7 N
int 21h
( S! w4 j/ i* j, _/ Z. R& r7 y. }, t/ K* R% y( B. l& w" I
__________________________________________________________________________
; A) R7 r) l( h, I! y; M
! X% y/ O+ ~6 ~* ?Method 09, u) W, j/ @5 z1 N
=========
$ k1 U' I* H% v2 U* W8 P% j3 f8 C+ Y3 e3 i4 P; l9 s, o2 e9 k+ f
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only4 M7 x" g' B% p# ]3 O0 X
performed in ring0 (VxD or a ring3 app using the VxdCall).- m5 P/ _1 j( D+ J! M
The Get_DDB service is used to determine whether or not a VxD is installed
: q' ^2 F/ s$ f# h$ @# x" Qfor the specified device and returns a Device Description Block (in ecx) for
' x/ G, S4 \( E; H( s$ zthat device if it is installed." ^& _# h/ U6 d8 ]
2 l1 K6 a5 j# Y: m: N# u! B
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID4 G; J2 W/ b. A9 p. Z
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
2 w' f$ ~8 c7 P7 s" o6 f; f VMMCall Get_DDB- f& R8 T: Y' t- e- X2 [) ~
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
2 e9 j7 f9 O" d2 V0 w6 }. _ y. q5 n2 ?- O9 R. L) N' J) M
Note as well that you can easily detect this method with SoftICE:
, y: h3 o& A. c+ g# \) D bpx Get_DDB if ax==0202 || ax==7a5fh
' N, d( k1 H6 G8 w+ j4 }
+ ~# D$ c" ]% [/ s ?+ P6 }! d) T__________________________________________________________________________' N/ H' j# C! T' j/ \
( U6 X: N- Q# R: e$ h
Method 10* j* M& t6 q( a) {
=========
" Q. n5 K# b2 {& y; f' v3 A5 n1 @& @1 ~0 B9 n4 G
=>Disable or clear breakpoints before using this feature. DO NOT trace with
; H: ]* B7 }2 l) B, ~+ \6 c: W7 i SoftICE while the option is enable!!& v) R* o( p% j) m% G4 c
- e' n# ^8 \0 Z* Q D- S
This trick is very efficient:' Z' Z3 Z& z2 o9 ~7 L1 H
by checking the Debug Registers, you can detect if SoftICE is loaded, S/ y0 M- b. _
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# l/ R# D% a# c' Y& Y& I
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 Z+ V, W6 Y9 ]$ _7 ^
value (in ring0 only). Values can be manipulated and or changed as well$ S# D* b7 d/ F/ z6 P
(clearing BPMs for instance)1 B7 a# D, i. N( B4 r0 n
- c4 B r. b: T; s7 m! A9 [__________________________________________________________________________
7 x+ D! n: q( E7 d( T
& A, d( t' n& f1 ?) @+ iMethod 11
& W. k4 \2 @0 ^& I+ }/ \( A=========' ^. I# A! L& p& H- k# Q
: Q f; I' X& K- jThis method is most known as 'MeltICE' because it has been freely distributed
E8 y8 s R; y F- H( Cvia www.winfiles.com. However it was first used by NuMega people to allow
1 [4 M* b% o! P1 D# t% BSymbol Loader to check if SoftICE was active or not (the code is located# I, S: k* u/ w1 H" `, b
inside nmtrans.dll).
$ [+ \$ p, j; w4 F( t a/ _0 M I0 T2 Y# G
The way it works is very simple:; X/ J# x2 ]4 F7 ]: s
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ o# i- y4 Z8 l1 CWinNT) with the CreateFileA API.
! _0 c d% w9 {
8 u T$ J# j$ R- QHere is a sample (checking for 'SICE'):7 Q' I& l- H4 R3 W0 a
: }1 x; O# N8 Y- Q6 y$ u% D. R/ oBOOL IsSoftIce95Loaded()
5 c* r6 L- ^3 p4 a* g{8 A- ~ Z: L2 S- ?9 k
HANDLE hFile; " i9 b+ p0 F6 ]. e) H0 ]: g
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- Y4 a/ S" p1 N5 Q8 `; T+ H FILE_SHARE_READ | FILE_SHARE_WRITE,
. f1 t5 O2 ]4 M+ _4 a# X4 b NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
) o; F" ~ J4 T' E9 ^6 m2 j if( hFile != INVALID_HANDLE_VALUE )3 K3 w) Q. h% c! ]* w9 p
{- {- x/ B0 G9 i0 ?8 ~, z+ L3 Y' K) A* Y
CloseHandle(hFile);
# K7 a1 f0 Y& T! E; |# c9 f return TRUE;
- _2 {7 P0 ?4 Q1 @# ^. N }+ X3 y2 B/ f- N% ~: {, i, v- h4 \& Y
return FALSE;
- _2 S6 F. X' M) M2 j7 Y}
f% X: U4 L3 \2 m0 z) Q7 `6 r x2 L1 D" E; H B
Although this trick calls the CreateFileA function, don't even expect to be* K( d. b* n4 n, u, h
able to intercept it by installing a IFS hook: it will not work, no way!2 g- e, X+ C4 a$ K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
/ a1 ? H, I$ ~' C" fservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: A# r9 o) k4 C& n k3 r* Gand then browse the DDB list until it find the VxD and its DDB_Control_Proc7 }' U7 B' c. p5 [, K6 N
field.9 z2 }/ [9 o% [: g" f
In fact, its purpose is not to load/unload VxDs but only to send a
8 O% k" ~' g: x6 eW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) G: o; }) q2 t7 m8 Y
to the VxD Control_Dispatch proc (how the hell a shareware soft could try9 z/ I, b4 m5 I: u1 X+ I
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
% E2 l/ C! o% Q, c) S( mIf the VxD is loaded, it will always clear eax and the Carry flag to allow$ A) p+ }2 B+ D, x; o" F! ?
its handle to be opened and then, will be detected.
3 _* R, g+ U( s* ]+ s. P! g' CYou can check that simply by hooking Winice.exe control proc entry point8 ^: v+ Q) y, ^$ c/ C4 E. M" ]. _: ^* j4 m
while running MeltICE.& l/ Z; Y" x( d8 g4 T
1 b5 E, Q6 f# ` t9 C) s
$ B' R6 V5 {# N( ~$ N 00401067: push 00402025 ; \\.\SICE
7 w, m+ m1 c' I 0040106C: call CreateFileA
- ]# R; C0 X; \& W( \7 ?3 c I 00401071: cmp eax,-001
' h+ z6 U1 `0 a4 ^% J 00401074: je 004010916 H5 ?6 f8 \3 O6 v+ }- ]2 \4 g
' w+ g: I% l- c/ N" C2 y4 `9 }: n
There could be hundreds of BPX you could use to detect this trick.# @) n3 O; {6 G
-The most classical one is:7 r" s. M. ]5 x8 g
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||4 o) Y+ y0 j2 D
*(esp->4+4)=='NTIC'
8 j$ n. v1 G; ?& o2 `- g j: T/ d& K7 Q
-The most exotic ones (could be very slooooow :-(' C t: }+ q: d8 h) c7 n* T" b
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') " [8 ?. b" e- T A- V
;will break 3 times :-(! ] |+ B& @" e8 ]* E! p
( j9 X9 s0 [6 K-or (a bit) faster:
. n E( A$ W) x: E" H- }# K: v/ D BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! K' Q+ O/ A7 E, U ~2 T
( T0 R, l0 m- j; s- N$ @5 Y" X BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
% T8 B+ H+ } l5 O& L. a' A/ _ ;will break 3 times :-(
7 I# P+ x/ ~3 d7 ~
- S9 i a8 z- \/ m4 I# N( m! _-Much faster:* c* y, i6 A9 ~% p& _& s% P* Y
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
) K5 \; Z1 M7 m! q, P5 m5 z2 Q. u+ k( Y2 | V1 a6 d6 z
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen( v" X% M+ s1 b+ W; q
function to do the same job:) O3 o J9 b: x3 u" N$ d$ V( g
2 ?' Q, v& j( t: W" g5 c0 M
push 00 ; OF_READ) Y' Q% F2 e- _+ [2 S7 g
mov eax,[00656634] ; '\\.\SICE',0
9 a' U5 p8 D$ v4 I push eax& |! _& Z7 ^% Z M5 b/ c
call KERNEL32!_lopen; Z& E+ P: i0 `: a, z+ p
inc eax
/ w+ j& t* I/ M' \0 n) f jnz 00650589 ; detected' y7 T5 `- U: e. _) t
push 00 ; OF_READ
7 z- U+ \( F& A mov eax,[00656638] ; '\\.\SICE'- R D4 i) w3 T; ~6 K- O
push eax; R2 x" \3 l/ ]
call KERNEL32!_lopen
0 b* b* L0 {* {) h inc eax2 o+ r4 X: U2 O) v. z
jz 006505ae ; not detected8 O" L# ]( D7 y: O! D2 w R
: W' \" R' [4 M8 I k
n* b. B8 J; S, j__________________________________________________________________________& l& N/ M) j% r( Y3 }' M1 G
8 y) j" x% |/ ~) X1 @
Method 12
" i( N4 L" n% i% i9 O- L8 l: o$ _=========
" B4 y. B- e/ o1 ^2 ^0 l
/ m& B& ~8 R( D% f: e9 @: {This trick is similar to int41h/4fh Debugger installation check (code 05
. E, M! S- Q$ y" T5 Z& 06) but very limited because it's only available for Win95/98 (not NT)$ |8 e- R0 c, ^: R1 k5 S
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 O; ~# O, s( I2 G( _, L
) c7 X% i, ?4 q* r& |1 Y U' ` push 0000004fh ; function 4fh+ `" d4 T: l" D. v; v0 P/ n( L
push 002a002ah ; high word specifies which VxD (VWIN32)* W1 w! i0 O( u( N$ u
; low word specifies which service
7 E5 p1 f# E' V* W2 a+ h (VWIN32_Int41Dispatch)
2 Y2 ~* M( @2 N% r5 H8 {* C8 o call Kernel32!ORD_001 ; VxdCall
; n2 x1 B4 Y; O cmp ax, 0f386h ; magic number returned by system debuggers
( h9 t- z* z5 P+ C7 Y' V jz SoftICE_detected
1 q1 @+ q$ ]4 O$ s
# d+ l; w+ f* r4 U: wHere again, several ways to detect it:* A/ t# n9 `) O% ^9 K! z; l
& G; B# l; l# Q: L% D% c
BPINT 41 if ax==4f
& T/ y. O2 Y6 B7 A) P& Q8 B% C, x
7 S+ b, Y& ?+ D+ O _2 m BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
2 s3 i5 u4 C+ J/ z' O( s n# Y/ \! u1 b, t+ K9 e; R
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
. W3 b2 o; m+ t* P. m4 n4 h
& \- R+ d+ A4 H- Q BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!' K" ~7 H1 V1 Z' G7 B0 D, \
' h" z+ ]5 ?8 G6 W) L__________________________________________________________________________2 i& _5 w+ X- l6 I+ C3 L' N
p3 H3 N" I4 A& M
Method 13
% i4 ?; I8 S( e. S: f$ H+ ^; v' E=========6 x" P1 @( n; q. V q
5 a% s s6 o' e, P5 g- WNot a real method of detection, but a good way to know if SoftICE is
) [" C$ G. g. u: j/ R ginstalled on a computer and to locate its installation directory.
4 U6 F. p+ g! dIt is used by few softs which access the following registry keys (usually #2) :1 R' c9 t, `7 A/ h6 K
6 B7 M$ I3 t3 r- S6 R. n- R) h+ E
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: Y l+ e) }" }! ^$ I: `
\Uninstall\SoftICE; M: f/ m7 I7 r# I5 l) F
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 I! Y4 V2 d7 u" I4 c) s# L. z% R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) p& R# ]7 k7 o1 ~; F\App Paths\Loader32.Exe% S2 L) f1 P4 V" \3 ]# \$ R. _
( y0 K, R- X" R" ^7 u
+ C' Q: ?! F( E$ H9 y9 QNote that some nasty apps could then erase all files from SoftICE directory
- v8 K7 I. q f1 [) b% M1 b(I faced that once :-(" |. ]' E8 N P, _6 i
6 r' G X% t% C# ^& y5 J5 G* I7 R- t
Useful breakpoint to detect it:8 x p9 l" k+ e; u5 _
% n' G2 R% z' A+ }6 P& G BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'# H' r" S$ C, l- |
& j9 o0 y* w& B, `__________________________________________________________________________
8 y- u6 z, F( Y
( K/ L! _8 v6 K# Q0 @ N% }* R9 t) w$ N3 [. M7 |. G& w5 ~5 t
Method 14 * ]9 a- I! R: K) N ]
=========* z' b3 V5 d2 F' Y+ k
, o+ p6 }: y+ D8 U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" P, Y3 P' c, g9 I7 bis to determines whether a debugger is running on your system (ring0 only).
# p4 V; h# E4 j, @. k. F5 b. r3 r& R: J; W0 x
VMMCall Test_Debug_Installed2 x! N$ j) \# F' v" [ z9 f
je not_installed
- l' U4 {6 b" G- j! z- b Y- m/ c' G3 [
This service just checks a flag.) M/ D. i: K! y. F" T4 R
</PRE></TD></TR></TBODY></TABLE> |