<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es must be 0 here (interrupt vector table)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer so al is unpredictable
        xor cx,cx
        int 41h                 ; our handler copies al into cl; SoftICE does not
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
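
As an added example (not part of the original text), the following Python decoder splits a DR7 value into the fields Intel documents for it, so the two values quoted above can be compared: 0x400 is only the always-set reserved bit 10, while 0x700 additionally carries the LE and GE exact-breakpoint bits; the value 0x000D0401 is constructed here to show what an armed dr0 (a BPM) looks like.

```python
# x86 DR7 layout (Intel SDM): bits 0-7 L0/G0..L3/G3 enables, bit 8 LE,
# bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD, bits 16-31 R/Wn and LENn.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named control fields and active breakpoints."""
    info = {
        "LE": bool(dr7 >> 8 & 1),           # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),           # global exact breakpoint enable
        "reserved10": bool(dr7 >> 10 & 1),  # the 0x400 every DR7 value carries
        "GD": bool(dr7 >> 13 & 1),          # general detect: trap on any DRn access
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 >> 2 * n & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            info["breakpoints"].append({
                "n": n, "local": local, "global": glob,
                "type": RW_NAMES[dr7 >> (16 + 4 * n) & 3],
                "len": LEN_BYTES[dr7 >> (18 + 4 * n) & 3],
            })
    return info


def bpm_set(dr7: int) -> bool:
    """True if any of dr0-dr3 is enabled, i.e. a memory breakpoint (BPM) is armed."""
    return bool(dr7 & 0xFF)


def loader_flags_set(dr7: int) -> bool:
    """True when LE and GE are both set, which is exactly what turns 0x400 into 0x700."""
    return dr7 & 0x300 == 0x300


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values quoted in the text; the third is constructed.
    for value in (0x400, 0x700, 0x000D0401):
        print(hex(value), decode_dr7(value), "BPM armed:", bpm_set(value))
```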

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD by its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The driver answered, so SoftICE is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
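As an added example (not part of the original text), here is a small static scanner an analyst can run over a binary to flag the tricks described above before debugging it. It assumes the 16-bit encodings of the instructions shown in Methods 01 to 07, the 32-bit push sequence of Method 12, and the device-name and registry strings of Methods 11 and 13; the sample bytes are hand-assembled here, not taken from any real file, and a protector that reorders the instructions or encodes them differently will not be matched.

```python
import re

# Byte signatures for the tricks shown above. Encodings are 16-bit (Methods
# 01-07 are DOS/V86 code) except Method 12, which is 32-bit. Immediates are
# little-endian: 4243484Bh -> 4B 48 43 42, 4647h -> 47 46, 0F386h -> 86 F3.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' handshake (mov ebp,4243484Bh ... int 3)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    ("M02", "back door magic values (mov si,4647h / mov di,4A4Dh ... int 3)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    ("M03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD id",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("M05", "int 41h/4Fh then cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    ("M07", "int 68h/43h then cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.S)),
    ("M11", "MeltICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE registry key string",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I)),
]


def scan(blob: bytes) -> dict:
    """Map each matching signature tag to the offsets where it occurs."""
    hits = {}
    for tag, _desc, pat in SIGNATURES:
        offs = [m.start() for m in pat.finditer(blob)]
        if offs:
            hits[tag] = offs
    return hits


# Constructed sample (not a real binary): NOP padding followed by hand-assembled
# fragments of Methods 01, 02, 03, 05 and 12 and the two strings.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"       # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"               # Method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                           # Method 12
    + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"     # Methods 11, 13
)

if __name__ == "__main__":
    for tag, desc, _ in SIGNATURES:
        for off in scan(SAMPLE).get(tag, []):
            print(f"{off:#06x}  {tag:6}  {desc}")
```

To triage a real file, replace SAMPLE with the bytes read from disk; a hit only says the pattern is present, so confirm it in a disassembler before drawing conclusions.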