<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

   mov ebp, 04243484Bh     ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al, 4               ; al is still 4 if nobody answered the int 3
   jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
   -AX = 0910h (Display string in SIce window)
   -AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
   -AX = 0912h (Get breakpoint info)
   -AX = 0913h (Set SIce breakpoints)
   -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
   -SI = 4647h
   -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

   4C19:0095 MOV AX,0911       ; execute command.
   4C19:0098 MOV DX,[BX]       ; ds:dx point to the command (see below).
   4C19:009A MOV SI,4647       ; 1st magic value.
   4C19:009D MOV DI,4A4D       ; 2nd magic value.
   4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
   4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
   4C19:00A4 INC CX
   4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
   4C19:00A8 JB 0095           ; 6 different commands.
   4C19:00AA JMP 0002          ; Bad_Guy jmp back.
   4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 0202h           ; VxD ID of winice
   int 2Fh
   mov ax, es              ; ES:DI -> VxD API entry point
   add ax, di              ; ES:DI stays 0:0 when the VxD is not loaded
   test ax, ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it seeks the ID of the
SoftICE GFX VxD:

   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 7a5Fh           ; VxD ID of SIWVID
   int 2fh
   mov ax, es              ; ES:DI -> VxD API entry point
   add ax, di
   test ax, ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

   mov ax, 4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

   xor ax, ax
   mov es, ax              ; es = 0 so that es:[41h*4] addresses the IVT
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]     ; install our own int 41h handler...
   xchg bx, es:[41h*4+2]
   mov ax, 4fh
   int 41h
   xchg dx, es:[41h*4]     ; ...and restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h          ; a system debugger hooking int 41h still answers
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
   mov cl, al              ; only runs if our handler really gets the int 41h
   iret
int41handler ENDP

   xor ax, ax
   mov es, ax
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h              ; timer value: an unpredictable byte
   xor cx, cx
   int 41h
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   cmp cl, al              ; cl != al means our handler was bypassed
   jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

   mov ah, 43h
   int 68h
   cmp ax, 0F386h
   jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
   BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

   mov ah, 25h
   mov al, Int_Number      ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
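As an added example (not part of the original text), the decoder below spells out what the DR7 values quoted above mean: 0x400 is only the always-set reserved bit 10, 0x700 additionally has the LE and GE (exact breakpoint enable) bits set, and any BPM shows up in the L/G enable bits together with its R/W and LEN fields. The third sample value is constructed here to stand for a 4-byte read/write BPM on dr0.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the x86 DR7 debug-control register (Intel SDM bit layout). */
typedef struct {
    int l[4], g[4];     /* L0..L3 (bits 0,2,4,6) and G0..G3 (bits 1,3,5,7) */
    int rw[4], len[4];  /* R/Wn at bits 16+4n, LENn at bits 18+4n, 2 bits each */
    int le, ge, gd;     /* LE bit 8, GE bit 9, GD (general detect) bit 13 */
    int bit10;          /* reserved, reads as 1 on a real CPU */
} dr7_t;

enum dr7_state { DR7_INVALID, DR7_IDLE, DR7_EXACT_ENABLED, DR7_BPM_ARMED };

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d;
    for (int i = 0; i < 4; i++) {
        d.l[i]   = (dr7 >> (2 * i)) & 1;
        d.g[i]   = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;   /* 0=exec, 1=write, 3=read/write */
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;   /* 0=1 byte, 1=2, 3=4 (2=8, 64-bit) */
    }
    d.le    = (dr7 >> 8) & 1;
    d.ge    = (dr7 >> 9) & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd    = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints (dr0..dr3) enabled, locally or globally. */
int dr7_armed_count(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.l[i] | d.g[i]);
    return n;
}

/* Classify a DR7 snapshot the way the text reads it: 0x400 is idle, 0x700 has
 * LE and GE set (what the text reports after loading via the SoftICE loader),
 * and any Ln/Gn bit means a memory breakpoint is armed. */
enum dr7_state dr7_classify(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    if (!d.bit10) return DR7_INVALID;
    if (dr7_armed_count(dr7) > 0) return DR7_BPM_ARMED;
    if (d.le && d.ge) return DR7_EXACT_ENABLED;
    return DR7_IDLE;
}

int main(void)
{
    /* 0x400 and 0x700 are the values quoted in the text; 0x000F0401 is a
     * constructed sample: dr0 locally enabled, R/W0=3 (read/write), LEN0=3 (4 bytes). */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x000F0401u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_t d = dr7_decode(samples[i]);
        printf("dr7=%08x state=%d armed=%d LE=%d GE=%d rw0=%d len0=%d\n",
               (unsigned)samples[i], (int)dr7_classify(samples[i]),
               dr7_armed_count(samples[i]), d.le, d.ge, d.rw[0], d.len[0]);
    }
    return 0;
}
```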

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;             /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

   00401067: push 00402025      ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                  ; OF_READ
   mov eax,[00656634]       ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax
   jnz 00650589             ; detected
   push 00                  ; OF_READ
   mov eax,[00656638]       ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push 0000004fh           ; function 4fh
   push 002a002ah           ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_001    ; VxdCall
   cmp ax, 0f386h           ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

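Added example (not from the original text) checking the constants in two of the breakpoints quoted above, the CreateFileA one from method 11 and the _regopenkey one here: it mirrors the 4-byte compare at +4 past the \\.\ prefix of the lpFileName argument and computes where the "tICE" window lands in each registry subkey, which is where the 0x13 and 0x37 come from. The device and registry names are taken from the text; the PhysicalDrive0 path is a constructed non-SoftICE sample.

```c
#include <stdio.h>
#include <string.h>

/* Driver-name tags the method 11 breakpoint compares at lpFileName+4, i.e.
 * just past the "\\.\" device prefix: SICE, SIWVID (Win9x) and NTICE (WinNT). */
static const char *const DEVICE_TAGS[] = { "SICE", "SIWV", "NTIC" };

/* Mirror of  BPX CreateFileA if *(esp->4+4)=='SICE' || ... :
 * esp->4 is the lpFileName argument, +4 skips "\\.\", and exactly four
 * bytes are compared. Returns the tag index, or -1 when the path is not a
 * SoftICE device name. */
int devpath_tag(const char *path)
{
    if (strncmp(path, "\\\\.\\", 4) != 0 || strlen(path) < 8)
        return -1;
    for (int i = 0; i < 3; i++)
        if (memcmp(path + 4, DEVICE_TAGS[i], 4) == 0)
            return i;
    return -1;
}

/* Offset of the 4-byte window "tICE" inside a RegOpenKey subkey string, or -1.
 * esp->8 is lpSubKey; the text's 0x13 and 0x37 are exactly these offsets for
 * the NuMega and Uninstall keys. */
int tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (int)(p - subkey) : -1;
}

int main(void)
{
    /* Sample arguments: device and registry names from the text, plus one
     * constructed non-SoftICE device path. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-22s tag=%d\n", paths[i], devpath_tag(paths[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-70s tICE offset=%d\n", keys[i], tice_offset(keys[i]));
    return 0;
}
```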
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>