<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

   mov ebp, 04243484Bh       ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al,4                  ; al is still 4 when nothing answered the call
   jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

   4C19:0095 MOV AX,0911      ; execute command.
   4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
   4C19:009A MOV SI,4647      ; 1st magic value.
   4C19:009D MOV DI,4A4D      ; 2nd magic value.
   4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
   4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
   4C19:00A4 INC CX
   4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
   4C19:00A8 JB 0095          ; 6 different commands.
   4C19:00AA JMP 0002         ; Bad_Guy jmp back.
   4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 0202h             ; VxD ID of winice
   int 2Fh
   mov ax, es                ; ES:DI -> VxD API entry point
   add ax, di                ; ES:DI is still 0:0 if the VxD is not loaded
   test ax,ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

   xor di,di
   mov es,di
   mov ax, 1684h
   mov bx, 7a5Fh             ; VxD ID of SIWVID
   int 2fh
   mov ax, es                ; ES:DI -> VxD API entry point
   add ax, di
   test ax,ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
   mov ax,4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected


The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

   xor ax,ax
   mov es,ax                 ; es = 0 -> interrupt vector table (as in Method 06)
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]       ; install our own int 41h handler,
   xchg bx, es:[41h*4+2]     ; keeping the old vector in dx:bx
   mov ax,4fh
   int 41h
   xchg dx, es:[41h*4]       ; restore the old vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h            ; our handler leaves ax alone; SoftICE answers anyway
   jz SoftICE_detected

int41handler2 PROC
   iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
   mov cl,al
   iret
int41handler ENDP

   xor ax,ax
   mov es,ax
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   in al, 40h                ; unpredictable value read from the timer
   xor cx,cx
   int 41h                   ; our handler copies al into cl...
   xchg dx, es:[41h*4]
   xchg bx, es:[41h*4+2]
   cmp cl,al                 ; ...unless SoftICE handled the int itself
   jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86)

   mov ah,43h
   int 68h
   cmp ax,0F386h
   jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

   mov ah, 25h
   mov al, Int_Number            ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SICE VxD as a device; only succeeds when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
       CloseHandle(hFile);
       return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


   00401067: push 00402025         ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                   ; OF_READ
   mov eax,[00656634]        ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax
   jnz 00650589              ; detected
   push 00                   ; OF_READ
   mov eax,[00656638]        ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae               ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push 0000004fh            ; function 4fh
   push 002a002ah            ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_001     ; VxdCall
   cmp ax, 0f386h            ; magic number returned by system debuggers
   jz SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one
   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:
   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>