<TABLE width=500>: m2 F/ W. u1 r
<TBODY>
( D1 m+ K- J4 f: a' p2 I<TR>: `" w8 H$ E6 N5 V* h7 ?: K
<TD><PRE>Method 01 ' Y& H" V5 m _! N! A
=========8 j! C) [! J) G$ K1 F% D
0 C/ H: P& q9 k) n8 E' I- G4 ~
This method of detection of SoftICE (as well as the following one) is
* c# ~3 \5 y6 N8 ]: m8 n( Jused by the majority of packers/encryptors found on Internet.- s2 h/ \. H% R! v3 G0 H& s8 d
It seeks the signature of BoundsChecker in SoftICE
$ _0 ^5 W' v; @
" E4 E: c6 N) n6 U5 } i mov ebp, 04243484Bh ; 'BCHK'
) \% R/ m, ~; G- H! R, b/ l7 W1 p mov ax, 04h3 `% v$ u! M, f9 z h# S) g; Q
int 3 ; s+ B2 ]- o8 i3 G7 }& A
cmp al,4( c$ Z a# U. x% R
jnz SoftICE_Detected
: j7 a; z3 G5 O7 D' C1 H0 j7 H) n* m6 |# z" r9 E2 s/ ~
___________________________________________________________________________
0 q$ l! e# J) i4 [' X, m
) i! L0 f1 M4 v" JMethod 02, T8 r$ a3 \1 n K$ I
=========
6 `* M1 h6 I( Q8 ?$ O4 f
! Z7 A. L, C0 w9 D5 g) L2 j1 r& FStill a method very much used (perhaps the most frequent one). It is used
7 s$ Y1 v+ n* F) lto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- t/ r g' X# P2 I9 U$ {or execute SoftICE commands...
! Z9 [" z+ B) C3 n1 {+ HIt is also used to crash SoftICE and to force it to execute any commands3 {3 `6 m/ {. m9 b
(HBOOT...) :-((
' D3 y) b ]: Z5 e: `9 P$ A5 J; v! R# |9 d8 c
Here is a quick description:+ }9 J6 X8 j: |' p7 j2 y
-AX = 0910h (Display string in SIce windows)8 I: R0 O) a% e# W- K" _/ a
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)( [! x3 z9 F% [
-AX = 0912h (Get breakpoint infos)) T+ j) `% V2 A1 F0 O) P9 |5 f
-AX = 0913h (Set Sice breakpoints)* t8 w3 Y: I5 V8 C
-AX = 0914h (Remove SIce breakoints)" A3 b. [( |! W& o9 z
4 R2 `6 t* B# B3 \" o
Each time you'll meet this trick, you'll see:2 P V! }% _* X2 T
-SI = 4647h T) h$ c# E8 P B0 a$ w
-DI = 4A4Dh6 e" z# D0 `4 W) n2 \: o, b& c
Which are the 'magic values' used by SoftIce.9 F. A: n; v. w
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' i( B/ ]: L) V1 G# A" p& N, q. c
3 ]" p/ a9 C0 jHere is one example from the file "Haspinst.exe" which is the dongle HASP
- i" S* k; Y. ]. W" wEnvelope utility use to protect DOS applications:
# b1 r) F8 T8 I* a' B; X$ N H
5 e \1 O8 ?7 |5 n/ m# x3 F: x! Y5 R$ I K
4C19:0095 MOV AX,0911 ; execute command.
3 |# J* w2 U8 B) I4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).( m; O: H6 h3 Y$ _8 c9 k& r
4C19:009A MOV SI,4647 ; 1st magic value.9 k8 v" A X- r6 v) e
4C19:009D MOV DI,4A4D ; 2nd magic value.0 E* E$ x" z7 n4 a( d
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)9 V X* f$ k, c q. w- F6 f
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
- v' U4 ]. ]8 g4 C' ~3 e4C19:00A4 INC CX
$ N- n5 x+ o/ Y6 k) |- D" y4C19:00A5 CMP CX,06 ; Repeat 6 times to execute2 y: {7 f; Z$ {* @9 X
4C19:00A8 JB 0095 ; 6 different commands.
( b" w* U7 a# ^) }. e* x4C19:00AA JMP 0002 ; Bad_Guy jmp back.
7 ^; W* B% e& i" E" R, F4 R. R4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
) U/ s, }8 q O. S3 F' z5 a
: |! c3 f- Q3 h& e# i" {The program will execute 6 different SIce commands located at ds:dx, which
$ v- V7 e) C6 {! M$ s: t. h7 y1 Iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) E: [# z$ [, J0 a9 }, g; z& M1 m; ^ _7 r+ l7 |8 s$ x2 k
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
4 A; [3 F" O! f% I___________________________________________________________________________0 L- M" y, E6 @2 L2 U9 x
- i6 T& b8 k6 ~
G; g/ {. R0 j2 MMethod 03! Z1 i# A& q& [# } L! k# o
=========* y; L5 o$ V+ C% i
9 [6 v+ F: j: w0 U; z' N: x2 jLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 }9 M( a$ ~: ]. a" O(API Get entry point)% q2 q" F3 m- N. P" ?
4 F) K5 v% [; v6 F y4 {2 y! [: Q0 V4 j- t
xor di,di O! M- O! O8 L) c4 o* b D
mov es,di# D: g+ [7 C' y$ L. }2 W: K
mov ax, 1684h
8 h2 e2 o# k" x8 A9 Z2 g9 h mov bx, 0202h ; VxD ID of winice: o% K; u5 p, ?) T% h. o
int 2Fh
v \. e0 k$ H0 U mov ax, es ; ES:DI -> VxD API entry point
. W8 R% w5 Q: o% Z/ Y X add ax, di$ r M M5 h7 l2 S" X+ p4 w
test ax,ax7 ^8 {5 `1 n f. l
jnz SoftICE_Detected
- O* i/ N/ T! a# ?% [! J. U6 w- U0 a
___________________________________________________________________________
& p2 g2 [8 m! V, a$ Z- k
C) |) Y4 x* P: `0 n4 mMethod 04+ g0 H3 V1 r6 t! I
=========% `9 H8 V& Y% m b
" H. J$ B# @$ i0 M* wMethod identical to the preceding one except that it seeks the ID of SoftICE
: ]. R9 x9 U& i8 hGFX VxD.
' b- Q/ v$ I/ [, _, y- N4 T( h, t5 H8 s4 d; p# R/ |- V: _
xor di,di
& \7 H$ h: z8 m b/ S& \ mov es,di: a( S( r& L) V
mov ax, 1684h
1 {: j) _' V5 i+ Z8 M. _5 F# @ mov bx, 7a5Fh ; VxD ID of SIWVID/ {! Q: d8 J3 R5 N& ~
int 2fh
5 Q' w9 m5 Q) T0 [. A/ V6 z" m mov ax, es ; ES:DI -> VxD API entry point- i8 O; {8 s* O; X- h2 u, ` \
add ax, di8 Q; a" Y; T9 A& H
test ax,ax
/ y: A/ a" g) ]' O* T jnz SoftICE_Detected
* v% p W9 a" ^" U' H) B2 I, V* z6 R) a4 [
__________________________________________________________________________
' V$ P3 F' g. |" R. [# J3 j
( D; f) v2 d7 k& Z2 p( X: }3 g' a
Method 05; b1 f3 o/ c# j( }
=========5 q' y# S# `- e* S+ @1 e
: E0 f" a5 r" M) _% T+ L
Method seeking the 'magic number' 0F386h returned (in ax) by all system
/ J- v" U% h2 f$ }% x4 m% L: `2 vdebugger. It calls the int 41h, function 4Fh.
& n) U8 I9 t2 D3 r: BThere are several alternatives.
- D5 ]$ d8 Q4 a2 I7 e$ i h5 }
% L) z# U0 U: [7 X4 tThe following one is the simplest:7 u% L2 Q1 C% }* z, F- k9 q7 N
6 a, y! q+ o6 ~- z* K mov ax,4fh
. u' T. ?* s/ B N, t. l int 41h; Z6 {! y4 ? C2 ^; _7 a
cmp ax, 0F3861 ?3 i8 v/ h; n4 ?
jz SoftICE_detected
$ W8 i1 H" H9 E7 d# a
: ?% F- v) v& ?1 Y5 r
% x- x/ c: r M1 \/ _Next method as well as the following one are 2 examples from Stone's 4 F- m( V/ ~' G1 N
"stn-wid.zip" (www.cracking.net):& _( ^5 F C2 j0 J
3 [( n7 D4 q5 Z; p1 e5 b
mov bx, cs0 f$ ~% m: G1 a, s0 X4 r8 M
lea dx, int41handler2- p( v8 Z% L# a2 E& ^2 o: [ Z; Z
xchg dx, es:[41h*4]+ M/ ?* a5 Z1 p. s3 Z
xchg bx, es:[41h*4+2]! s* |9 n9 j$ N% E
mov ax,4fh
4 {/ C9 V5 V7 z: n+ ?7 ~6 V int 41h3 i: |% K" U1 z1 g ~
xchg dx, es:[41h*4], w; P9 K8 y& L. |2 [2 ^
xchg bx, es:[41h*4+2]
/ h- F! ]$ w8 N2 K4 B5 w- ^ ~) V cmp ax, 0f386h
. r. I: U2 [6 O: t/ O% h6 c7 M jz SoftICE_detected
+ T6 J( d9 Z6 q% N' A
% i2 V. n! r6 zint41handler2 PROC
" i4 P& O. I; H6 G iret
, H9 f {- J) K9 [) Qint41handler2 ENDP
- ?4 b1 K5 ^6 e0 e" Q
2 G. [' ]) t9 F: b: Z, k# c( L5 L5 g5 r% T5 l
_________________________________________________________________________( ?( f& w" l2 M: d' r
) ~0 y: ^% c. Y% w$ A
( I- c* X) \1 I8 o, _- k* ]9 G
Method 06
n9 x9 @8 V6 w! H/ i=========) x- R% W7 }% Q; @% j4 h6 D
* t7 j* E+ w) h9 _: J+ u+ w/ X7 j: Q) z+ ?6 r( M: K
2nd method similar to the preceding one but more difficult to detect:1 C# y& K- q! f- v& j
! i0 x" U4 F/ y/ P7 B) m5 S
- {: `+ r: G, }: [* |+ b) x
int41handler PROC5 G: }) t& n$ k( S+ r
mov cl,al2 I( C& w' s; c, x$ Y9 ~
iret
& Z( ^; J) e7 G- ]/ Rint41handler ENDP
5 ]3 `5 @. z0 T( K4 Z7 {+ v9 j) f. U( r$ M* Z5 p- j
3 ?2 }% r& z6 C$ g- q8 ^2 R xor ax,ax
9 E# r/ ~9 x* z1 J mov es,ax. z4 p+ s+ j2 \, U
mov bx, cs
$ E, @* K! k8 {4 f, C5 W lea dx, int41handler; a: ~ Q( C2 I4 d- ~7 T" d% \
xchg dx, es:[41h*4]9 z" v' T' I" s, U4 Z, e
xchg bx, es:[41h*4+2]: ]* T2 w9 X& y$ J
in al, 40h
2 @* E# c( f9 F( f6 I, G xor cx,cx: X' N) z" h7 b& D$ C& L
int 41h
8 t. ^( F+ W( p; M# r4 h) B xchg dx, es:[41h*4]
; ^) d+ b4 m7 p- f; q5 Y4 @5 G4 i xchg bx, es:[41h*4+2]6 m" W3 Q+ {: V- w
cmp cl,al) j9 F; q: j7 ` w4 P
jnz SoftICE_detected2 `& u4 Y. d& n- b. F
- f# l* d7 b% ?3 f& Q_________________________________________________________________________# n& z% U, {; I) H7 T+ G! P9 \
% [; B! }; M5 Y. j$ z
Method 07
8 A l. F. T, A=========; h' A. `' O7 C8 k
0 J2 B. B% h# @: x/ W; YMethod of detection of the WinICE handler in the int68h (V86)
4 J# A' i4 w) r' r+ B" Y
l& b! M6 E' X mov ah,43h' d+ a$ ]' [ S
int 68h: t5 K8 L! x7 W5 B
cmp ax,0F386h
( L% j% F6 x8 W jz SoftICE_Detected6 Y7 Z, O4 k3 E6 F$ y a) W E
+ l& x9 {& C( F& c2 m
! R4 ]+ j! t7 A! [/ s, y=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ C4 j- l$ a+ Q. m) p
app like this:
) ^& F, d5 i- Q e
0 v3 g, l. o+ m9 w; j BPX exec_int if ax==682 t+ D( l0 K8 q( C( m" ~4 w+ n4 [
(function called is located at byte ptr [ebp+1Dh] and client eip is3 e* R4 ?4 [3 b- E6 {4 h
located at [ebp+48h] for 32Bit apps)/ U/ ]: h3 Q# O2 y
__________________________________________________________________________
0 G* W# I1 q( t8 @( h) @6 V. n2 p6 W0 F- j. f
$ ~3 G( _- K" C% ]' i9 S$ m
Method 08
j0 D0 k) J$ Z* o5 |& E=========
( W9 x6 R3 q. Y6 H# I& v P; O8 l% d
It is not a method of detection of SoftICE but a possibility to crash the& _0 u& Y1 p, S1 a- x1 Y8 |' w
system by intercepting int 01h and int 03h and redirecting them to another
) ? j1 w( a3 ~4 xroutine.
/ ]1 ]6 W+ Q6 e$ J0 FIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 o6 w" K3 b2 j$ u) n1 ]) K% P
to the new routine to execute (hangs computer...)! n6 D/ l7 O( S; c
( W4 r7 w8 ]* p5 G8 V1 E3 c2 O
mov ah, 25h4 y* b! ^+ k; a) V
mov al, Int_Number (01h or 03h)8 F" W* l4 @4 c8 C! a# s1 ~2 J8 c
mov dx, offset New_Int_Routine
. h( R: I6 s4 G int 21h
% T& A, K7 q) F6 N# _, h" \0 i( G$ ^' V
% [' g. b# \! t9 C__________________________________________________________________________) L4 X! e* w6 H; A
7 W% k/ E# m4 ~9 G# l- F3 }% X% D2 X. n
Method 09$ c8 g+ T7 E5 s x
=========
$ E( S$ Y) [. M3 @' o& _
; _1 N& y& Y' m$ z# x& {This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only/ H+ Q: M! q8 U5 U, r! `/ O6 i8 ^
performed in ring0 (VxD or a ring3 app using the VxdCall).) L8 m# U0 _: a! h, k3 j
The Get_DDB service is used to determine whether or not a VxD is installed d: [' }/ r6 o$ x5 |# ], k
for the specified device and returns a Device Description Block (in ecx) for/ H, |8 {; `! t" u7 \
that device if it is installed.; H7 P& _. p+ i- Q. I
Y, _* m# W+ x' u9 C
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ G. V% O1 W/ k; r* z& f
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)" A7 i( O+ M3 ]2 ~
VMMCall Get_DDB
2 i$ e9 u" {; z) ~& r mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed+ Y% E7 r4 `) C0 O* e
1 o, U& d6 b. }3 n1 n) Z
Note as well that you can easily detect this method with SoftICE:: ^0 g* ]. o4 a4 F" H1 }) \7 Y# D
bpx Get_DDB if ax==0202 || ax==7a5fh* R# v, @' u+ X# G0 ?2 {
6 w6 x6 \2 F5 g( A( n6 I__________________________________________________________________________/ t! U& y; c0 M2 Y0 C4 v+ m
2 b! K# @6 I5 N! c! o
Method 10
" M6 a1 ]+ A4 d: ~=========
* r6 u0 o7 u7 r0 `
' b: b0 o1 C" T% }0 x6 o=>Disable or clear breakpoints before using this feature. DO NOT trace with* |% l5 x9 C0 K; n2 x
SoftICE while the option is enable!!
: A4 ]! v Y) O1 L7 A; I C$ M; v- _7 W% k( [! y& @6 W1 J* n+ ~' ~
This trick is very efficient:
0 J( \8 ]* F8 b cby checking the Debug Registers, you can detect if SoftICE is loaded( t2 T4 ^. _9 k7 T6 N
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if9 N2 h7 r, M9 t
there are some memory breakpoints set (dr0 to dr3) simply by reading their* k$ i. S% }" M( l" G O
value (in ring0 only). Values can be manipulated and or changed as well/ s0 S- W' [. g
(clearing BPMs for instance)% ^6 @" y# P* P d5 g8 r
; _3 `, D) \) H5 f; E" u# }1 p
__________________________________________________________________________% ?( w/ P; j& p5 |1 I' J
9 k* e0 L0 W/ s6 x# y: f. g
Method 11# x! M: f% W% r# E
=========& q1 [/ G* r' Y6 b7 z9 d2 B* I
* c6 }5 U* T9 u0 Z- {
This method is most known as 'MeltICE' because it has been freely distributed! V$ W4 |8 `, z* y; k2 K
via www.winfiles.com. However it was first used by NuMega people to allow
* b+ D( t% s# ?4 t! l% B6 ?Symbol Loader to check if SoftICE was active or not (the code is located2 o' _- O! f& S* \ Q# F5 w
inside nmtrans.dll).7 J7 ?# |( s" {9 K1 g! U
9 E! [' M' s; t0 K6 ~The way it works is very simple: Z* Z) F2 B% S7 ~/ i) U. O
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
8 `. ?8 c9 g- M3 ^+ V4 cWinNT) with the CreateFileA API./ S+ \" l; }* e% y' i( C$ ?# Y1 I
- M4 ^) d+ b8 Q: K7 o
Here is a sample (checking for 'SICE'):( H/ g4 ]0 \5 L5 G4 \+ v! G
b) I# Q1 I* D
BOOL IsSoftIce95Loaded()
f1 ?! e( A' o" v# a, y8 e2 w- f{2 G. U, P3 M! ?
HANDLE hFile; 0 o5 w. E, U0 x( X% }$ L: n
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ ^3 s. v5 b" X% n- C
FILE_SHARE_READ | FILE_SHARE_WRITE,) Z5 F: g- g# @% O" W* D
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);. V! z0 ^/ q/ h. q
if( hFile != INVALID_HANDLE_VALUE )
- D/ o- Y% k2 A! } {9 \, N \! e( _" H: [
CloseHandle(hFile);, { I0 \' G! c5 l6 o
return TRUE;5 r7 {3 `$ [8 k
}
% I' {" K6 s, i6 Y* M return FALSE;
Y/ [; A- E" L4 \ D} r. v2 g! s9 i$ N: R3 b) b
9 A, z7 S6 @3 S5 I3 [Although this trick calls the CreateFileA function, don't even expect to be$ a7 u D0 V! N7 n1 j
able to intercept it by installing a IFS hook: it will not work, no way!. x: @" o- ?" s1 }& H1 J9 R
In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 u- {1 q' ^3 L; |" j! H
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)3 B& s' ~) e4 x7 S3 Y* ~3 p
and then browse the DDB list until it find the VxD and its DDB_Control_Proc4 M7 }7 g% H4 ~& M" ]
field.
9 T8 H, c8 V2 }) B& ~In fact, its purpose is not to load/unload VxDs but only to send a
+ O5 I5 A/ c. R5 f0 \2 F$ \W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)# W# f/ s# y8 T {( v
to the VxD Control_Dispatch proc (how the hell a shareware soft could try7 V, q: s& U6 c2 m- c$ d7 a
to load/unload a non-dynamically loadable driver such as SoftICE ;-).3 C5 I1 A$ T! d- e
If the VxD is loaded, it will always clear eax and the Carry flag to allow
2 I* \- C: I- K- v9 xits handle to be opened and then, will be detected.) B1 I$ Z2 V% V ?- b$ q
You can check that simply by hooking Winice.exe control proc entry point
: H7 u6 }1 r9 p8 O# t, jwhile running MeltICE.
. p; e6 c# ~$ x5 `* I# |& B h) _5 v; U
/ ~- A5 q% m& g( \" o# p 00401067: push 00402025 ; \\.\SICE
( l3 \% T' x: K6 g V 0040106C: call CreateFileA
7 r3 ~) h; d8 ] 00401071: cmp eax,-001
; V8 C- J" O0 A% b 00401074: je 00401091
2 G2 Z) A7 ~! P, j' N& A' E- F+ [: u6 e
" c S) n! Z; g3 S6 Z! H& _" x
There could be hundreds of BPX you could use to detect this trick.
3 Z" }4 C: s: x, H! s0 U/ D8 {" _-The most classical one is:
7 [6 n% _) o: [7 u: X BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
/ I/ d' W/ T+ S9 O' ^' x *(esp->4+4)=='NTIC'
* S; Y9 \2 `6 B o/ G& w
% E0 V- o& i0 q7 Z! ^) i8 ]6 J-The most exotic ones (could be very slooooow :-(6 R0 u; W. ]' U$ r& f
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ; u$ C" ?* b) I* o0 y1 U
;will break 3 times :-(
* [! A5 `; c9 ~$ _" q# N
0 o+ _4 l7 t3 u-or (a bit) faster:
# J, h! n, C. w BPINT 30 if (*edi=='SICE' || *edi=='SIWV')( Q- d0 V; K6 L; j
+ c5 s2 |4 w2 L9 f2 `& b
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
0 k" L# m. X6 p2 ]8 n3 Y ;will break 3 times :-() r: O$ n8 r/ U" F8 e% s6 Z4 W0 F) K
1 G# P/ K8 D9 M+ a- ]( M
-Much faster:
( r1 w J) f: w BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
1 f+ x; k) J- Q/ y
: x6 T, J8 Z$ C0 G& J: z2 @8 `Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
" X* S N& P4 `function to do the same job:
: o9 p2 {+ Q7 i
, w: e* d& Z% U& i$ ^9 z push 00 ; OF_READ* \( o$ u/ g1 U
mov eax,[00656634] ; '\\.\SICE',0
* }. S$ U: a0 K" d6 G push eax# w; {4 U* q8 F: R0 g5 R6 A
call KERNEL32!_lopen: @7 C6 W- D/ \, h% @+ N
inc eax
1 E6 g5 ^1 ?# v' S0 R" z- k. b jnz 00650589 ; detected
+ W3 A2 d1 Y" l" D; M. V" B push 00 ; OF_READ- I. W% k( P2 f7 G) V9 J/ A4 z
mov eax,[00656638] ; '\\.\SICE'' _9 z0 Q, i$ t% V+ U2 i
push eax' P2 R8 @6 T3 G9 R- z
call KERNEL32!_lopen
& i' w& \/ J" @1 p7 L) o inc eax
a) ]; X# ~. _% q Q+ M) { jz 006505ae ; not detected
$ q7 ~0 G9 u2 C+ Y
3 `0 J2 ^' Y; j* A7 e: m7 S7 W
" i4 X& e4 D$ l! E2 Q2 H__________________________________________________________________________0 [" T. V" D! s+ ~
1 w: B0 T' }2 ?7 r
Method 12
0 ]" H; `3 B+ Z B/ I( k( M, D=========
" w$ B) s9 V# m" D3 i' a8 C' y0 r$ b3 y$ n) J3 `5 L
This trick is similar to int41h/4fh Debugger installation check (code 05
( p8 c Y' L) J. `& 06) but very limited because it's only available for Win95/98 (not NT)
# L; _2 m |1 y( W5 kas it uses the VxDCall backdoor. This detection was found in Bleem Demo.( R5 n, d/ ^" z' ~, M
* {9 }( T% z" J( \ push 0000004fh ; function 4fh5 d8 H; \& ?1 T
push 002a002ah ; high word specifies which VxD (VWIN32)
5 T, p( [% c2 y- s" m( l5 C9 N ; low word specifies which service
: f/ e9 m* x2 Z9 K/ y: b (VWIN32_Int41Dispatch)
& k/ w k2 @# O) H1 _ call Kernel32!ORD_001 ; VxdCall
) X: \" y: L. Y( z7 |0 e% Q' } cmp ax, 0f386h ; magic number returned by system debuggers5 ~0 F7 \) \, G- C6 Y2 [
jz SoftICE_detected
" Y9 T7 L# `+ B" n* j, w
+ E$ i% I3 |4 E6 c& H$ W7 ZHere again, several ways to detect it:3 @* }! h5 W7 @, l
- s* ]; V: Q- Y1 v+ q BPINT 41 if ax==4f
* X/ L( R, e' B, A- g* U t7 B
T5 |( T0 _ ^% f. L/ L7 C% k1 I BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one6 E- @9 E; D4 R+ T( C) M8 }( }
" k6 `! S9 L: \- ?$ y7 f
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
8 h: N7 I" t. Z& T4 a$ N3 t- h3 W( F
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
4 G& D/ _, S( Z( a' K
' i. y8 m5 V% j4 s__________________________________________________________________________2 j) [7 Z$ X0 ?! m2 k
) L' c, e/ [, v2 A6 |6 q
Method 13
4 G& A' E( [1 w, I+ q% W! j9 ^3 p=========
F: S y& e- r- J/ Q6 L9 q0 M3 _+ h
Not a real method of detection, but a good way to know if SoftICE is$ m+ O* c4 @5 B
installed on a computer and to locate its installation directory.
! g( z X n2 J* z5 L; FIt is used by few softs which access the following registry keys (usually #2) :
/ ^& b* Z# T& Q1 d+ z8 K. @6 d4 y3 C; U$ s7 E
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 M6 U9 S h7 A6 ?' R
\Uninstall\SoftICE# m: d: F- M# D6 }2 k
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* L* ^" e" [" Z9 |8 J-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 `7 h. @4 m. S s# P0 b. V
\App Paths\Loader32.Exe% }2 L) w5 V+ Q
8 {9 x; n7 n; d
$ F ~* |5 r; m8 i6 {) wNote that some nasty apps could then erase all files from SoftICE directory+ d: y- v8 I: [0 k( i5 N
(I faced that once :-(
$ F3 E; j2 M7 l7 H$ k( Z* c8 z4 \ p
7 Y1 ^+ x8 M9 [, V$ a" G5 {; hUseful breakpoint to detect it:
4 }* K, u% e5 \) T& Y7 _
1 o7 H0 h+ x' n2 m7 J1 ^# ^2 c! N7 O BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'% X( c. g5 N: F$ F3 o7 M
6 V7 A" D$ w8 P1 c__________________________________________________________________________% G1 I& J P6 w [0 z/ {
6 X& z3 k5 R% G) @! n, ]9 a) f
; u% W. J3 U1 B9 }. Q' u1 ZMethod 14
/ e# k3 @) `; m. m=========3 b: p/ |- F; O7 A+ i2 m
. P0 D9 S: \- b7 F% S' g. |A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose- U j4 ?! c$ m. I
is to determines whether a debugger is running on your system (ring0 only).
9 B4 j0 z4 C. I- C2 G: e j' I# U, A$ i) a+ \6 G4 ^
VMMCall Test_Debug_Installed
6 t' P+ ?2 S( { [ je not_installed* z. g6 ~: Y& o' t8 u1 }
' e" O1 u7 p& R6 r: O6 @This service just checks a flag.) R" L* J T# l4 d) w0 y1 H
</PRE></TD></TR></TBODY></TABLE> |