<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax ; es = 0 -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The installed handler copies AL into CL, so CL differs from AL only if
something other than this handler serviced int 41h:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* try to open the SoftICE driver through its device name */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;   /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips
 the "\\.\" prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32)
                   ; low word specifies which service
                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
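The tricks in methods 01 to 13 all leave recognisable byte patterns in the protected binary: the immediate constants of the listed instructions (encoded little-endian by the assembler) and, for the MeltICE and registry variants, the driver device names and key paths. The scanner below is an added example, not code from the original text nor from any of the tools it names; it is the kind of static triage an analyst runs over a packer or protector sample to find out which of these checks it carries before stepping into it. The opcode encodings are hand-assembled from the instruction sequences given above (a 66h operand-size prefix is accepted so the 16-bit immediates are found in both DOS and Win32 code), the method numbers are the text's own, and the sample buffer at the end is constructed for the demonstration rather than taken from any real file.

```python
"""Static triage scanner for the SoftICE-detection tricks listed above.

Added example (not part of the original text or of any tool it names).
It searches a raw binary for the byte-level artifacts each method leaves
behind: little-endian opcode encodings of the magic constants (BCHK,
4647h/4A4Dh, 1684h with 0202h/7A5Fh, 0F386h, 002A002Ah, debug-register
moves) and the driver/registry strings used by MeltICE-style checks.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str     # method number(s) as used in the text above
    name: str
    pattern: bytes  # regular expression over raw bytes


def either_order(a: bytes, b: bytes, gap: int) -> bytes:
    """`a` then `b` (or `b` then `a`) with at most `gap` bytes in between."""
    window = b".{0,%d}?" % gap
    return a + window + b + b"|" + b + window + a


def string_patterns(strings) -> bytes:
    """Literal matches for each string in both ANSI and UTF-16LE form."""
    forms = []
    for s in strings:
        forms.append(re.escape(s))
        forms.append(re.escape(s.decode("ascii").encode("utf-16-le")))
    return b"|".join(forms)


# Optional 66h operand-size prefix: 16-bit immediates appear with it in
# 32-bit (Win32) code and without it in 16-bit (DOS) code.
P = rb"\x66?"

SIGNATURES = [
    Signature("01", "mov ebp,'BCHK' followed by int 3",
              P + rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    Signature("02", "int 3 back door magic SI=4647h / DI=4A4Dh",
              either_order(P + rb"\xBE\x47\x46", P + rb"\xBF\x4D\x4A", 16)),
    Signature("03", "int 2F/1684h with SICE VxD id 0202h",
              either_order(P + rb"\xB8\x84\x16", P + rb"\xBB\x02\x02", 6)),
    Signature("04", "int 2F/1684h with SIWVID VxD id 7A5Fh",
              either_order(P + rb"\xB8\x84\x16", P + rb"\xBB\x5F\x7A", 6)),
    Signature("05", "mov ax,4Fh ; int 41h",
              P + rb"\xB8\x4F\x00\xCD\x41"),
    Signature("05/07/12", "cmp ax,0F386h (system debugger magic)",
              P + rb"\x3D\x86\xF3"),
    Signature("07", "mov ah,43h ; int 68h",
              rb"\xB4\x43\xCD\x68"),
    Signature("08", "int 21h/25h setting the int 01h or int 03h vector",
              rb"\xB8[\x01\x03]\x25|\xB4\x25\xB0[\x01\x03]"),
    Signature("10", "mov to/from a debug register (ring0 only)",
              rb"\x0F[\x21\x23][\xC0-\xFF]"),
    Signature("12", "push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)",
              rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    Signature("11", "SoftICE driver device name",
              string_patterns([b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"])),
    Signature("13", "SoftICE registry key",
              string_patterns([b"Software\\NuMega\\SoftICE",
                               b"Uninstall\\SoftICE",
                               b"App Paths\\Loader32.Exe"])),
]

COMPILED = [(sig, re.compile(sig.pattern, re.DOTALL)) for sig in SIGNATURES]


def scan(blob: bytes):
    """Return (offset, method, name) for every signature hit, sorted by offset."""
    hits = []
    for sig, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), sig.method, sig.name))
    return sorted(hits)


def summary(blob: bytes) -> dict:
    """Number of hits per method number."""
    counts = {}
    for _, method, _ in scan(blob):
        counts[method] = counts.get(method, 0) + 1
    return counts


# Constructed sample: the instruction sequences from the text, hand-assembled,
# plus the strings a MeltICE-style check would carry. Not a real binary.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")  # method 01 (32-bit code)
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")      # method 02 (16-bit code)
    + bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")      # method 03 (16-bit code)
    + bytes.fromhex("B84F00 CD41 3D86F3 7400")           # method 05 (16-bit code)
    + bytes.fromhex("B443 CD68 3D86F3")                  # method 07 (16-bit code)
    + bytes.fromhex("B425 B001 BA3412 CD21")             # method 08 (16-bit code)
    + bytes.fromhex("0F21F8")                            # method 10: mov eax,dr7
    + bytes.fromhex("6A4F 682A002A00")                   # method 12 (32-bit code)
    + b"\\\\.\\SICE\x00" + "\\\\.\\NTICE".encode("utf-16-le")  # method 11
    + b"Software\\NuMega\\SoftICE\x00"                   # method 13
)

if __name__ == "__main__":
    for offset, method, name in scan(SAMPLE):
        print(f"0x{offset:06x}  method {method:<8} {name}")
```

Run it as a script to list the hits in the constructed sample, or call `scan()` on the contents of a real file. The patterns are deliberately loose (any order of the two magic moves, a small gap allowed before the `int 3`) because protectors reorder and pad these sequences; the price is an occasional false hit in data, so treat a report as a pointer to an offset worth disassembling, not as proof. Ring0-only services such as Get_DDB (method 09) and Test_Debug_Installed (method 14) are called through the VMM service-number mechanism rather than fixed immediates, so no byte signature is given for them here.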