<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface in SoftICE: with ebp='BCHK' and
ax=4, an int 3 is answered by SoftICE and al no longer equals 4, whereas
without SoftICE the int 3 simply reaches the program's own exception
handler and al keeps its value.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see the "Ralf Brown Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  if the debugger is not loaded: without SoftICE, the INT 3 reaches that
  handler instead of the back door.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD by its VxD ID via
int 2Fh/1684h (Get VxD API entry point): ES:DI comes back as 0000:0000
when no loaded VxD with that ID provides an API entry point.

    xor di,di
    mov es,di               ; ES:DI = 0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of WinICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (still 0 if the VxD is not there)
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE video (GFX) VxD, SIWVID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________



Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler, so that anything hooking int 41h through the interrupt
vector table is bypassed: only a system debugger which traps the interrupt
below the vector table can still answer 0F386h.

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector...
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the old one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                    ; does nothing: AX stays 4fh if we get here
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
neither function 4Fh nor the value 0F386h appears. The program installs its
own int 41h handler (which copies AL into CL), loads AL with a varying
value read from the timer port, clears CX and executes int 41h. Without a
system debugger the interrupt reaches the installed handler and CL equals
AL afterwards; if the interrupt is swallowed below the vector table, CL
stays 0 and the mismatch reveals the debugger. (If the timer byte happens
to be 0 the check misses, a small flaw in the trick.)

int41handler PROC
    mov cl,al               ; proof that the interrupt reached us
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; PIT counter: a 'random' byte in AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): like int 41h,
int 68h/AH=43h is a debugger installation check that returns 0F386h in ax
when a debugger is present.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
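The instruction sequences of Methods 01 to 07 are fixed enough to be found statically. The scanner below is an added example, not code from the original page: it turns each sequence into a byte pattern (using the Intel opcode encodings, with wildcards where an operand or an extra instruction varies) and reports which method a code buffer contains. The sample buffer is constructed by hand from those encodings; all names are this example's own.

```python
"""
Static scanner for the INT-based SoftICE checks of Methods 01 to 07.

Each rule is a regex over raw bytes built from the instruction encodings
of the sequences quoted above (B8+r iw = MOV r16,imm16; BD id = MOV EBP,imm32
in 32-bit code; CC = INT 3; CD ib = INT ib; 3D iw = CMP AX,imm16;
3C ib = CMP AL,imm8; E4 ib = IN AL,ib). Wildcards cover the few bytes that
vary between implementations (an extra instruction, a vector restore).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes


RULES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 (32-bit code)
    Rule("M01", rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"),
    # Method 02: mov ax,091xh ... mov si,4647h / mov di,4A4Dh / int 3 (16-bit code)
    Rule("M02", rb"\xB8[\x10-\x14]\x09.{0,8}?\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh
    Rule("M03", rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    Rule("M04", rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h / (optional vector restore) / cmp ax,0F386h
    Rule("M05", rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3"),
    # Method 06: in al,40h / xor cx,cx / int 41h (no magic numbers at all)
    Rule("M06", rb"\xE4\x40(?:\x33\xC9|\x31\xC9)\xCD\x41"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    Rule("M07", rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
]

DESCRIPTIONS = {
    "M01": "BoundsChecker 'BCHK' int 3 interface",
    "M02": "SoftICE back door (SI='FG', DI='JM')",
    "M03": "int 2Fh/1684h, VxD ID 0202h (SICE)",
    "M04": "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
    "M05": "int 41h/4Fh debugger installation check",
    "M06": "int 41h reach test with a private handler",
    "M07": "int 68h/43h debugger installation check",
}


def scan(buf: bytes):
    """Return sorted (offset, method) pairs for every rule that matches buf."""
    hits = []
    for rule in RULES:
        # DOTALL so the wildcard also matches 0x0A, which is just a byte here.
        for m in re.finditer(rule.pattern, buf, re.DOTALL):
            hits.append((m.start(), rule.name))
    return sorted(hits)


# Constructed sample buffer: NOP padding around the HASP loop body of
# Method 02, Stone's vector-swapping check of Method 05 and the BCHK
# sequence of Method 01, assembled by hand from the encodings above.
HASP_LOOP = bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")
STONE_CHECK = bytes.fromhex(
    "B8 4F 00 CD 41 26 87 16 04 01 26 87 1E 06 01 3D 86 F3")
BCHK_CHECK = bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04")
SAMPLE = b"\x90" * 16 + HASP_LOOP + b"\x90" * 5 + STONE_CHECK + BCHK_CHECK


if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}  {DESCRIPTIONS[method]}")
```

The rules are signatures, so a packer that builds the magic values in registers arithmetically, or runs the check from decrypted code, escapes them; they find the plain forms shown on this page, which is what most of the packers mentioned use.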
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler (ds = its segment)
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only: mov eax,dr7 faults in ring3),
you can detect if SoftICE is loaded (dr7=0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or if some memory breakpoints
(BPM) are set, since their addresses sit in dr0 to dr3 and their enable
bits in dr7. The values can be manipulated or changed as well (clearing
BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device opened: the VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001           ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix.)

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey string; 'tICE' sits at offset 0x13 in key #2 and
at offset 0x37 in key #1.)
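The breakpoints used here and against Method 11 all have the same shape, a 4-byte tag tested at a fixed offset inside a string argument, and the offsets are easy to get wrong by hand. The helper below is an added example, not code from the original page: given the strings a program passes to CreateFileA or RegOpenKey, it picks the tag, computes its offset and prints the condition in SoftICE syntax, so the 0x13/0x37 values above and the +4 of the MeltICE breakpoint can be checked. The stack slots (esp->4 and esp->8) are the ones the page's own breakpoints use; function names are this example's own.

```python
"""
Builds the conditional breakpoints used above against Method 11 (MeltICE
device names) and Method 13 (registry keys).

In SoftICE syntax 'reg->off' reads the dword at [reg+off] and a 4-character
literal compares against the little-endian dword of those bytes, so a term
of the form *(esp->N+off)=='XXXX' tests four bytes of the string argument
found at stack slot N (esp->4 = CreateFileA's lpFileName, esp->8 =
RegOpenKey's lpSubKey, as in the breakpoints quoted on this page).
"""

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]         # Method 11
REGISTRY_KEYS = [                                                 # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]


def tag_offset(s: str, tag: str) -> int:
    """Byte offset of tag in the ANSI string s, or -1 if absent."""
    return s.encode("ascii").find(tag.encode("ascii"))


def tag_dword(tag: str) -> int:
    """Numeric value SoftICE compares a 4-char literal against (little-endian)."""
    if len(tag) != 4:
        raise ValueError("a character literal compared as a dword is 4 bytes")
    return int.from_bytes(tag.encode("ascii"), "little")


def condition(arg_slot: int, s: str, tag: str) -> str:
    """One *(esp->slot+off)=='tag' term, or '' if the tag is not in the string."""
    tag_dword(tag)                      # validates the literal length
    off = tag_offset(s, tag)
    return f"*(esp->{arg_slot}+0x{off:x})=='{tag}'" if off >= 0 else ""


def bpx(api: str, arg_slot: int, strings, tag_of) -> str:
    terms = [t for t in (condition(arg_slot, s, tag_of(s)) for s in strings) if t]
    return f"BPX {api} if " + " || ".join(terms)


def meltice_bpx() -> str:
    # The 4 characters after the "\\.\" prefix identify each driver.
    return bpx("CreateFileA", 4, DEVICE_NAMES, lambda s: s[4:8])


def registry_bpx() -> str:
    # 'tICE' is the last dword of "SoftICE"; keys without it drop out.
    return bpx("_regopenkey", 8, REGISTRY_KEYS, lambda s: "tICE")


if __name__ == "__main__":
    print(meltice_bpx())
    print(registry_bpx())
    print(f"'SICE' as a dword: {tag_dword('SICE'):#010x}")
```

These terms only catch the ANSI entry points: a program calling CreateFileW or RegOpenKeyExW passes UTF-16 strings, where every offset doubles and the 4-byte window holds two characters, so the wide variants need their own conditions.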

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>