<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov  ebp, 04243484Bh    ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al, 4
        jnz  SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
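A static signature scanner for the two INT 3 based checks (the 'BCHK' probe of Method 01 and the magic-value back door above), added here as an example and not part of the original text: it flags the setup sequence in raw 16-bit code so an analyst or scanner can recognise the trick without running it. The byte samples are constructed from the listings above; the encodings used (B8+reg iw for MOV r16,imm16, 66 BD id for MOV EBP,imm32 in 16-bit code, CC or CD 03 for INT 3) are the standard x86 ones.

```c
/* Static scanner for the two INT 3 based SoftICE checks (Method 01 'BCHK' probe,
 * Method 02 back door with SI=4647h/DI=4A4Dh).  Added example, not from the text. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    size_t   offset;  /* offset of the INT 3 in the buffer */
    uint16_t ax;      /* last AX immediate loaded before it (0 if none) */
    int      kind;    /* 1 = BCHK probe, 2 = back door, 0 = plain INT 3 */
} int3_hit;

/* MOV r16,imm16 is B8+reg iw (little-endian immediate). */
static int mov16(const uint8_t *p, size_t left, uint8_t opc, uint16_t imm)
{
    return left >= 3 && p[0] == opc && p[1] == (imm & 0xFF) && p[2] == (imm >> 8);
}
/* Look back at most 16 bytes before the INT 3 at buf[i] for its setup.  Opcodes are
 * matched at every offset, so an immediate equal to B8/BE/BF can mislead it (triage only). */
int3_hit classify_int3(const uint8_t *buf, size_t i)
{
    static const uint8_t bchk[] = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,'BCHK' */
    int3_hit h = { i, 0, 0 };
    int si = 0, di = 0, ebp = 0;
    for (size_t j = (i > 16 ? i - 16 : 0); j < i; j++) {
        size_t left = i - j;
        if (mov16(buf + j, left, 0xBE, 0x4647)) si = 1;      /* mov si,4647h */
        if (mov16(buf + j, left, 0xBF, 0x4A4D)) di = 1;      /* mov di,4A4Dh */
        if (left >= sizeof bchk && !memcmp(buf + j, bchk, sizeof bchk)) ebp = 1;
        if (left >= 3 && buf[j] == 0xB8) h.ax = buf[j + 1] | (buf[j + 2] << 8);
    }
    if (si && di && h.ax >= 0x0910 && h.ax <= 0x0914) h.kind = 2;
    else if (ebp && h.ax == 0x0004) h.kind = 1;
    return h;
}
/* Scan for INT 3 (CC, or CD 03); returns how many look like a SoftICE check,
 * storing up to max of them in out[] (out may be NULL when max is 0). */
size_t scan_int3_tricks(const uint8_t *buf, size_t len, int3_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != 0xCC && !(buf[i] == 0xCD && i + 1 < len && buf[i + 1] == 0x03))
            continue;
        int3_hit h = classify_int3(buf, i);
        if (h.kind) { if (n < max) out[n] = h; n++; }
    }
    return n;
}
/* Constructed samples: the Haspinst.exe loop from the listing above, encoded byte
 * by byte (the offsets match the listing), and a Method 01 style 'BCHK' probe. */
const uint8_t haspinst_loop[] = {
    0xB8, 0x11, 0x09,  0x8B, 0x17,        /* 0095 mov ax,0911 ; 0098 mov dx,[bx] */
    0xBE, 0x47, 0x46,  0xBF, 0x4D, 0x4A,  /* 009A mov si,4647 ; 009D mov di,4A4D */
    0xCC,  0x83, 0xC3, 0x02,  0x41,       /* 00A0 int 3 ; 00A1 add bx,2 ; 00A4 inc cx */
    0x83, 0xF9, 0x06,  0x72, 0xEB         /* 00A5 cmp cx,6 ; 00A8 jb 0095 */
};
const uint8_t bchk_probe[] = {            /* mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4 ; jnz */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,  0xB8, 0x04, 0x00,  0xCC,  0x3C, 0x04,  0x75, 0x00 };
const size_t haspinst_loop_len = sizeof haspinst_loop, bchk_probe_len = sizeof bchk_probe;
```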
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of winice
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7a5Fh          ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov  ax, 4fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must point to the IVT (segment 0)
        xchg bx, es:[41h*4+2]
        mov  ax, 4fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0f386h
        jz   SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov  cl, al             ; if the real handler runs, CL = AL
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax             ; ES = 0 (IVT segment)
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; AL = PIT channel 0 counter (pseudo-random)
        xor  cx, cx
        int  41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al             ; CL != AL: a debugger swallowed the int 41h
        jnz  SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov  ah, 25h
        mov  al, Int_Number     ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov  edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
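To make the two dr7 values above concrete, here is an added decoder (example code, not from the original text) that interprets a DR7 value bit by bit, counts the memory breakpoints it arms, and shows what "clearing BPMs" amounts to. The bit layout is the standard x86 one; the code never touches the register itself, which is ring0 work, so it can be run anywhere with constructed values.

```c
/* Decoder for the DR7 values quoted above (0x700 with the SoftICE loader, 0x400
 * otherwise).  Added example, not from the original text: it only interprets a
 * value passed in; reading or writing DR7 itself is ring0 work (mov eax, dr7). */
#include <stdint.h>

typedef struct {
    int le, ge;    /* bit 8 LE / bit 9 GE: "exact" data breakpoint enables      */
    int armed[4];  /* Ln or Gn set (bits 2n, 2n+1): breakpoint in DRn is active  */
    int rw[4];     /* R/Wn (bits 16+4n): 0=execute, 1=write, 3=read/write        */
    int len[4];    /* LENn (bits 18+4n): 0=1 byte, 1=2 bytes, 3=4 bytes          */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {0};
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    for (int n = 0; n < 4; n++) {
        d.armed[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;
        d.rw[n]    = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]   = (dr7 >> (18 + 4 * n)) & 3;
    }
    return d;
}

/* Number of hardware breakpoints (SoftICE BPMs live in DR0-DR3) currently armed;
 * a non-zero count in a process that set none itself means someone is watching. */
int dr7_bpm_count(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.armed[0] + d.armed[1] + d.armed[2] + d.armed[3];
}

/* The Method 10 heuristic: bit 10 of DR7 is reserved and always reads as 1, so
 * an untouched DR7 is 0x400; 0x700 is that plus LE and GE (bits 8 and 9). */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700) == 0x700;
}

/* What "clearing BPMs" amounts to: drop L0-L3/G0-G3 so no DRn can fire.
 * Returns the value to write back; LE/GE and the reserved bit are preserved. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}
```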

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE 'SICE' device can be opened */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push  00402025        ; \\.\SICE
0040106C:  call  CreateFileA
00401071:  cmp   eax,-001
00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push  00                  ; OF_READ
        mov   eax,[00656634]      ; '\\.\SICE',0
        push  eax
        call  KERNEL32!_lopen
        inc   eax                 ; HFILE_ERROR (-1) becomes 0
        jnz   00650589            ; detected
        push  00                  ; OF_READ
        mov   eax,[00656638]      ; '\\.\SICE'
        push  eax
        call  KERNEL32!_lopen
        inc   eax
        jz    006505ae            ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push  0000004fh          ; function 4fh
        push  002a002ah          ; high word specifies which VxD (VWIN32)
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call  Kernel32!ORD_001   ; VxdCall
        cmp   ax, 0f386h         ; magic number returned by system debuggers
        jz    SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>