<TABLE width=500>9 T: y# o6 O/ U. }2 t
<TBODY>
. ^: s# N9 a4 i* J: _' o% X<TR> H! o2 j- U5 U3 e _3 p
<TD><PRE>Method 01 d7 G) ?# S5 {- C e0 v4 S- Z
=========6 Q# [; M; A7 _0 D: j9 ^0 f
. ^* g, T. K4 H) T# c9 lThis method of detection of SoftICE (as well as the following one) is- m0 X0 x4 `2 o- S1 R; x* G
used by the majority of packers/encryptors found on Internet.
# q- F( `& S5 |( t% ZIt seeks the signature of BoundsChecker in SoftICE( ~3 ^5 n ]# a' i5 \
4 ~ M, E0 q( n3 t# t
mov ebp, 04243484Bh ; 'BCHK'
5 j/ y. K( B% F! k mov ax, 04h2 C* J1 K1 k; C5 o7 f
int 3
- x6 k7 `8 v' Z# Y0 y/ j cmp al,4
0 M* T; x1 H j( g9 G( p jnz SoftICE_Detected
8 ^6 B6 Y# H: D$ X1 T. _6 `
) v. L- i1 {5 T, Y( d2 T. H___________________________________________________________________________
" U0 J. C2 B* P+ _1 k5 _
& V4 p" {* Y5 l- G. e/ g2 `Method 02% c- v3 z: \2 o0 w8 V+ {
=========
3 g( t7 ~; o& h4 r7 |" M1 I' W' Z) I" a4 y7 e9 K% O7 O7 g
Still a method very much used (perhaps the most frequent one). It is used; {7 M" I3 l/ W% U# L
to get SoftICE 'Back Door commands' which gives infos on Breakpoints, Q: t& b# z5 a. i
or execute SoftICE commands...7 z" |5 Q2 S" `' w }1 @
It is also used to crash SoftICE and to force it to execute any commands
% [6 t _. N& }# P2 t( Q) x(HBOOT...) :-(( M$ W, E. ^5 G' t
! ]5 W$ k, L' S
Here is a quick description:
6 g8 e z4 }2 K9 f-AX = 0910h (Display string in SIce windows)" w! C) u6 S* \* l2 \, Y
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)" N5 E) k! H, H! H# ?' s) [5 y) ]
-AX = 0912h (Get breakpoint infos)
" M" V0 B; z9 F6 @, Y4 C9 n+ z-AX = 0913h (Set Sice breakpoints)' k$ b& c2 \6 ?6 B( E
-AX = 0914h (Remove SIce breakoints)
; ~# |0 f/ y1 i. s" Y- S" X, w9 g- }! p: ]3 t' K+ c
Each time you'll meet this trick, you'll see:
% L ]: w. X0 j' t9 J-SI = 4647h( Q9 z) v1 L8 U. m- d2 B
-DI = 4A4Dh
4 Z8 N% ~! O+ [ xWhich are the 'magic values' used by SoftIce.4 [* [9 Q& r& m' T; |
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% I5 f, I- A1 v! P% r9 U2 [8 j/ D, n
! G/ y2 D) o, O4 G3 }! [; O5 THere is one example from the file "Haspinst.exe" which is the dongle HASP* g6 J8 J& ~% w2 G
Envelope utility use to protect DOS applications:
0 K; H) w8 ^, \. k3 G) ?7 {) b$ g) c6 E8 A Z X- I
; B& M" q; L v( s4C19:0095 MOV AX,0911 ; execute command.
" x4 Q1 x) H9 K4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
3 o: i, R+ P/ U; Y u4C19:009A MOV SI,4647 ; 1st magic value.0 n7 r. \% q. S* X2 G. c+ d4 }
4C19:009D MOV DI,4A4D ; 2nd magic value.
, j' d: u" O0 z8 K& v4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)2 w% |% J5 \+ S
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4 K: b+ v3 [! G# n+ ^( Q4C19:00A4 INC CX
. b3 R0 k8 M0 x6 ?; ~' N- z4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
9 V5 A( L7 C( h" S; Q0 n4 c2 \+ S4C19:00A8 JB 0095 ; 6 different commands.; ?: Z+ \9 ]) G% p; t1 a
4C19:00AA JMP 0002 ; Bad_Guy jmp back.5 a8 S% E9 B% e/ u% d; R
4C19:00AD MOV BX,SP ; Good_Guy go ahead :), n$ @) r7 g0 S- K
+ H; u: f' u2 E- f$ hThe program will execute 6 different SIce commands located at ds:dx, which
- a4 _5 R- Y% ]9 j4 Care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 S" m7 n+ J4 b ]
) l) }! r6 ?0 T
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
# C" l" A# Z1 @8 B# A7 n___________________________________________________________________________
% J8 j; \9 J2 P" F" m2 _+ @: |1 l
9 ]$ Q8 l! i; Y0 B7 ~' |% Z% T6 L3 I' }8 C- R- i9 n" ^+ d( Z9 z
Method 03 t: J* `- \3 v ?& s7 D
=========
( q6 y7 D# T* g) D( D; m, E& G& b8 \# {& d& Y+ L2 ~# g
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h; o9 {& \! W) F: M7 R2 j* v& M( Q
(API Get entry point)( E, ]- u2 S' [. p1 V. q w
" \7 J9 \9 [7 f1 r0 R2 S1 \1 J) n8 A; \. F' o1 X, B3 z
xor di,di! ]" z, o ~* @+ G9 c- v2 Z
mov es,di
5 K/ m1 R2 Z: @4 o: l% t mov ax, 1684h
8 ~ l- t$ \, f# y7 o4 i mov bx, 0202h ; VxD ID of winice
* e5 H3 i( U8 Q! j) p int 2Fh4 F( f' ]: O- j) j; U6 p9 j
mov ax, es ; ES:DI -> VxD API entry point; c; _* ]" K0 A2 Z$ f* s4 j
add ax, di
7 c9 s4 i8 ?3 _7 [ test ax,ax
( \) l/ w- D" l( m jnz SoftICE_Detected
& P4 X0 W4 j' s& L$ B! [& ]. Q0 q
___________________________________________________________________________; D% q: g2 p# c! p" c
, C) ]! \& x3 Y+ G7 C5 [$ m0 g7 sMethod 04
9 ~& N9 a& T2 {8 N9 x# n* z=========8 ~& N' w4 B; U; b7 p. {1 i
, J5 W' O3 c$ n: m/ rMethod identical to the preceding one except that it seeks the ID of SoftICE
0 j x) x6 W, J! W) k; X1 a! E( VGFX VxD.
7 P, R( k h% o2 B. ]' j3 u
2 U, [2 T- \: { n% E" `+ B xor di,di* `' T( b; p) x# X% j3 P
mov es,di" l+ b% r% s. V) X9 @ ]
mov ax, 1684h ! k; H* m! F. q
mov bx, 7a5Fh ; VxD ID of SIWVID* J1 y. S) H2 L$ y# {
int 2fh# f9 d4 z! O, G# z3 z
mov ax, es ; ES:DI -> VxD API entry point- j7 @ r* x5 l' W
add ax, di( N- v0 K+ h' g7 M
test ax,ax( {$ Q: r' {, ]2 s: ^. O% Y
jnz SoftICE_Detected
# i. W5 r( j' t0 Q: z6 E C1 C5 ]4 u8 D6 {4 o" w; d% p3 I0 I
__________________________________________________________________________
1 E3 q' e! b3 y# s- i- F7 u
3 U3 P1 T8 H( S& a5 c7 E# _0 S
! O k; K7 q$ Z7 H' UMethod 05' c h6 j1 H9 K) x
=========* X g, Q3 G6 i/ ]$ I
6 X/ e: C; C( @( kMethod seeking the 'magic number' 0F386h returned (in ax) by all system
7 r$ O+ ]+ H! j3 f: Ddebugger. It calls the int 41h, function 4Fh.
' D4 n$ N% x$ ]& dThere are several alternatives. ( M$ Y: U. D; t% N" w8 }
6 ?; R- C" y- A# H4 B% {3 D
The following one is the simplest:9 d1 I: `. {. ^& G7 c/ Q
- ?# p/ Q; @3 I/ z0 k8 y! {% I
mov ax,4fh, ?- c+ D0 P8 r: k
int 41h
) n! _$ x9 G% b0 W; @( K* I* u cmp ax, 0F386+ X- ~' ~! [1 k0 M+ h
jz SoftICE_detected
9 |( m4 d/ _. U; J- m3 u4 P8 X! [' N9 q, A' I. t+ P4 n [
9 R# h& l0 T; G* K5 ~0 }2 VNext method as well as the following one are 2 examples from Stone's 3 y d2 Z# ^7 v) | y) ]7 b
"stn-wid.zip" (www.cracking.net):9 U1 Z" o S V8 G4 i% V F
& h$ N4 i. E% j. g, I* F& ?
mov bx, cs
5 x( }, n( ]8 u+ m+ l3 A* v5 J lea dx, int41handler25 V$ x' z6 v$ {
xchg dx, es:[41h*4]" k! s& n6 p. q! _; Q( m9 p3 Q D7 Q
xchg bx, es:[41h*4+2]6 K$ Z3 f- z& K/ x! X/ S* d$ u4 o
mov ax,4fh1 ]9 V+ C9 O8 I+ S7 f8 p2 h$ O
int 41h
$ y! X; T$ X+ t3 w4 }# c# s xchg dx, es:[41h*4]0 q/ ?; c; l; X+ O
xchg bx, es:[41h*4+2]
' G% g4 B, S: h5 l9 N2 r% X cmp ax, 0f386h
! u0 q6 v3 d6 B jz SoftICE_detected
* j# y9 m0 V, v |, ]" g) c; k6 l( H" t5 k- C0 z
int41handler2 PROC
& C: [0 F; T/ ~& \$ g$ q iret
' u/ R0 u% j4 P7 s* Mint41handler2 ENDP
+ M: v- B4 e4 n+ ` p
4 r8 z. r' K$ P2 H- K
; l0 Z. \0 x# \_________________________________________________________________________
' a2 U, @: v6 R$ s" L- d/ A# K# z, \& d5 h# A. ]
# o' J3 L; P* S: K
Method 06
o6 |; ~% b1 I; j=========4 z; d9 k" j4 C0 S$ q
! q! h' X' g; K( ]8 ?7 |
# t6 |& }2 n2 K2nd method similar to the preceding one but more difficult to detect:3 y. x, o' {! k' A' c
+ v7 P0 J' t, u8 S: I% S/ e2 q% O
6 a( |1 U- W w2 q! D: T
int41handler PROC
$ @( \; f* L# z mov cl,al
% G: w6 Q* `% ?% ^; @8 a) K iret F5 k" F I# D$ r
int41handler ENDP& _6 t: R' [5 D% M' V) ]
x8 T, H% e$ K$ J' n+ x" m
5 A2 K0 C4 Z9 k
xor ax,ax
( Y# m; ~5 a, h3 i( Y, x# w, b mov es,ax# d u- }4 k2 A& w1 [$ [4 ~
mov bx, cs, R0 F* L F" D, y' d3 x
lea dx, int41handler' n7 |! p! U3 ~2 q8 q
xchg dx, es:[41h*4]* S" N0 ~- o; _
xchg bx, es:[41h*4+2]
9 h2 S# s5 L3 Q. u6 `$ H/ O in al, 40h
# _' P5 E! C c" n xor cx,cx
7 U% x5 `3 c5 p$ \9 ]( d7 A/ e int 41h
! S+ Y$ b7 K/ q$ _0 ^; _9 C/ E xchg dx, es:[41h*4]
$ r, w, F; a' ~; F; U- U% ~ xchg bx, es:[41h*4+2]' y: ^* {# q' j0 {: z7 ?( N9 r7 ? g/ J
cmp cl,al
" J! ^, q( f% F8 n- | jnz SoftICE_detected
5 R5 J! y/ w( O! r9 V
/ n: j; y I8 b) K8 X+ B% b_________________________________________________________________________ a2 j4 `2 Y* [) M1 J8 R
: p+ R3 J) ^) p. W9 _7 e$ \. JMethod 073 i% A, M6 a' k; ?& r0 k/ j2 L& W
=========
; a" g! l$ y3 T; q: E* T2 o; `4 [2 E
Method of detection of the WinICE handler in the int68h (V86)
) b$ e7 S7 J3 B9 U, k _8 I4 s% d: M/ r9 v- ]
mov ah,43h
- F8 O& a3 n' G4 `# } int 68h
5 m. a, l6 i% P R5 l$ x% c P cmp ax,0F386h
6 g. v; h+ z3 Y& [& X2 ^ jz SoftICE_Detected
( I m: b' _2 `5 G5 Q
! j5 d+ I1 v3 h% h! N/ ?) D; p2 X
9 V; ]1 y- Z: s=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
4 s5 A& b1 T( I' b* R/ G' H app like this:/ `! K0 e- q t; a/ Z4 W7 [
0 O9 h0 s% F2 O! ?! |3 T, o2 R
BPX exec_int if ax==68
- P6 _ l) S1 g& W& v (function called is located at byte ptr [ebp+1Dh] and client eip is
9 s% S$ ^9 J5 q2 E& d located at [ebp+48h] for 32Bit apps)3 z& G5 y3 S5 v0 W& ~
__________________________________________________________________________
: l; O. s% d B, U4 u# V( t' [: w
# j* c8 J1 l' Y- w. |Method 08
+ u Q6 p7 Z. `, ^=========( ^9 J3 t$ r/ t9 c: T+ B+ K7 F
% b4 ]- M' i# t
It is not a method of detection of SoftICE but a possibility to crash the
4 d9 _. F6 h/ l9 _; H/ Gsystem by intercepting int 01h and int 03h and redirecting them to another
6 |* N# S; K. t( M+ G5 Z# Hroutine.6 j9 u$ ~. p4 k; x! i9 `
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points+ }, u1 _( V# g' R7 I+ h
to the new routine to execute (hangs computer...)
8 p9 n" w/ L' q7 s- g# d# l2 k" }
8 N x( L t- \( Q" t2 T mov ah, 25h6 E" y0 F4 j; F8 K! J( z5 e* L
mov al, Int_Number (01h or 03h)
/ ]& P/ C' O+ z: e mov dx, offset New_Int_Routine j* A7 h! i% N# i' ]
int 21h
- u- W9 h( f" W, K: S7 `# n, z4 s( p. z1 b- A
__________________________________________________________________________( {$ _5 b& C, ~, r7 x
, q/ T: `8 \ K9 z. nMethod 099 c! K, G# V% _* h% V% f0 o a/ d
=========
9 c$ u# l, h, t3 Q! D; U) I/ G7 t" g5 _
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* q" J8 g! j/ Y. A0 [8 }
performed in ring0 (VxD or a ring3 app using the VxdCall).
% f( Y, \/ K0 q' o# ?& J2 l- kThe Get_DDB service is used to determine whether or not a VxD is installed. O/ a- J/ @7 {
for the specified device and returns a Device Description Block (in ecx) for" ~2 v$ H6 Q# b" @6 ^. P" y
that device if it is installed.( A. I) L' N) B+ i- J; ~0 o
" ?. P( a% F# }
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 F7 J) }2 Y7 v1 @5 A4 B+ Z mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 b& ~( _. S1 V VMMCall Get_DDB, W S- W1 u. M/ Y/ E3 z1 O
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
) e$ ]/ k |/ m v5 p& ~
, d4 O/ \' H5 H4 [, d% FNote as well that you can easily detect this method with SoftICE:
% }' M/ O9 o- p/ {( L bpx Get_DDB if ax==0202 || ax==7a5fh- W% o0 T) o( o- W
) I) d4 e, L- O7 K1 R
__________________________________________________________________________' Q2 Y+ Z2 N( c1 K2 @
. f3 ]4 F/ P* vMethod 10
, |. Z1 H( n# F. ~* a- e7 x1 ^( J- A=========
6 u! S, N- c3 E. B# U2 S) p
. A8 L4 M3 @" k/ P K+ H- I5 |=>Disable or clear breakpoints before using this feature. DO NOT trace with
% B7 H" u% T9 z2 c# D SoftICE while the option is enable!!
2 @8 { Z1 |: [/ P
( f f% e# `' h7 `( a# UThis trick is very efficient:
* h4 z8 Q( l; i' y5 r2 u, O3 Kby checking the Debug Registers, you can detect if SoftICE is loaded
! w/ w$ X& h$ S% s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 y* T. G v" T+ athere are some memory breakpoints set (dr0 to dr3) simply by reading their7 X& P+ A3 b5 J
value (in ring0 only). Values can be manipulated and or changed as well
3 y5 X* D2 V' E r0 z(clearing BPMs for instance)5 {) m% P0 M7 Y5 _% {
9 S2 k3 G9 e2 O( F& S
__________________________________________________________________________) N D7 ^( s7 q. F0 P
3 H( p( C Z2 z- @4 A0 i) O% k
Method 11- v$ w9 U* N' O/ I9 `( O
=========. ]3 L7 `6 i- r
]" Z( Q2 ]5 Y) K3 i- f; g
This method is most known as 'MeltICE' because it has been freely distributed
# K' g( K4 W& {' C& t) j0 dvia www.winfiles.com. However it was first used by NuMega people to allow) G: ?8 I9 I: v! X; j
Symbol Loader to check if SoftICE was active or not (the code is located* r( B8 h2 Z; M1 T0 X
inside nmtrans.dll).
% k* p3 N. C4 h2 U& m! F9 ^) J2 C! S. r( L1 D
The way it works is very simple:
6 B$ e4 T* n9 j/ @3 y, z" zIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for) ^9 E% |! f7 m
WinNT) with the CreateFileA API.
9 `( f) L8 l* z' r0 C
$ p. {. N% ]9 u4 L* o3 x7 |9 YHere is a sample (checking for 'SICE'):+ @) B3 G. T' B- ]: A! {
5 Y! T( L0 d# g/ f* V
BOOL IsSoftIce95Loaded()( C& [2 V6 e4 y2 i1 W+ |7 e1 B3 j
{! J. F6 ]/ S: s% J# F
HANDLE hFile;
0 K7 `3 U* A" R hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 ~; t: Q3 ]* H- s- _8 M3 E3 b FILE_SHARE_READ | FILE_SHARE_WRITE,
2 t2 o4 x% s* P: V* ` NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);- E' S ]' [1 Q( O
if( hFile != INVALID_HANDLE_VALUE ) q* J' _3 t) r
{
3 ?& J( V8 W1 H1 n CloseHandle(hFile);9 v' o {( a8 W
return TRUE;
8 P0 i9 G) T2 s1 C+ z" v2 c }
4 |1 d; m3 P& ?) n3 I, r1 E7 E return FALSE;; G- k8 q9 ^$ V0 u$ P
}0 h% {! d( Q- w, w( i. \
, p: Q( s8 L2 |Although this trick calls the CreateFileA function, don't even expect to be
( u _1 X: i8 Q! |' [able to intercept it by installing a IFS hook: it will not work, no way!( D* n: g5 i: E+ a) y! h
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 L2 {/ y7 _; D. X
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- B0 f% U0 V* a* h, E- @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
, ]6 o3 Q; A% S& o5 Ufield.
" R' @1 @6 j$ F( JIn fact, its purpose is not to load/unload VxDs but only to send a
! O9 M8 \ S. G; \- j5 @7 f% GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
- V3 D# o x+ |2 r! }to the VxD Control_Dispatch proc (how the hell a shareware soft could try
6 A/ X6 z8 }/ Mto load/unload a non-dynamically loadable driver such as SoftICE ;-).7 O3 w6 m/ }( N( c }8 i
If the VxD is loaded, it will always clear eax and the Carry flag to allow( n; G# o) ~" h( `# T. N7 f
its handle to be opened and then, will be detected.& `, ]6 D' V/ ~+ N- h" ]7 R3 O+ b; J
You can check that simply by hooking Winice.exe control proc entry point
" h( f: {( N1 u, }# H- j; Gwhile running MeltICE.3 ]4 C: A2 b, i! V
8 M X# R" |/ b- D
( P' ~% F7 j3 O5 n, Z& Y+ e4 G
00401067: push 00402025 ; \\.\SICE
# U% u) d$ H4 N' }" Z 0040106C: call CreateFileA4 [. j$ L" X* p7 O
00401071: cmp eax,-001
# [7 M5 l5 w4 U2 t6 n1 _. a 00401074: je 00401091, n8 q: P4 z1 t; P5 b
/ u# D6 h" c9 H1 [
4 C! |" C7 ~5 F XThere could be hundreds of BPX you could use to detect this trick.0 k% E* U+ e- i2 H' E% v
-The most classical one is:! ^# |( J# c2 Z) j/ d# e
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
4 Q) }/ Z4 I) _8 Z( K. }) ^, E* l *(esp->4+4)=='NTIC'+ I" {# g" @ y& L% [7 h
) W1 w; z; `0 ?5 V& T
-The most exotic ones (could be very slooooow :-(8 M3 j t4 A: |
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ( u* `6 }1 V# y( N% S
;will break 3 times :-(
6 J4 P, ~ V8 j3 l- ^# N9 p5 w
2 p4 D) c5 f7 }-or (a bit) faster: ! c& D: y1 y" i) c$ l: }( L
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
- r, C+ n: d* r# j
3 Y' L- H, k9 h0 W: [ BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. O ^5 E% {2 ~. W ;will break 3 times :-(7 K! H1 K& ^/ h
0 {) n1 H8 S8 F+ m' G- S-Much faster:
5 V2 w: p1 `' m# l% d BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'% z' W9 S7 h. ?
* H9 \$ W% F# k2 {1 `
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
3 U& }. G5 g3 U5 Rfunction to do the same job:6 L, V: @" N, W4 B5 C: ?3 b0 o" o/ d! Q, k
7 v+ c& `' E" g/ L push 00 ; OF_READ
# n( S' Z7 g; s% @- i+ B/ {% V; c/ t mov eax,[00656634] ; '\\.\SICE',04 [5 [3 ~, G q
push eax3 u2 m6 Q6 B. u7 `; L+ D
call KERNEL32!_lopen. G, c1 a' p; G) I
inc eax! c, x$ p( ~6 O2 c/ A
jnz 00650589 ; detected7 _' _2 T: j$ [' Y# a2 H! s& x
push 00 ; OF_READ
5 m4 S% c8 S5 E mov eax,[00656638] ; '\\.\SICE'
q, ^, A) A- }" q0 b2 N' S push eax3 X( E/ [, B1 [
call KERNEL32!_lopen
8 D9 m/ ?0 f+ u+ G! B9 T. ?( d% l inc eax
8 z2 }1 i2 k/ G) }- P" K jz 006505ae ; not detected5 R/ x+ M6 @6 p) b ^# @0 b8 }# S
: l) n9 w: K, ~2 x, L2 @) b' u( W5 r, b. A
__________________________________________________________________________
3 G. r4 L; N" C" }; H3 G M/ O
' ~) k8 K6 z ?5 T" J- WMethod 123 c. K- v% v: _8 S
=========0 u+ D3 z/ \9 |
* g( [, j; [" G0 c+ i
This trick is similar to int41h/4fh Debugger installation check (code 05. H4 O" Y9 ^, Z2 i& V- I' M+ P
& 06) but very limited because it's only available for Win95/98 (not NT)( P& b) f8 {8 A
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.% h& _, S1 e }7 Y5 j
- E. E$ h0 y7 W g3 { push 0000004fh ; function 4fh8 `0 P" @- c% s; \; S& v9 y, M, p
push 002a002ah ; high word specifies which VxD (VWIN32)1 y. `9 y) l- d/ ^
; low word specifies which service
4 R% g6 V9 ]0 X (VWIN32_Int41Dispatch)$ S- j6 n. a- m5 l i$ ^
call Kernel32!ORD_001 ; VxdCall* @8 G2 B6 A- C
cmp ax, 0f386h ; magic number returned by system debuggers! N0 u+ f; _3 o% `
jz SoftICE_detected- t( k. ]2 L( s" z/ t4 K* a
( c& B' {+ }6 L' w0 ?$ v, w
Here again, several ways to detect it:7 X! `2 E. u6 K
8 _; l# U- K/ H+ e' t
BPINT 41 if ax==4f* w$ Y9 r7 |, ^3 K; _1 p
9 r) g! J3 p4 L BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one4 h; [5 B( ^! g4 r/ k, e
% E! H! {9 c1 A0 T; f2 C% r$ p
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A) a# T2 ?' F/ z
. I6 O Z7 d' x4 m2 i3 ^
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!1 j/ {' t; ]* w, c) K3 b l5 a
0 g) q- P% r% `$ x
__________________________________________________________________________
/ V$ ~. s. v* ~" w
9 }, {2 g( X6 l# Z. @' _; {+ [/ |Method 13
: o* M" a d4 O- A=========
) G: L* _4 j! r; i6 [' h5 h7 X$ J+ x$ u6 q! Q4 J& h
Not a real method of detection, but a good way to know if SoftICE is4 {' r: f' E, W
installed on a computer and to locate its installation directory.
+ b9 ^+ e5 n8 n; n2 f# tIt is used by few softs which access the following registry keys (usually #2) :
. x# |" J1 s' k0 q/ e' I/ t
) z; l# f% R, ~; o0 f; C-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ g( G' c. ?% ~/ |! y `# ~\Uninstall\SoftICE
* W5 |; R+ E# U4 p% j, [9 o, G-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) w) O. H* ]" P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& ]/ i2 l) |, W, H
\App Paths\Loader32.Exe
1 I, m2 G2 o v/ U4 r$ P3 H6 X3 [
- m% @- [# z, ?( q' n6 O$ ^; _, N' h' P, U" N" t- h. }
Note that some nasty apps could then erase all files from SoftICE directory7 J z% ]6 X0 y, U, c5 h
(I faced that once :-(
+ d8 w- Q/ D) y: j7 j3 d; c% v, l' k
Useful breakpoint to detect it:
& s/ B4 F6 _2 u( k
8 `. l6 J: @: O3 ] BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
5 `' [( Q) y; V6 R7 ~% ~, H$ ?7 U5 n( v6 I( h' X
__________________________________________________________________________
7 {" H G2 v Y4 Y8 d' e
7 E- ^9 b5 T( h7 @; Y- k6 ^
# x2 T9 b3 u- I3 l# ~/ ^$ w: rMethod 14
h1 a! H5 Z5 Y1 N1 c8 M=========$ [) W. M0 I7 ?4 _# `3 k3 v9 \9 [
8 b; o; d) F, F. X) D" y3 LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ `" E" f/ y0 \( t$ Mis to determines whether a debugger is running on your system (ring0 only).) r+ {) E( N2 J% e/ |' e/ z' M
$ U4 A2 `0 g; v4 f6 G
VMMCall Test_Debug_Installed$ W$ u3 [1 o& D9 ?- k9 a
je not_installed+ @) w' H# G& D8 Z. r0 M' ~/ \
$ p$ ^% o4 _, L: y: ~" r, Y+ OThis service just checks a flag.
# u2 d% b+ m- ^5 ^2 d0 |0 u</PRE></TD></TR></TBODY></TABLE> |