<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE (EBP='BCHK', AX=4 on int 3):
if SoftICE is loaded, its int 3 handler answers the call and AL is no longer
4 on return; without SoftICE the default int 3 handler leaves AL untouched.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI are zeroed first, so a nonzero ES:DI after
the call means the VxD is there and returned an entry point.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the real-mode IVT is
first swapped for a dummy handler (a plain IRET), so on a clean system AX
comes back unchanged; only a debugger that intercepts int 41h before it
reaches the vector table (as SoftICE does from ring0) can still answer 0F386h:

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table (needed for es:[41h*4] below)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; swap in our dummy handler (offset)
 xchg bx, es:[41h*4+2] ; (segment); DX:BX now hold the old vector
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: instead
of looking for 0F386h, it checks whether int 41h actually reaches its own
handler. AL is loaded with a pseudo-random value (the PIT counter read from
port 40h) and CL is cleared; the handler copies AL to CL, so after the call CL
differs from AL only if something else (SoftICE) swallowed the interrupt.
(When the PIT value happens to be 0 the check gives a false negative.)

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES=0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random value from the PIT
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode debugger
interface).

 mov ah,43h ; installation check
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; DS:DX -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). 0x400 is nothing but bit 10 of DR7, which is reserved
and always reads as 1; 0x700 additionally has the LE/GE 'exact breakpoint'
bits 8 and 9 set. Values can be manipulated and/or changed as well
(clearing BPMs for instance).
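To make those DR7 figures concrete, here is an added C example (not part of the original text) that decodes a DR7 value the way a ring0 check would after reading it with mov eax,dr7. It only relies on the documented DR7 bit layout; the sample values are constructed, and the third one models what an armed 4-byte write BPM on DR0 leaves behind.

```c
/* Added example (not part of the original text): decoding a DR7 value the
 * way a ring0 check would after "mov eax, dr7". The sample values are
 * constructed; 0x400 and 0x700 are the two figures the text quotes. */
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"). */
#define DR7_LE  (1u << 8)   /* local exact breakpoint enable                */
#define DR7_GE  (1u << 9)   /* global exact breakpoint enable               */
#define DR7_RSV (1u << 10)  /* reserved bit, always reads as 1: the 0x400   */
#define DR7_GD  (1u << 13)  /* general detect: #DB on any MOV to/from a DRn */

/* Bit n of the result is set when DRn is armed (Ln at bit 2n or Gn at 2n+1). */
unsigned dr7_armed_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (unsigned n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))
            mask |= 1u << n;
    return mask;
}

/* R/Wn field: 0=execute, 1=data write, 3=data read or write. */
unsigned dr7_rw(uint32_t dr7, unsigned n)  { return (dr7 >> (16 + 4 * n)) & 3; }

/* LENn field: 0=1 byte, 1=2 bytes, 3=4 bytes (2=8 bytes in 64-bit mode). */
unsigned dr7_len(uint32_t dr7, unsigned n) { return (dr7 >> (18 + 4 * n)) & 3; }

/* LE/GE set: the 0x700 the text attributes to the SoftICE loader. */
int dr7_exact(uint32_t dr7) { return (dr7 & (DR7_LE | DR7_GE)) != 0; }

/* The check the text describes: anything beyond the reserved bit means a
 * debugger has written DR7 (exact-mode bits, general detect or an armed BPM). */
int dr7_looks_debugged(uint32_t dr7) { return (dr7 & ~DR7_RSV) != 0; }

/* Constructed sample: DR0 armed locally as a 4-byte write breakpoint, i.e.
 * what a "BPM addr W" would leave behind. */
#define SAMPLE_BPM_DR7 (DR7_RSV | 1u | (1u << 16) | (3u << 18))

int main(void)
{
    const uint32_t samples[] = { 0x400u, 0x700u, SAMPLE_BPM_DR7 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t v = samples[k];
        unsigned armed = dr7_armed_mask(v);
        printf("dr7=%#08x debugged=%d exact=%d gd=%d",
               (unsigned)v, dr7_looks_debugged(v), dr7_exact(v),
               (v & DR7_GD) != 0);
        for (unsigned n = 0; n < 4; n++)
            if (armed & (1u << n))
                printf(" dr%u[rw=%u len=%u]", n, dr7_rw(v, n), dr7_len(v, n));
        putchar('\n');
    }
    return 0;
}
```

The read itself still has to be done in ring0 (a MOV from a debug register faults with #GP at ring3), which is why the text restricts this method to ring0 code; the decoding above is what such code does with the value once it has it.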

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the open succeeded: the driver is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE ?
 00401074: je 00401091 ; yes: not detected

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in
 key #2 and key #1 respectively, so key #3 is not caught by this breakpoint)
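The two breakpoint conditions above (the CreateFileA one of method 11 and the _regopenkey one here) both boil down to a 4-byte compare at a fixed offset into the string argument. The following added C example (not from the original text, and not code from MeltICE or SoftICE) reimplements those tests so they can be run over constructed sample arguments, to show why the offsets are +4, 0x13 and 0x37 and what each condition does and does not match.

```c
/* Added example (not part of the original text): the string tests behind the
 * BPX conditions for the CreateFileA trick (method 11) and the RegOpenKey
 * trick (method 13), run over constructed sample arguments.
 *
 * A SoftICE 'SICE' literal compares the 4 bytes at the given address with
 * those characters in memory order, so *(esp->4+4)=='SICE' is true when
 * bytes 4..7 of the lpFileName argument ("\\.\SICE") spell SICE. */
#include <stdio.h>
#include <string.h>

/* Emulates SoftICE's *(addr)=='XXXX': the 4 bytes at s+off equal tag. */
static int dword_at(const char *s, size_t len, size_t off, const char *tag)
{
    return off + 4 <= len && memcmp(s + off, tag, 4) == 0;
}

/* Method 11: lpFileName of CreateFileA/_lopen. The device names "\\.\SICE",
 * "\\.\SIWVID" (Win9x) and "\\.\NTICE" (NT) share the 4-byte "\\.\" prefix,
 * which is why the breakpoint looks 4 bytes past esp->4. */
int createfile_targets_softice(const char *filename)
{
    size_t len = strlen(filename);
    if (len < 4 || memcmp(filename, "\\\\.\\", 4) != 0)
        return 0;                           /* not a device path at all */
    return dword_at(filename, len, 4, "SICE") ||
           dword_at(filename, len, 4, "SIWV") ||
           dword_at(filename, len, 4, "NTIC");
}

/* Method 13: the subkey argument (esp->8) of RegOpenKey. "tICE" sits at
 * offset 0x13 in "Software\NuMega\SoftICE" and at 0x37 in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". The
 * App Paths\Loader32.Exe key contains no "tICE", so it is not caught. */
int regopenkey_targets_softice(const char *subkey)
{
    size_t len = strlen(subkey);
    return dword_at(subkey, len, 0x13, "tICE") ||
           dword_at(subkey, len, 0x37, "tICE");
}

int main(void)
{
    /* Constructed sample arguments, as a hooked API would see them. */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\SICE.TXT", "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               createfile_targets_softice(files[i]) ? "SoftICE probe" : "ignore");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("RegOpenKey(\"%s\") -> %s\n", keys[i],
               regopenkey_targets_softice(keys[i]) ? "SoftICE probe" : "ignore");
    return 0;
}
```

Because both conditions test a single dword at a fixed offset, a program that builds the name differently (a different root key, a wide-string API, a path with a trailing slash) slips past them; the _lopen variant of method 11 is still caught, since it passes the same "\\.\SICE" string.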
: q& B# Z. r6 {5 t" n" h8 a, l/ s1 N! I
0 E! ?6 X' C! p( A' o0 N i__________________________________________________________________________/ G; N1 f! [( i3 M4 Q, J
+ z! W; ^- w% Q# i' d% V, y9 P9 z6 `5 a% ^
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag (it returns with the zero flag set when no
debugger is installed, clear otherwise).
</PRE></TD></TR></TBODY></TABLE>