<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet. It abuses the
BoundsChecker back door built into SoftICE's INT 3 handler: with
EBP = 'BCHK' (4243484Bh) and AX = 4, SoftICE answers the INT 3 itself and
overwrites AL, so if AL still reads 4 afterwards nobody answered and
SoftICE is not loaded.

    mov ebp, 04243484Bh  ; 'BCHK' signature
    mov ax, 04h          ; BoundsChecker sub-function
    int 3                ; answered by SoftICE if it is loaded
    cmp al, 4            ; AL unchanged -> no SoftICE
    jnz SoftICE_Detected

Without SoftICE the INT 3 goes to the normal breakpoint handler; under Win32
that is an exception, so packers wrap this check in an SEH frame (the same
arrangement as the "jmp to 00AD" of method 02).

___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It calls
the SoftICE 'back door' through INT 3, which gives information on
breakpoints or executes SoftICE commands. It is also used to crash SoftICE
or to force it to run arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at DS:DX,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. With SoftICE loaded every
INT 3 is answered, the loop runs to the sixth command and HBOOT reboots the
machine; without it, the first INT 3 raises the exception that lands at 00AD.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
INT 2Fh/AX=1684h (Windows 'Get Device API Entry Point'). The call returns
ES:DI = 0000:0000 when no VxD with that ID is loaded, so a non-zero result
means SoftICE is resident.

    xor di, di
    mov es, di           ; ES:DI = 0 before the call
    mov ax, 1684h        ; Get Device API Entry Point
    mov bx, 0202h        ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

(ORing ES and DI would be the safer test: ADD can in principle wrap to zero
for a non-zero ES:DI.)

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX VxD (SIWVID) instead of WINICE.

    xor di, di
    mov es, di
    mov ax, 1684h        ; Get Device API Entry Point
    mov bx, 7A5Fh        ; VxD ID of SIWVID
    int 2Fh
    mov ax, es           ; ES:DI -> VxD API entry point (0:0 if absent)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system-level debugger to INT 41h, function 4Fh (the Windows debugger
installation check). There are several variants; the simplest is:

    mov ax, 4Fh          ; debugger installation check
    int 41h
    cmp ax, 0F386h       ; a resident debugger answers with 0F386h
    jz SoftICE_detected

This next snippet and the one in method 06 are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the INT 41h vector at a
dummy handler that just IRETs: if SoftICE is absent the call falls through
to that handler and AX stays 4Fh, whereas SoftICE intercepts INT 41h below
the V86 layer and still returns 0F386h. (In real mode the INT 41h vector is
a data pointer, the fixed-disk parameter table, so the dummy handler also
keeps the call from jumping into garbage when nobody intercepts it.)

    xor ax, ax
    mov es, ax           ; ES = 0 -> real-mode IVT (not in the original
                         ; listing; assumed, as method 06 does it)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]  ; swap in our dummy handler (offset)...
    xchg bx, es:[41h*4+2] ; ...and segment; BX:DX now hold the old vector
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect because no
magic function number appears in AX: AL is loaded from the PIT counter
(port 40h), so its value is unpredictable, the dummy handler copies AL into
CL, and after the INT 41h CL must equal AL. If SoftICE is resident it
handles INT 41h itself instead of reflecting it to the V86 vector, the copy
never happens and CL (zeroed beforehand) differs from AL.

int41handler PROC
    mov cl, al           ; proves that our handler, not SoftICE, got the call
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax           ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]  ; swap in our handler, keep the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h           ; unpredictable AL from the 8254 timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]  ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86). AH=43h is the
installation check of the Windows debugging kernel and, like INT 41h/4Fh,
answers with the magic value 0F386h when a debugger is resident.

    mov ah, 43h          ; installation check
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX Exec_Int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 35h (get interrupt vector) and 25h (set
interrupt vector); DS:DX points to the new routine to execute (hangs the
computer...).

    mov ah, 25h          ; DOS: set interrupt vector
    mov al, Int_Number   ; 01h (single step) or 03h (breakpoint)
    mov dx, offset New_Int_Routine ; DS:DX -> new handler (DS = its segment)
    int 21h

Since SoftICE relies on INT 1/INT 3 for tracing and breakpoints, break on
the vector change before it takes effect, e.g. BPINT 21 if ah==25 && (al==1
|| al==3).

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
possible from ring 0 (a VxD, or a ring-3 app reaching it through VxDCall).
The Get_DDB service tells whether a VxD is installed for the specified
device and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name ; only used when no VxD ID is given (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether memory breakpoints (BPM, held in
DR0 to DR3) are set, simply by reading their value (ring 0 only). The values
can be manipulated or changed as well (clearing BPMs, for instance).
Bit 10 of DR7 is reserved and always reads as 1, hence the 0x400 baseline;
0x700 means bits 8 and 9 (LE/GE) have been set too, which only a debugger
has a reason to do.

___________________________________________________________________________
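As an added example (not part of the original text, and not SoftICE or packer code), here is a small C decoder for DR7 that turns the raw values quoted above into something readable: which of DR0..DR3 is armed, on which access type and width, and whether the LE/GE/GD bits that only a debugger sets are present. The bit layout follows the Intel SDM; the DR7 values fed in are constructed, and the `mov eax, dr7` read itself (ring 0) is assumed to have happened elsewhere.

```c
/* dr7_decode.c - added example; not code from the original text or from
 * SoftICE.  Decodes a DR7 value (read in ring 0 with "mov eax, dr7") into
 * which of DR0..DR3 is armed, on what access, and how wide, using the
 * layout of the Intel SDM.  The DR7 values below are constructed inputs;
 * nothing here touches a real debug register. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_L(n)       (1u << (2 * (n)))       /* local enable, DRn  */
#define DR7_G(n)       (1u << (2 * (n) + 1))   /* global enable, DRn */
#define DR7_LE         (1u << 8)               /* local exact (legacy) */
#define DR7_GE         (1u << 9)               /* global exact (legacy) */
#define DR7_RESERVED1  (1u << 10)              /* reserved, always reads 1 */
#define DR7_GD         (1u << 13)              /* general detect: #DB on any DRx access */
#define DR7_RW(v, n)   (((v) >> (16 + 4 * (n))) & 3u)
#define DR7_LEN(v, n)  (((v) >> (18 + 4 * (n))) & 3u)

struct hwbp {
    bool enabled;      /* L or G bit set: the slot is armed */
    bool global;
    const char *kind;  /* "exec", "write", "io", "rw" */
    unsigned len;      /* 1, 2, 4 or 8 bytes */
};

struct dr7_info {
    struct hwbp bp[4];
    bool le, ge, gd;
    unsigned armed;    /* number of armed slots (SoftICE BPMs show up here) */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    static const char *const kinds[4] = { "exec", "write", "io", "rw" };
    static const unsigned lens[4] = { 1, 2, 8, 4 }; /* 10b = 8 bytes, 64-bit mode only */
    struct dr7_info info;
    memset(&info, 0, sizeof info);
    for (int n = 0; n < 4; n++) {
        bool l = (dr7 & DR7_L(n)) != 0, g = (dr7 & DR7_G(n)) != 0;
        info.bp[n].enabled = l || g;
        info.bp[n].global  = g;
        info.bp[n].kind    = kinds[DR7_RW(dr7, n)];
        info.bp[n].len     = lens[DR7_LEN(dr7, n)];
        if (info.bp[n].enabled)
            info.armed++;
    }
    info.le = (dr7 & DR7_LE) != 0;
    info.ge = (dr7 & DR7_GE) != 0;
    info.gd = (dr7 & DR7_GD) != 0;
    return info;
}

/* The observation in the text: a program that set no breakpoint itself
 * should see DR7 == 0x400 (only the reserved bit).  Anything else (LE/GE,
 * GD, or an armed slot) was written by someone else, i.e. a debugger. */
bool dr7_looks_debugged(uint32_t dr7)
{
    struct dr7_info i = dr7_decode(dr7);
    return i.le || i.ge || i.gd || i.armed > 0;
}

/* Build the DR7 bits a debugger writes to arm DRn (what a BPM costs). */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len_code, bool global)
{
    dr7 &= ~(0xFu << (16 + 4 * n));           /* clear RWn/LENn */
    dr7 |= (rw & 3u) << (16 + 4 * n);
    dr7 |= (len_code & 3u) << (18 + 4 * n);
    dr7 |= global ? DR7_G(n) : DR7_L(n);
    return dr7 | DR7_RESERVED1;
}

/* Per-slot accessors, convenient for checks without copying the struct. */
unsigned dr7_bp_len(uint32_t dr7, int n) { struct dr7_info i = dr7_decode(dr7); return i.bp[n].len; }
const char *dr7_bp_kind(uint32_t dr7, int n) { struct dr7_info i = dr7_decode(dr7); return i.bp[n].kind; }
bool dr7_bp_global(uint32_t dr7, int n) { struct dr7_info i = dr7_decode(dr7); return i.bp[n].global; }

void dr7_print(uint32_t dr7)
{
    struct dr7_info i = dr7_decode(dr7);
    printf("DR7=%#010x LE=%d GE=%d GD=%d armed=%u\n", (unsigned)dr7, i.le, i.ge, i.gd, i.armed);
    for (int n = 0; n < 4; n++)
        if (i.bp[n].enabled)
            printf("  DR%d: %s, %u byte(s), %s\n", n, i.bp[n].kind,
                   i.bp[n].len, i.bp[n].global ? "global" : "local");
}

int main(void)
{
    dr7_print(0x400);                         /* untouched, as the text says */
    dr7_print(0x700);                         /* loaded through the SoftICE loader */
    dr7_print(dr7_arm(0x400, 0, 1, 3, true)); /* a 4-byte write BPM in DR0 */
    return 0;
}
```

Decoding 0x700 shows that no slot is armed: the only difference from 0x400 is LE/GE, which is exactly why the text treats it as a loader fingerprint rather than a breakpoint. A BPM set from SoftICE shows up as an armed slot with its RW/LEN fields, which is what a protector reading DR0-DR3 would act on.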

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code lives in
nmtrans.dll).

The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; a successful open means the driver is there.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name exposed by the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to
intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field. Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so gets detected. You can check that simply by
hooking the Winice.exe control proc entry point while running MeltICE.

    00401067: push 00402025      ; "\\.\SICE"
    0040106C: call CreateFileA
    00401071: cmp eax, -001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the four
bytes compared are the driver name.)

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax, [00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax, [00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it only works on Win95/98 (not
NT), as it reaches INT 41h through the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh       ; function 4Fh (debugger installation check)
    push 002A002Ah       ; high word selects the VxD (002Ah = VWIN32),
                         ; low word the service (002Ah = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxDCall
    cmp ax, 0F386h       ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory. It is
used by a few programs which read the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in key #2 and key #1 respectively.)
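The breakpoints given for each method assume you are already sitting in SoftICE. Before that, it helps to know where in a packed sample the check lives. As an added example (not code from the original text, from SoftICE, or from any of the packers mentioned), here is a C scanner that searches a file or buffer for the byte signatures of the checks in methods 01-07, 11, 12 and 13: the 'BCHK' immediate, the 'FG'/'JM' loads, the INT 2Fh/1684h and INT 41h/4Fh sequences, the cmp ax,0F386h compare, the INT 68h/43h check, the VWIN32_Int41Dispatch VxDCall, the \\.\SICE / \\.\SIWVID / \\.\NTICE device names and the NuMega\SoftICE registry path. The opcode bytes are the standard 16-bit encodings of the instructions shown (the 32-bit form of the 'FG'/'JM' loads is included too); register order (SI before DI) and immediate-first compares are assumptions, and the sample buffer is constructed.

```c
/* sice_sigscan.c - added example; not code from the original text, from
 * SoftICE or from any of the packers mentioned.  Locates the byte
 * signatures of the checks listed above (methods 01-07, 11, 12 and 13) in
 * a file or buffer, so the check can be found in a packed sample before
 * tracing it.  Opcode bytes are the standard 16-bit encodings of the
 * instructions shown on the page (plus the 32-bit form of the 'FG'/'JM'
 * loads); register order and immediate forms are assumptions, and the
 * sample buffer at the bottom is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sig {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

#define SIG(n, ...) { n, (const unsigned char[]){ __VA_ARGS__ }, \
                      sizeof((const unsigned char[]){ __VA_ARGS__ }) }

static const struct sig sigs[] = {
    SIG("01-BCHK",              0xBD, 0x4B, 0x48, 0x43, 0x42),                 /* mov ebp,4243484Bh */
    SIG("02-FG/JM-16bit",       0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A),           /* mov si,4647h / mov di,4A4Dh */
    SIG("02-FG/JM-32bit",       0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A),
    SIG("03-int2F/1684-SICE",   0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F), /* mov ax,1684h / mov bx,202h / int 2Fh */
    SIG("04-int2F/1684-SIWVID", 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F),
    SIG("05-int41/4F",          0xB8, 0x4F, 0x00, 0xCD, 0x41),                 /* mov ax,4Fh / int 41h */
    SIG("05-cmp-F386",          0x3D, 0x86, 0xF3),                             /* cmp ax,0F386h (also 06, 12) */
    SIG("07-int68/43",          0xB4, 0x43, 0xCD, 0x68),                       /* mov ah,43h / int 68h */
    SIG("12-VxDCall-Int41",     0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00),     /* push 4Fh / push 2A002Ah */
    SIG("11-MeltICE-SICE",      '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E'),
    SIG("11-MeltICE-SIWVID",    '\\', '\\', '.', '\\', 'S', 'I', 'W', 'V', 'I', 'D'),
    SIG("11-MeltICE-NTICE",     '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E'),
    SIG("13-registry-NuMega",   'N', 'u', 'M', 'e', 'g', 'a', '\\', 'S', 'o', 'f', 't', 'I', 'C', 'E'),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

struct hit {
    size_t offset;
    const char *name;
};

/* Naive search of every signature at every offset; returns the total number
 * of matches and fills up to max entries of out (like snprintf). */
size_t scan_buffer(const unsigned char *buf, size_t n, struct hit *out, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            if (sigs[s].len <= n - off &&
                memcmp(buf + off, sigs[s].bytes, sigs[s].len) == 0) {
                if (count < max) {
                    out[count].offset = off;
                    out[count].name = sigs[s].name;
                }
                count++;
            }
        }
    }
    return count;
}

/* Constructed sample: NOP filler around a method-01 check, a method-02
 * back-door call, a method-05 check and a MeltICE device name. */
static const unsigned char sample[] = {
    0x90, 0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,             /* mov ebp,4243484Bh */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10, /* mov ax,4 / int 3 / cmp al,4 / jnz */
    0x90, 0x90,
    0xB8, 0x11, 0x09, 0x8B, 0x17,                   /* mov ax,911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,       /* mov si,'FG' / mov di,'JM' / int 3 */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, /* mov ax,4Fh / int 41h / cmp ax,0F386h */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,   /* "\\.\SICE" */
};

/* Runs the scanner over the constructed sample; results land in sample_hits. */
struct hit sample_hits[16];
size_t scan_sample(void)
{
    return scan_buffer(sample, sizeof sample, sample_hits, 16);
}

int main(int argc, char **argv)
{
    struct hit hits[64];
    const unsigned char *data = sample;
    size_t len = sizeof sample, n;
    unsigned char *filebuf = NULL;

    if (argc > 1) {                      /* scan a file given on the command line */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        len = (size_t)ftell(f);
        fseek(f, 0, SEEK_SET);
        filebuf = malloc(len ? len : 1);
        if (!filebuf || fread(filebuf, 1, len, f) != len) { perror("read"); fclose(f); free(filebuf); return 1; }
        fclose(f);
        data = filebuf;
    }
    n = scan_buffer(data, len, hits, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("%08zx  %s\n", hits[i].offset, hits[i].name);
    printf("%zu hit(s)\n", n);
    free(filebuf);
    return 0;
}
```

Run it with no argument to see the five hits in the built-in sample, or with a path to scan a dumped section. A hit only tells you where to put a BPX; a packer that builds the magic values at run time (xor'ing them in, loading SI/DI from memory) leaves no such static signature, which is why the interrupt-level breakpoints in the text remain the reliable check.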
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, it
determines whether a debugger is running on the system (ring 0 only).

    VMMCall Test_Debug_Installed ; ZF set if no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>