<TABLE width=500>
$ t* W% @! K D; j% ~<TBODY>
8 ]+ Y0 |% z; {& l4 ]<TR>7 U6 }, K: M- T
<TD><PRE>Method 01
, b+ C ~( h$ |+ E=========
1 `6 F( z' p9 ^0 e6 v
7 F& x* G' {# p" R- W0 {This method of detection of SoftICE (as well as the following one) is
; C" v5 O, Z+ y6 W- \' u; T4 F6 |used by the majority of packers/encryptors found on Internet.5 ^4 ^' r, p$ o. z: Q
It seeks the signature of BoundsChecker in SoftICE, T) c2 O; B# u( |/ t+ l7 X2 i
4 e2 E& E4 f% S- ~* J y
mov ebp, 04243484Bh ; 'BCHK'
4 X7 _ p- d' n mov ax, 04h
: R$ o' F2 i0 H7 E int 3 : [' D, V$ R( u
cmp al,46 w7 k7 \7 r4 e; ^' R
jnz SoftICE_Detected
3 [. [% ]& ?5 B- Q- ?$ F, J' P4 S ]$ x) u2 ~9 ^
___________________________________________________________________________
5 R$ ~$ { \8 q; `& N H: D4 \: N- B7 F* O7 m& S
Method 02
/ l3 c! Y6 L b" h5 U=========
. @2 g0 @, h3 c0 Y/ H; E! b1 B" V: S: @. E
Still a method very much used (perhaps the most frequent one). It is used4 p' @$ j5 Y7 _, }9 ?5 r8 U
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
' V) @: s8 e" F& w# `6 x" o( qor execute SoftICE commands...
) x( R) Z* Z7 w+ k6 W+ ^3 NIt is also used to crash SoftICE and to force it to execute any commands
$ I6 [. `. d: w1 ^& @(HBOOT...) :-(( 5 @% K2 V3 m' N9 S1 Y
) h3 r8 z/ O4 X5 n
Here is a quick description:
2 ~( n" D1 z3 U) C0 L" L-AX = 0910h (Display string in SIce windows)
. T& z8 M, c' I, ?9 d-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
8 m2 V0 K5 q, \! C-AX = 0912h (Get breakpoint infos)
' E, u6 J: ]+ k. P' z+ j-AX = 0913h (Set Sice breakpoints)
% s8 s# r' O! [$ e6 N7 a/ m% l-AX = 0914h (Remove SIce breakoints)+ I9 q: ^* A1 [8 i* C* K, u
' z8 n5 d4 O! v" P: d
Each time you'll meet this trick, you'll see:
$ \, p& O) E5 B$ G8 D8 v-SI = 4647h
2 o* A; j; _. c- ~-DI = 4A4Dh6 ?/ Q/ T2 C V% w, p
Which are the 'magic values' used by SoftIce.
& l* J% K! G3 _. n+ ?- L6 TFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.- |* T y2 s) d7 U
* M# j+ ]% }) o1 }" ]' X! jHere is one example from the file "Haspinst.exe" which is the dongle HASP% _, @* `, h! k
Envelope utility use to protect DOS applications:6 \5 |% b4 v" z6 c2 z+ n% q
6 F- d& J& ]1 D0 H
% B% C4 R' a0 V7 Q! E4C19:0095 MOV AX,0911 ; execute command.
4 Z" n$ {0 i% r' v9 ?5 l4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
) g' D( B+ d0 S; D+ p/ d4 h4C19:009A MOV SI,4647 ; 1st magic value.1 f6 e0 h) B" a9 B# k
4C19:009D MOV DI,4A4D ; 2nd magic value.4 ^3 i5 w$ O5 \8 E V2 R
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
9 c3 M" D% f8 i4 X8 z" h" t+ B' W4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
5 s: p1 d& `/ T+ D- e: ~4C19:00A4 INC CX5 P* z. z) U- y
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute8 J' t" K( `: x( n o$ S+ X* L
4C19:00A8 JB 0095 ; 6 different commands.
4 h {! G4 b* P$ b, m2 `2 ^4C19:00AA JMP 0002 ; Bad_Guy jmp back.
& E" M8 J) D& f: G' ~6 J5 b' A4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
" y, e, O- r1 f7 R p0 d/ H! P. \" h# Q
7 z( |- S* y h, eThe program will execute 6 different SIce commands located at ds:dx, which
- Y& q! K# w y( p' Tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.; @; }; P5 R' k1 I
$ y- K# q/ h, a5 ~8 y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! N' _+ z8 [$ Q0 u+ {- E/ Q$ q- r
___________________________________________________________________________
7 A" Z3 f( }* H# U+ B+ g0 \" @( e
: W# G" x& [& J: W5 b
+ |' @( }+ m# V1 _- FMethod 034 }% ]" P8 t& q- c6 P
=========
& b; p! N% T) j# Q+ V3 D( G% a. W9 L- K: I
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
. g' G( C* Q4 o \( I( l* z(API Get entry point)# V( N2 ^" T# j
; t1 n) Y9 a1 v9 d* ]5 a
8 K9 l; _* Y6 B2 @( W0 e' _5 e xor di,di
+ b+ B* y L( X2 a+ ?$ S! P& J$ y mov es,di! b$ t9 x9 Y" r6 I( W3 f% O0 D8 x
mov ax, 1684h 6 `3 y7 U; d* Q2 t2 B4 A
mov bx, 0202h ; VxD ID of winice
* F% P+ T6 B8 k) @: D" y9 S int 2Fh
O0 {+ s: T: H4 c mov ax, es ; ES:DI -> VxD API entry point4 }# G: [' }! P
add ax, di
# f1 F6 @' b% K ` test ax,ax
; T5 G" b$ C6 V% j8 A jnz SoftICE_Detected; q& s( D( `3 F3 l! }- V! I
5 g7 M( ] I9 x2 @___________________________________________________________________________
8 q+ f) p8 o1 n
! Z& j% z+ K2 K% h7 v/ m ]Method 04
3 L* H6 I' W5 U0 E, Q# K/ j# b2 \=========
& r* z, u! n2 e7 h" k9 y% ?
# ~1 ?0 ^2 J+ I SMethod identical to the preceding one except that it seeks the ID of SoftICE8 o" w. T# G" j$ |3 y! e
GFX VxD.
A; _9 I+ P, G2 L8 ~! q0 B$ V2 |# z! h, T1 N2 B
xor di,di- J& i) D {. @ {/ s
mov es,di) J5 _% l5 G. ~+ j
mov ax, 1684h 4 u2 o6 W* Y7 j6 _+ y
mov bx, 7a5Fh ; VxD ID of SIWVID/ p- L# }" ~ V8 Y3 ^) {8 J5 u
int 2fh
+ o) Z& j* a) m- h. P mov ax, es ; ES:DI -> VxD API entry point# V+ l2 i/ Y; `1 j& u/ `0 n
add ax, di9 E( [1 T. v- y# _6 P
test ax,ax G! ]1 k6 K( O+ O- z- i) C, e0 V
jnz SoftICE_Detected
8 t5 X% k6 U# e0 |% _
4 U4 R5 K8 _# D0 P/ }& @__________________________________________________________________________& Z3 }! \) ^# l( [
! Q9 p! {$ _1 y" d' l
( o8 H& N/ F6 t
Method 05
. C9 I! l5 |! G3 t=========
0 A. Q( T2 N& Q/ W7 |
! G. X, b5 T- j& ]Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ o2 S! I! k( R6 a! ndebugger. It calls the int 41h, function 4Fh.5 x$ U5 i$ G M) k/ y/ _
There are several alternatives. , g; W) F m* b. t- C K
* R8 v( p" E' m# m) J8 j7 qThe following one is the simplest:% m* m" N5 l5 h& ~3 k( ?. `
! g+ d4 G$ ^4 J; t' n) } mov ax,4fh2 u6 q1 K. e, H( K: G" O U+ u
int 41h
4 R: H0 x( a7 ^3 U cmp ax, 0F3863 f. _( z) x# G% `& r% Z
jz SoftICE_detected/ A5 o8 o5 Q4 ~& h; P/ E
O- r- ~1 S) l
* c/ v/ W1 x9 p7 wNext method as well as the following one are 2 examples from Stone's ( Z: K6 t0 w% W3 Z3 b; I/ Z
"stn-wid.zip" (www.cracking.net):% P, U; g [0 X j, J8 G) A. w+ z0 Z, ^
! z0 w( F& N8 z) t mov bx, cs
4 r+ U- v; Z* R/ S lea dx, int41handler2
. G; }/ g8 ~4 v' }% A+ K( K xchg dx, es:[41h*4]! x3 a% J4 f3 |, H) d
xchg bx, es:[41h*4+2]+ q9 R% f5 m; W$ M7 H
mov ax,4fh' i3 n- r% v+ b/ p1 ~
int 41h
0 I) X, U! @ O I1 | xchg dx, es:[41h*4]& L/ L, \0 B9 ^
xchg bx, es:[41h*4+2]
" j1 k8 F+ O! y5 {$ N8 d0 F cmp ax, 0f386h
# b- `) k7 @9 T- o' [4 F7 ~ jz SoftICE_detected( v! o6 ]. H! e' X( a. X
" x% g- k' }8 B' l' U! L9 s3 o! y! ?
int41handler2 PROC
& K% n8 O# U& u" l A/ y; k% e iret
5 r/ V% ~2 |; Cint41handler2 ENDP
9 H/ u4 w$ H% v6 w& v
) b$ A" u+ R# Q# Q7 V6 N9 S, r9 Z2 Z3 Y+ o: w4 G
_________________________________________________________________________
) v2 ~6 [# z0 L+ W, R" Y/ A A4 i9 j) R* {" g/ B
* v& I, @, S" A
Method 066 Y( r8 t" e/ o! a9 b1 o, W8 B/ [
=========" n( ]! R9 p- ]) M& I5 E
& e/ P1 I+ N: G7 b/ x0 y) H& r: d/ E4 J* a
2nd method similar to the preceding one but more difficult to detect:# m! n$ z [/ u# x& X. y% i8 E
4 z6 |% w; A5 |2 V8 N
5 F8 x( H' @! Z. i+ n+ B- c
int41handler PROC
( m, D5 ~, W# m4 R# l1 b mov cl,al
7 N. T& D- x) c iret4 {0 I$ f* o h9 j5 e1 Q
int41handler ENDP, l5 T1 j# c' N1 _% V! V, i, v# R
% u7 j2 {- \. {1 u# ~
( q9 P$ q. ?9 ?6 r xor ax,ax
) |- Z4 t: [1 s$ Y6 u5 p* K mov es,ax) S! {( q2 g: S! p. \" V
mov bx, cs. v6 E7 [6 T6 o) ?. l
lea dx, int41handler$ @( `1 n6 G c3 q. o
xchg dx, es:[41h*4]& W8 }( F+ M" E2 u$ l
xchg bx, es:[41h*4+2]
. P! j: K( N4 c' e2 B in al, 40h) B% q/ b" y. Y. m
xor cx,cx5 N, Z A. m" R
int 41h
% L! a9 l" T2 u4 A xchg dx, es:[41h*4]7 I+ M1 C8 t8 e! t+ b- h
xchg bx, es:[41h*4+2]& `9 c! S# }" A1 e8 a3 X
cmp cl,al
& P+ [. S- G7 C3 C: ~9 T! p( f0 V# u jnz SoftICE_detected
% t k) R v, R8 P } O
O* a" l( | f8 i& }_________________________________________________________________________+ d0 ~* D% E% u( ^ R9 Q
4 B) U' ]5 X* R/ Z1 a
Method 07
$ U6 e; O# _+ o, n7 S1 f=========
% D, q0 A# J2 N- h2 @9 N6 v8 G% x1 C+ p" E
Method of detection of the WinICE handler in the int68h (V86)
* z! T* i+ G* J2 A- K7 p$ F' M; |( L$ x" E
mov ah,43h
% I+ Y) q9 `, [/ {; s9 U4 ^" w3 d int 68h \" o/ z! v4 B$ U0 K
cmp ax,0F386h$ n& }6 n! {" o! Q5 U1 y
jz SoftICE_Detected- |1 P7 C4 d" J; x0 q
4 U {+ z( k2 R( M1 R0 C* ^
/ P. r4 _$ w# h5 b8 w
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- ^8 m( @( b: J5 ` app like this:; V! f" O* S( P0 h+ D0 \
7 C. H `. ^: F: F; H BPX exec_int if ax==68
- a4 H4 V. e- }, D" e# e/ e" f t (function called is located at byte ptr [ebp+1Dh] and client eip is+ [+ ]5 d! |- X1 S
located at [ebp+48h] for 32Bit apps). h8 `4 [. K5 m& r! ^% U; h' M
__________________________________________________________________________" G+ \, _; C* Y3 R% b' H0 K& I1 ~* ^% j
" R2 g' [8 N* s7 o
+ h* V' W7 h3 M+ W. r2 [) J$ U. ]; F
Method 08. }+ ]' E3 p" Z/ D: C
=========
+ F% V9 {+ H1 V3 Y$ Q$ C5 y6 S- X' [) s" p% t7 j( x! V" r
It is not a method of detection of SoftICE but a possibility to crash the5 q- k# \$ w% Z
system by intercepting int 01h and int 03h and redirecting them to another
* E) `- j+ |+ c- j- Y) z7 r3 g5 }9 Aroutine.$ Q7 [' K# q, Z0 \
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
! N8 l8 r3 L1 }9 E; v5 N$ q# gto the new routine to execute (hangs computer...)
& @& ?3 V. R9 M1 f& a: W) a {' Z1 `2 d0 a0 _2 b; y q) p9 M
mov ah, 25h
8 K) {( n {8 h: y, W/ B mov al, Int_Number (01h or 03h)
8 h) N3 \0 X4 f' c3 ~2 z3 i mov dx, offset New_Int_Routine0 K! v, u8 J# Z3 e! e! e6 r% Y
int 21h
8 m1 Z" z) S0 n7 ?. B) V. @/ a# |( l/ o7 {: t% V- b
__________________________________________________________________________
+ [7 L4 s8 L+ W# s* J8 T8 _, q& Y$ S& ~" d' ~. r% G* v
Method 09, x( o) ]1 B2 q+ p( q! m+ F6 w
=========( E# U) \7 _; T) D3 g! n" k
1 H) }& y" p. T5 `3 e4 fThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* J$ @, `9 n8 a+ b. rperformed in ring0 (VxD or a ring3 app using the VxdCall).! f1 g6 K: }6 }# K
The Get_DDB service is used to determine whether or not a VxD is installed
' X- V8 |, m6 M" O8 qfor the specified device and returns a Device Description Block (in ecx) for
( T7 A/ W. S: l8 f: E# nthat device if it is installed.
6 U4 T I$ b4 P: m% A
0 Z- q, d+ m4 z. \; q. {7 n$ g mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID" y: N: T2 g z7 N: f9 K
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- w0 D! ^8 Q& S5 P
VMMCall Get_DDB
# l2 ^( R5 Z) C V mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
5 y5 s7 O8 e- c1 h
* _ ^( g/ i' Q3 T2 DNote as well that you can easily detect this method with SoftICE:
# E/ E5 z- U* K1 Z9 |4 R bpx Get_DDB if ax==0202 || ax==7a5fh2 X' l p. |8 H. e2 |
6 }$ T+ t1 ~9 V
__________________________________________________________________________
* S4 Z# j I# E, p/ ^
2 J. }6 ?, m9 f: X/ `Method 102 g4 L1 \# \( N
=========. U. m* \9 i9 ^3 Z- Y
* i" U, S. W# n$ O7 {=>Disable or clear breakpoints before using this feature. DO NOT trace with
7 J$ j' }; r7 n5 n SoftICE while the option is enable!!6 v4 ^" S# ^# E/ `* Y% X% m! R! \9 e
4 t0 x+ \7 d5 I0 w/ {This trick is very efficient:+ w9 z4 {# [8 r- e# X: K! p, ^1 s
by checking the Debug Registers, you can detect if SoftICE is loaded
9 R/ m- W9 l+ Z7 f S. E(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
- i7 s& b5 K! x* J# {( ^" ~there are some memory breakpoints set (dr0 to dr3) simply by reading their s6 x) M I5 U: ^. E
value (in ring0 only). Values can be manipulated and or changed as well
C8 _9 R! y) x! n$ J(clearing BPMs for instance)
& e+ m9 I: D1 }" ]. q4 b0 a+ g0 a4 w2 x( ?6 z* w( B
__________________________________________________________________________
; W2 s- x" `- T: d" ?' l# ?! ^# y' l, Y# T. h5 u: w
Method 11
; h9 j$ p" {( v/ B, [: e=========7 R% L% X: K* Q! v p, `( N
; Z9 i6 N3 u' a( r2 o& m% Z) ?
This method is most known as 'MeltICE' because it has been freely distributed
* y3 K5 q0 J/ Hvia www.winfiles.com. However it was first used by NuMega people to allow' j3 J; F# W- B; C3 \
Symbol Loader to check if SoftICE was active or not (the code is located
8 Z9 @7 H+ K3 oinside nmtrans.dll).
7 k/ k2 ~3 p- |" E& g7 M5 \8 U; ^' T
The way it works is very simple:
) ?* n3 U( [4 h2 C: r$ qIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. `( _) G' }" S3 E S0 {
WinNT) with the CreateFileA API.
& b6 `) g1 Y* t# y- A% l9 W$ \9 T9 t% [
Here is a sample (checking for 'SICE'):. S" U1 p6 g$ d
r+ ^' U$ v4 g7 ]1 i$ C. U
BOOL IsSoftIce95Loaded()/ U& a9 d+ d' ^( w9 b( O5 w
{# c% c Z2 x8 t9 ~7 W- H$ J! a1 T
HANDLE hFile;
6 X; q1 k2 `2 P; Z( ^) ^1 | hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; B- x( } S" U9 @1 a) ]
FILE_SHARE_READ | FILE_SHARE_WRITE, G- w0 U" B r! Z1 K: `6 _5 \
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
/ F* t$ x/ ~( G) Q+ X if( hFile != INVALID_HANDLE_VALUE )/ W4 G9 y/ f# \" x" D0 S
{+ y( h( w% T0 l( F
CloseHandle(hFile); ?2 t, o$ `; `5 V9 S' j5 h$ I- d
return TRUE;
, j& }2 R+ R& n0 J) Q Z }
/ ]" m3 D9 ]$ u9 {' ~+ U7 X return FALSE;
" I- s% ]/ C- G& J}
( b5 J% z+ c' b# B
) u) l2 Q; P2 r+ s# DAlthough this trick calls the CreateFileA function, don't even expect to be# V8 B5 ]. T4 a6 U6 t! t0 S1 W
able to intercept it by installing a IFS hook: it will not work, no way!% k0 a3 ?9 s' D% N. Z6 j6 x0 N
In fact, after the call to CreateFileA it will get through VWIN32 0x001F4 H. c! H9 z- B- F9 p$ K$ N. f0 }5 ~
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
5 B) I3 w I# b' b2 n. L6 Xand then browse the DDB list until it find the VxD and its DDB_Control_Proc
0 O# z1 ~) N- Z3 ?' Yfield.* J. P9 Y6 m. O
In fact, its purpose is not to load/unload VxDs but only to send a . b4 l0 A8 i/ c
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)6 q/ |9 l2 g. \0 T' e: _
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
( b4 b" }- E3 W" U+ ? @$ zto load/unload a non-dynamically loadable driver such as SoftICE ;-).' A! }* l# ?' q) i
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: u3 u7 `6 ~3 p. F' _0 d0 iits handle to be opened and then, will be detected.
8 Y; o) `7 n. t- DYou can check that simply by hooking Winice.exe control proc entry point, |0 T# M) [) `5 ]
while running MeltICE.0 b( _/ y0 n: [) z# M
' x* W W' \: U: m/ ~* k0 P& A/ W" z, T* h$ X& J0 u
00401067: push 00402025 ; \\.\SICE
+ v* D& v1 h. ~3 c, C# M0 Q 0040106C: call CreateFileA
: z! b7 F+ A: m/ |! s: b3 c) w 00401071: cmp eax,-001
3 e8 _1 y+ V2 d0 t 00401074: je 00401091
6 G. w7 e: O8 I9 V4 g1 w3 {. _+ d, k0 }0 L4 O% Z% C* w U
2 P/ T/ H- I) kThere could be hundreds of BPX you could use to detect this trick.
# y$ d% [9 J3 I: K-The most classical one is:
% l$ B5 A/ m6 H! y* S BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||2 I1 i' w+ {. H7 o5 Z' m" z3 `
*(esp->4+4)=='NTIC'' T4 S. i, v. u3 C' i& d
8 P( E- o4 o/ h; e# B# ^
-The most exotic ones (could be very slooooow :-(
9 ^2 F, t: f" A5 S q0 @ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') % q$ A. Z5 o& x9 L
;will break 3 times :-(
& F$ x5 M% o7 t2 X6 r
9 p0 Y) y n( C' ?-or (a bit) faster: ! ?- ~4 _! i, `% }
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& o4 p, h2 x4 W# ?
% |0 U7 h4 o/ p) t. J) w0 Q$ w$ U BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
/ Q2 A* R3 ~, N1 @4 b# b6 d ;will break 3 times :-(
7 ^7 |2 u0 e8 Q5 V1 Z7 S. c1 v7 _1 n0 C( t8 H; K& C4 ^ ~" b
-Much faster:% @0 [7 k8 s: Q# K
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'5 Q4 k. }" J- H5 F% V4 |" e4 U" }
' T8 q& p4 t: h- m
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 O" e% A2 U& U" L+ @0 dfunction to do the same job:6 c& b3 R0 W1 S: K
$ P7 J4 d, J& k; @ C3 {
push 00 ; OF_READ# w7 P, ^$ O6 g- m
mov eax,[00656634] ; '\\.\SICE',05 q. I8 P% W% ]5 s# n6 _4 _$ [
push eax: _+ e! z- D/ p
call KERNEL32!_lopen0 ~& K6 s* b0 e! j, I
inc eax0 A7 a/ l* w/ {- x# q+ ?+ i# ]8 _
jnz 00650589 ; detected+ s4 }/ Z; C8 E" q
push 00 ; OF_READ
: Y9 i% j- Y- v" } a3 P! Q$ d mov eax,[00656638] ; '\\.\SICE'8 b7 n4 O# S1 t' ` \. w
push eax
0 ~2 C7 R+ Y- U& o" M call KERNEL32!_lopen ^! _. b/ y: j9 Z7 ~6 H
inc eax
0 o- t2 ?. u! _2 e jz 006505ae ; not detected, v! C, }5 b C# z0 Q: ?% `+ k6 j+ s
) l3 T' C8 M$ u2 r4 { _% l1 }( Z2 a0 d- u( h, _/ z& A3 A
__________________________________________________________________________, ]) n! ~, |, b3 [5 c" A
m7 t: I+ ~ y4 h' lMethod 12$ h6 y) z- m' _" {3 J0 \
=========3 n3 L) N$ q$ w# R2 ]1 `# Y3 [
& K P Y( @0 {! W
This trick is similar to int41h/4fh Debugger installation check (code 05) _; K( f8 I. H
& 06) but very limited because it's only available for Win95/98 (not NT)9 I9 s, C* _* B& K. k5 Q
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.1 ~7 B& I5 J, a6 F7 w/ K
8 n B7 |4 l0 H7 ~- b }6 a push 0000004fh ; function 4fh
8 B" A" N+ H+ B- x V push 002a002ah ; high word specifies which VxD (VWIN32)- l/ c( |' z4 S1 [( T n7 X
; low word specifies which service
7 G) d- z/ [3 ]! T3 K6 V (VWIN32_Int41Dispatch)0 ~( q2 z9 ] l& ]
call Kernel32!ORD_001 ; VxdCall% A& e0 j1 E8 I
cmp ax, 0f386h ; magic number returned by system debuggers
: Z5 d6 f" o8 n( u0 a L9 m. M+ i8 r jz SoftICE_detected1 ?% z$ U6 S i5 D: G9 L
" z) p6 Q$ Y8 I [. ^
Here again, several ways to detect it:
: M# r$ ~( h% a( O& W: Y& Z) d0 q g h( }" A7 x' L7 T) b# S
BPINT 41 if ax==4f! l) ~; N0 n9 J# V- @: t) m! K* e
2 j! K% ]% L( {8 N0 s5 O BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one/ [& F$ R' q' k+ E
) X* z) f$ a" _# ` BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A6 w) V7 C- _/ A
* _' \, N, \: k% W* d
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!4 O8 W5 i% U& F; Y
" F+ F2 t. p( A& u+ r__________________________________________________________________________" M& Y4 w8 Y: V0 T: H
# h d' }5 l% L9 p
Method 137 o% n; T9 S4 P" j) a9 o
========= a6 l6 \, o6 t
6 w- H9 C3 m r- M! ?5 U5 J
Not a real method of detection, but a good way to know if SoftICE is% M# [1 I7 A; c8 P V# c! [
installed on a computer and to locate its installation directory.
; G% o7 s7 p6 _' G* ~; d( E+ U* HIt is used by few softs which access the following registry keys (usually #2) :- ]) k4 J$ Y9 | K$ Y
" Z/ C# |; E$ s-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ w+ b3 B+ o0 P, p# F\Uninstall\SoftICE* l0 P% [) V- e4 `; }5 e
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
9 h% H: e- F6 y' h6 l+ ^* F, Q5 \-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 p0 M* c2 T3 m/ F
\App Paths\Loader32.Exe
" `& g ~7 m( U7 }; _8 s9 q" J( n4 D, H& o( c
/ O L: I& I/ m1 W* Z
Note that some nasty apps could then erase all files from SoftICE directory
9 @. O% @/ F h5 i(I faced that once :-(# \- T% `, V' [4 J) _
! e, Z2 ?. r$ [9 N% e/ V2 \
Useful breakpoint to detect it:
* g5 j8 a2 [2 c( ]+ c' y. J% r5 K1 Y8 ^
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
" g0 N& P" T/ ^% v" U8 B
% Y* _+ r, g, H/ x__________________________________________________________________________
/ [2 M6 o/ H: s) M" z# q9 w, c3 s" z0 h5 V2 Y; g% Y
) y# X$ w6 \ F, x; i- UMethod 14 - y& i$ M6 d0 w. d/ y
=========! A# D8 V+ G8 N' q( D+ G0 G
* i/ `: S# F; u& \A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, i/ K. J: y3 ~6 P* n a2 G; s
is to determines whether a debugger is running on your system (ring0 only).
5 A1 m4 L% V! k# s0 Q
" c2 s: c/ c p/ \- T VMMCall Test_Debug_Installed
7 Q% P1 p! p" V) G& n# [5 f je not_installed* A1 k3 n5 c! P3 @0 F( y0 K
- ?% @ I: Z% q" N9 r0 K; `This service just checks a flag.5 z% q, P+ W5 i+ S* R3 V
</PRE></TD></TR></TBODY></TABLE> |