<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE.

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
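As an added example (not part of the original text), here is a small Python scanner that flags the 'BCHK' int 3 check (method 01) and the SI=4647h/DI=4A4Dh back door sequence (method 02) in a raw code dump, so an analyst can spot the tricks statically instead of stepping into them. The x86 byte encodings used are the standard ones; the sample bytes are hand-assembled from the listings above, not dumped from Haspinst.exe.

```python
import re

# Back door function numbers (AX) as listed in the text.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

_INT3 = rb"(?:\xCC|\xCD\x03)"          # int 3, short (CC) or long (CD 03) form

SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK', bytes BD 4B 48 43 42) then int 3
    "bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?" + _INT3, re.DOTALL),
    # method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) in either
    # order, then int 3 within a few bytes
    "sice_backdoor_int3": re.compile(
        rb"(?:\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46)"
        rb".{0,12}?" + _INT3, re.DOTALL),
}

# mov ax,09xxh (B8 xx 09) with xx in 10h..14h: the back door function selector
_MOV_AX_FUNC = re.compile(rb"\xB8([\x10-\x14])\x09")


def scan(data, lookback=16):
    """Return sorted (offset, signature, detail) tuples for every hit in data."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(data):
            detail = ""
            if name == "sice_backdoor_int3":
                # the function selector is normally loaded just before the magic values
                window = data[max(0, m.start() - lookback):m.start()]
                found = _MOV_AX_FUNC.findall(window)
                if found:
                    func = 0x0900 | found[-1][0]
                    detail = "AX=%04Xh (%s)" % (func, BACKDOOR_FUNCS[func])
            hits.append((m.start(), name, detail))
    return sorted(hits)


# Constructed sample (hand-assembled, not dumped from Haspinst.exe): the 16-bit
# loop from the text followed by the 32-bit 'BCHK' check from method 01.
SAMPLE = bytes.fromhex(
    "90 90"             # filler
    "B8 11 09"          # mov ax,0911h   (execute command)
    "8B 17"             # mov dx,[bx]
    "BE 47 46"          # mov si,4647h
    "BF 4D 4A"          # mov di,4A4Dh
    "CC"                # int 3
    "83 C3 02 41"       # add bx,2 / inc cx
    "BD 4B 48 43 42"    # mov ebp,4243484Bh ('BCHK')
    "66 B8 04 00"       # mov ax,4
    "CC"                # int 3
    "3C 04"             # cmp al,4
)
```

Running scan(SAMPLE) reports the back door sequence at offset 7 with AX=0911h and the BCHK check at offset 18.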

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of winice
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install a dummy int 41h handler (assumes es = 0,
    xchg bx, es:[41h*4+2]       ; i.e. the IVT) while saving the old vector in bx:dx
    mov ax,4fh
    int 41h                     ; the dummy handler leaves ax unchanged
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; a debugger hooking int 41h still answers 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; copy the value passed in al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; es = 0: interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read a changing value from the timer port
    xor cx,cx
    int 41h                     ; if our handler runs, cl == al afterwards
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected        ; the int was swallowed: a debugger handled it

_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
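As an added example (not from the original text), the following Python decodes a DR7 value the way such a ring0 check would interpret it and lists the hardware breakpoints (BPMs) armed in dr0..dr3; the bit layout is the documented x86 one, the 0x700 loader signature is the text's own observation, and the sample register values are constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i      L<i>  local enable for DR<i>       (i = 0..3)
#   bit 2i+1    G<i>  global enable for DR<i>
#   bit 8 / 9   LE / GE  exact-breakpoint flags
#   bit 10      reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13      GD    general detect (trap on any debug-register access)
#   bits 16+4i  R/W<i>  00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i  LEN<i>  00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the global flags and the list of armed breakpoints in dr7."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                        # DR<i> not enabled
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({
            "index": i,
            "address": dr0_3[i],
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & 0x100),
        "GE": bool(dr7 & 0x200),
        "GD": bool(dr7 & 0x2000),
        "breakpoints": bps,
    }


def debugger_hints(dr7, dr0_3=(0, 0, 0, 0)):
    """Map the register state onto the two observations made in the text:
    dr7 == 0x700 (LE and GE set on top of the 0x400 baseline) when the program
    was started from the SoftICE loader, and BPMs armed in dr0..dr3."""
    st = decode_dr7(dr7, dr0_3)
    loader_signature = (dr7 & 0x700) == 0x700
    return loader_signature, [bp["address"] for bp in st["breakpoints"]]


# Constructed sample values (not captured from a real system):
#   0x400       clean: no loader signature, no BPMs
#   0x700       the value the text reports under the SoftICE loader
#   0x000F0402  G0 set, R/W0 = read/write, LEN0 = 4 bytes: one 4-byte BPM
#               on the address held in DR0
SAMPLES = [(0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
           (0x000F0402, (0x401000, 0, 0, 0))]
```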
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-0014
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxDCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>