<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI == 0000:0000 means no such VxD
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0000h, the interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our dummy handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; if a debugger answers int 41h itself, ax comes back as 0F386h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret ; our handler changes nothing, so ax stays 4Fh without a debugger
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler only copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0000h, the interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 in al, 40h ; al = a changing byte from the PIT counter
 xor cx,cx ; cl = 0 before the call
 int 41h ; if our handler runs, cl becomes al; if a debugger takes int 41h, cl stays 0
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
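An added example (not part of the original text) that decodes the DR7 values quoted above field by field, following the Intel debug-register layout: 0x400 is only the reserved bit 10 that always reads as 1, 0x700 adds the LE and GE exact-breakpoint enables, and an armed BPM shows up as an L/G enable in bits 0-7 with its condition and length in bits 16-31.

```python
# Added example (not part of the original text): decode the x86 DR7 control
# register so the values quoted for Method 10 can be read field by field.
# Layout per the Intel SDM: bits 0-7 = L0,G0 .. L3,G3 enables, bit 8 = LE,
# bit 9 = GE, bit 10 = reserved (always reads as 1, hence the 0x400),
# bit 13 = GD, bits 16-31 = R/Wn and LENn pairs for the four slots.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b (8 bytes) is 64-bit only

def decode_dr7(dr7):
    """Return the global flags and a list of armed breakpoint slots."""
    slots = []
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))
        global_en = bool(dr7 & (1 << (2 * n + 1)))
        if not (local_en or global_en):
            continue                      # slot n holds no breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 3    # break condition for slot n
        ln = (dr7 >> (18 + 4 * n)) & 3    # watched length for slot n
        slots.append({"slot": n, "local": local_en, "global": global_en,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),
        "slots": slots,
    }

def exact_breakpoints_enabled(dr7):
    """True for the 0x700 shape the text attributes to the SoftICE loader."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]

def armed_bpm_slots(dr7):
    """Slot numbers (dr0..dr3) currently holding a memory breakpoint."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"]]

def describe(dr7):
    """One readable line per armed slot, e.g. for an analyst's notes."""
    return [f"dr{s['slot']}: {s['type']} len={s['length']} "
            f"{'global' if s['global'] else 'local'}"
            for s in decode_dr7(dr7)["slots"]]

if __name__ == "__main__":
    # 0x400: reserved bit only; 0x700: LE+GE; third: plus a 4-byte R/W BPM on dr0
    for v in (0x400, 0x700, 0x700 | 1 | (3 << 16) | (3 << 18)):
        print(hex(v), exact_breakpoints_enabled(v), describe(v))
```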
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* open the SoftICE VxD by its device name */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver answered: SoftICE is loaded */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
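The breakpoints above catch these checks at run time; an analyst triaging a sample without running it wants the same tricks as static byte signatures. The following is an added example (not from the original text, not a real tool) that encodes the key instructions of Methods 01-07, 11, 12 and 13 as regular expressions over raw bytes and runs them over a constructed buffer; the signature names and the sample bytes are this example's own.

```python
import re

# Added example (not from the original text): static signatures for the
# anti-SoftICE checks of Methods 01-07, 11, 12 and 13, as an analyst would
# write them for triage. Each pattern is the x86 encoding of the instructions
# the text lists; the optional 0x66 prefix covers 16-bit and 32-bit operand
# size, and ".{0,8}" tolerates a few bytes between the key instructions.
SIGNATURES = {
    # mov ebp,'BCHK' ; mov ax,4 ; int 3   (BoundsChecker handshake)
    "m01_boundschecker": rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}(?:\x66)?\xB8\x04\x00.{0,8}\xCC",
    # mov si,4647h ; mov di,4A4Dh ; int 3  (back-door magic values)
    "m02_backdoor_magic": rb"(?:\x66)?\xBE\x47\x46.{0,8}(?:\x66)?\xBF\x4D\x4A.{0,8}\xCC",
    # mov ax,1684h ; mov bx,0202h ; int 2Fh  (SICE VxD entry point)
    "m03_int2f_sice": rb"(?:\x66)?\xB8\x84\x16.{0,8}(?:\x66)?\xBB\x02\x02.{0,8}\xCD\x2F",
    # same with VxD ID 7A5Fh  (SIWVID)
    "m04_int2f_siwvid": rb"(?:\x66)?\xB8\x84\x16.{0,8}(?:\x66)?\xBB\x5F\x7A.{0,8}\xCD\x2F",
    # mov ax,4Fh ; int 41h
    "m05_int41_4f": rb"(?:\x66)?\xB8\x4F\x00.{0,16}\xCD\x41",
    # mov ah,43h ; int 68h
    "m07_int68_43": rb"\xB4\x43.{0,8}\xCD\x68",
    # cmp ax,0F386h  (shared by Methods 05, 06, 07 and 12)
    "magic_f386_compare": rb"(?:\x66)?\x3D\x86\xF3",
    # \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE-style open)
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # push 4Fh ; push 2A002Ah  (VWIN32_Int41Dispatch through VxDCall)
    "m12_vxdcall_int41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # registry key #2 from Method 13
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}

def scan(buf):
    """Return sorted (offset, signature_name) pairs for every hit in buf."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample: hand-assembled fragments, not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03 (16-bit)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # Method 12 push/push/call
    + b"\x66\x3D\x86\xF3"                                  # cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 device names
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x} {name}")
```

Byte signatures of this kind are only a triage hint: a packer can reorder or split the instructions, so a hit means "look here", not "confirmed".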

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>