<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of packers/encryptors found on the Internet. It probes the
BoundsChecker interface that SoftICE exposes through int 3: EBP carries
the 'BCHK' signature and AX the function number. Without SoftICE the
int 3 returns with AX untouched; when SoftICE is resident it answers the
call and AL no longer holds 4, which is what the check looks for.

  mov ebp, 04243484Bh   ; 'BCHK' signature expected by SoftICE
  mov ax, 04h           ; BoundsChecker interface function
  int 3
  cmp al, 4             ; AL still 4 -> nobody answered the call
  jnz SoftICE_Detected  ; AL changed -> SoftICE serviced the int 3

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It goes
through the SoftICE 'back door' on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the back door functions:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires before it services the call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command string (see below)
4C19:009A MOV SI,4647    ; 1st magic value
4C19:009D MOV DI,4A4D    ; 2nd magic value
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 points to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands
4C19:00AA JMP 0002       ; Bad_Guy: jump back
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands whose strings are
pointed to by ds:dx, namely: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00AD" is performed via an exception handler when the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less common method. It asks for the SoftICE VxD API entry point via
int 2Fh, function 1684h (Get Device API Entry Point): BX holds the VxD ID
and ES:DI comes back as 0:0 when no such VxD is loaded.

  xor di,di
  mov es,di             ; ES:DI = 0:0 before the call
  mov ax, 1684h         ; Get Device API Entry Point
  mov bx, 0202h         ; VxD ID of WINICE (SICE)
  int 2Fh
  mov ax, es            ; ES:DI -> VxD API entry point, 0:0 if absent
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it asks for the ID of the
SoftICE video VxD (SIWVID).

  xor di,di
  mov es,di             ; ES:DI = 0:0 before the call
  mov ax, 1684h         ; Get Device API Entry Point
  mov bx, 7a5Fh         ; VxD ID of SIWVID
  int 2fh
  mov ax, es            ; ES:DI -> VxD API entry point, 0:0 if absent
  add ax, di
  test ax,ax
  jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh (debugger installation check)
is called. There are several variants.

The following one is the simplest:

  mov ax,4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). It temporarily replaces the
int 41h vector with a do-nothing handler: if nothing hooks the interrupt
before the IVT, AX stays at 4Fh, whereas a resident SoftICE still answers
0F386h. ES must point to segment 0 (the IVT), as in Method 06:

  xor ax,ax
  mov es,ax                   ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]         ; install our handler, old offset -> DX
  xchg bx, es:[41h*4+2]       ; old segment -> BX
  mov ax,4fh
  int 41h
  xchg dx, es:[41h*4]         ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret                        ; plain return: AX is left as the caller set it
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
because no 4Fh/0F386h constant appears anywhere. The program installs its
own int 41h handler, which copies AL into CL; it then loads AL with an
arbitrary byte from the timer port, zeroes CX and calls int 41h. If the
IVT handler ran, CL equals AL afterwards. The check relies on SoftICE
servicing int 41h itself instead of passing it on to the vector in the
IVT: CL then stays 0 and the mismatch gives the debugger away. (Caveat:
when the timer byte happens to be 0 the check misses, so it is not fully
reliable.)

int41handler PROC
  mov cl,al             ; proof that our handler was reached
  iret
int41handler ENDP

  xor ax,ax
  mov es,ax             ; ES = 0 -> interrupt vector table
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]   ; install our handler, keep the old vector in BX:DX
  xchg bx, es:[41h*4+2]
  in al, 40h            ; arbitrary byte from the PIT counter
  xor cx,cx
  int 41h
  xchg dx, es:[41h*4]   ; restore the original vector
  xchg bx, es:[41h*4+2]
  cmp cl,al
  jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). AH = 43h is the
debugger installation check on that interrupt and returns the same 0F386h
magic number as int 41h/4Fh.

  mov ah,43h
  int 68h
  cmp ax,0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

  BPX exec_int if ax==68
  (the interrupt being executed is at byte ptr [ebp+1Dh] and the client
  EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a SoftICE detection method, but a way to crash the system: the program
intercepts int 01h and int 03h (the trace and breakpoint interrupts a
debugger depends on) and redirects them to a routine of its own.
It uses int 21h functions 35h (get interrupt vector) and 25h (set
interrupt vector); DS:DX points to the new routine to execute (hangs the
computer...).

  mov ah, 25h                     ; set interrupt vector
  mov al, Int_Number              ; 01h or 03h
  mov dx, offset New_Int_Routine  ; DS:DX -> new handler
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The VMM Get_DDB service tells whether a VxD is installed for the given
device and returns its Device Description Block (in ECX) if it is.

  mov eax, Device_ID    ; 202h for SICE or 7A5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used when there is no VxD ID (useless here ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before trying this, and DO NOT trace
with SoftICE while the protection is active!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can tell whether SoftICE is loaded (DR7 = 0x700 if the program was
started with the SoftICE loader, 0x400 otherwise) and whether any memory
breakpoints (BPM) are set, since they live in DR0 to DR3. The values can
be manipulated or changed as well (clearing BPMs, for instance).
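What such a ring-0 check actually sees in the registers, as an added example (Python, not code from the original text): the 0x400 and 0x700 values quoted above decoded field by field according to the IA-32 DR7 layout, plus a constructed DR0/DR7 pair for a single BPM so that the "are there memory breakpoints" and "clear the BPMs" variants can be followed. The breakpoint address and the choice of the local-enable bit for the BPM are assumptions of the example; only the register layout is fixed by the architecture.

```python
"""Decode x86 debug registers the way a ring-0 anti-SoftICE check reads them.

Added example, not code from the original text. IA-32 DR7 layout:
  bits 0..7     L0,G0 .. L3,G3  local/global enable for slots 0..3 (DR0..DR3)
  bits 8, 9     LE, GE          local/global exact breakpoint enable
  bit  10       reserved, reads as 1  (hence the 0x400 baseline in the text)
  bit  13       GD              general detect: trap on any MOV to/from DRn
  bits 16+4n    R/Wn            00 execute, 01 write, 10 I/O, 11 read/write
  bits 18+4n    LENn            00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}          # the 8-byte length is 64-bit only
DR7_LE_GE = 0x300                               # bits 8 and 9
DR7_GD = 0x2000                                 # bit 13
DR7_RESERVED = 0x400                            # bit 10, always set


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int
    address: int
    local_enable: bool
    global_enable: bool
    kind: str
    length: int


def active_breakpoints(dr7: int, dr0_3: Sequence[int]) -> List[HwBreakpoint]:
    """Hardware breakpoints armed in DR7; SoftICE BPMs show up here."""
    found = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        found.append(HwBreakpoint(n, dr0_3[n], local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return found


def debugger_indicators(dr7: int, dr0_3: Sequence[int]) -> Dict[str, object]:
    """What a Method 10 style check concludes from the register values."""
    return {
        "exact_flags": bool(dr7 & DR7_LE_GE),    # 0x700 vs 0x400 in the text
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": len(active_breakpoints(dr7, dr0_3)),
    }


def arm_breakpoint(dr7: int, slot: int, kind: str, length: int) -> int:
    """DR7 with one slot armed via its local-enable bit (assumed here for a BPM)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot))            # clear the slot's R/W and LEN fields
    return dr7 | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


def clear_breakpoints(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop every enable, R/W and LEN field."""
    return dr7 & 0x0000FF00                      # keep LE/GE/GD and the reserved bit


if __name__ == "__main__":
    for label, dr7 in (("plain Win9x", DR7_RESERVED), ("SoftICE loader", 0x700)):
        print(f"{label:15} DR7={dr7:#07x} {debugger_indicators(dr7, [0] * 4)}")
    # Constructed: the loader's 0x700 plus one write breakpoint on a made-up address.
    dr7 = arm_breakpoint(0x700, 0, "write", 4)
    regs = [0x401000, 0, 0, 0]
    print(f"with one BPM    DR7={dr7:#07x} {active_breakpoints(dr7, regs)}")
    print(f"after clearing  DR7={clear_breakpoints(dr7):#07x}")
```

Reading DR0-DR7 needs a `mov eax, drN` executed in ring 0, which is why the text restricts this to a VxD; the functions above only model what those reads return. Note that clearing the slot fields leaves 0x700 intact, so the "loaded from the SoftICE loader" indicator survives even after a protection wipes the BPMs.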
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active (the code is
located inside nmtrans.dll).
The way it works is very simple: it tries to open a handle to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. The open only succeeds when the driver is loaded.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA the request goes through VWIN32 service
0x001F (_VWIN32_ReleaseWin32Mutex, reached via Kernel32!ORD_0001/VxDCall),
which then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the Carry flag
on DIOC_OPEN, which lets the handle be opened, and SoftICE is thereby
detected. You can check that simply by hooking the Winice.exe control proc
entry point while running MeltICE.

  00401067: push 00402025      ; "\\.\SICE"
  0040106C: call CreateFileA
  00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE ?
  00401074: je 00401091        ; yes -> not loaded

There are hundreds of BPX you could use to catch this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                  ; OF_READ
  mov eax,[00656634]       ; -> "\\.\SICE",0
  push eax
  call KERNEL32!_lopen
  inc eax                  ; HFILE_ERROR (-1) becomes 0
  jnz 00650589             ; handle obtained -> detected
  push 00                  ; OF_READ
  mov eax,[00656638]       ; -> second device name (presumably "\\.\SIWVID")
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae              ; both opens failed -> not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT): it uses the VxDCall back door to reach
VWIN32_Int41Dispatch from ring 3. This detection was found in the Bleem
demo.

  push 0000004fh          ; function 4Fh (debugger installation check)
  push 002a002ah          ; high word selects the VxD (002Ah = VWIN32),
                          ; low word the service (002Ah = VWIN32_Int41Dispatch)
  call Kernel32!ORD_0001  ; VxDCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to catch it:

  BPINT 41 if ax==4f
  BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one
  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where "tICE" sits in keys #2 and #1 respectively):

  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

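A static triage pass over a binary for the tricks catalogued so far, as an added example (Python, not code from the original text or from any of the tools and programs it names): it encodes the instruction sequences of Methods 01 to 07 and 12 and the device and registry strings of Methods 11 and 13 as byte-level regular expressions and reports where they occur. Method 06 deliberately carries no 4Fh/0F386h constant, so its pattern keys on `in al,40h` followed by `int 41h` and is correspondingly weaker; Methods 09, 10 and 14 are ring-0 service calls with no fixed byte signature and are not covered. The sample image at the bottom is hand-assembled for the example.

```python
"""Static scan of a binary for the anti-SoftICE tricks catalogued above.

Added example, not code from the original text or from any tool it names.
Each signature is a byte-level regular expression for the x86 encoding of
the instruction sequences shown in Methods 01-07 and 12, or for the
device/registry strings of Methods 11 and 13. The sample blob below is
constructed by hand to exercise every signature.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Optional 66h operand-size prefix: 'mov ax,imm16' is B8 in 16-bit code but
# 66 B8 in 32-bit code (and 'mov ebp,imm32' the other way round).
P = rb"(?:\x66)?"

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]  # Method 11


def utf16le(s: bytes) -> bytes:
    """Wide-character form of an ASCII name, for CreateFileW-style callers."""
    return s.decode("ascii").encode("utf-16-le")


SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "BoundsChecker back door: mov ebp,'BCHK' ... int 3",
     P + rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02", "SoftICE back door: mov si,4647h / mov di,4A4Dh ... int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     P + rb"\xB8\x84\x16.{0,8}?" + P + rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h followed by cmp ax,0F386h",
     P + rb"\xB8\x4F\x00.{0,4}?\xCD\x41.{0,16}?" + P + rb"\x3D\x86\xF3"),
    ("06", "in al,40h / xor cx,cx / int 41h (Stone's variant, no constant)",
     rb"\xE4\x40.{0,4}?(?:\x31\xC9|\x33\xC9)\xCD\x41"),
    ("07", "mov ah,43h / int 68h followed by cmp ax,0F386h",
     rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?" + P + rb"\x3D\x86\xF3"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("11", "MeltICE device name (ANSI or UTF-16LE)",
     b"|".join(re.escape(n) for n in DEVICE_NAMES + [utf16le(n) for n in DEVICE_NAMES])),
    ("13", "SoftICE registry key path",
     rb"(?i:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    description: str
    matched: bytes


def scan(data: bytes) -> List[Hit]:
    """Every signature match in the image, sorted by file offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in re.finditer(pat, data, re.DOTALL):
            hits.append(Hit(m.start(), method, desc, m.group(0)))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> List[str]:
    """Distinct method numbers seen, for a one-line triage summary."""
    return sorted({h.method for h in scan(data)})


# Constructed sample image: hand-assembled fragments of each trick, padded
# with NOPs so neighbouring sequences do not run into each other's wildcards.
PAD = b"\x90" * 24
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10" + PAD   # 01, 16-bit code
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC" + PAD           # 02, Haspinst style
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F" + PAD           # 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02" + PAD                   # 05
    + b"\xE4\x40\x33\xC9\xCD\x41\x38\xC1\x75\x02" + PAD                   # 06
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x02" + PAD                       # 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00" + PAD       # 12
    + b"\\\\.\\SICE\x00" + utf16le(b"\\\\.\\NTICE") + b"\x00\x00" + PAD  # 11, ANSI + wide
    + b"Software\\NuMega\\SoftICE\x00"                                   # 13
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    for h in scan(data):
        print(f"{h.offset:08x}  Method {h.method:<5} {h.description}  [{h.matched.hex()}]")
```

Run it as `python scan.py file.exe` to see which checks a packer performs before single-stepping it; without an argument it scans the constructed sample. The 66h prefix alternatives cover both 16-bit and 32-bit code segments, but the wildcard gaps are short on purpose, so a protection that interleaves junk instructions or builds the constants at run time will slip past them.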
__________________________________________________________________________

Method 14
=========

A call to the VMM Test_Debug_Installed service. As the name says, it
determines whether a debugger is running on the system (ring 0 only).
The service returns with the Zero flag set when no debugger is installed.

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>