<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es is assumed to point to the interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]   ; ...saving the old vector in bx:dx
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a pseudo-random value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al: our handler was not the one that ran
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
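The two DR7 values quoted above (0x700 and 0x400) are easier to read once the register is split into its fields. The following Python is an added example, not part of the original text and not SoftICE code: it decodes DR7 according to the IA-32 bit layout (L0-L3/G0-G3 enable bits, LE/GE, GD, and the R/W and LEN pairs), lists which hardware breakpoint slots are armed, and runs on constructed sample values. It does not read the real registers, which, as the text says, needs ring0.

```python
# Added example, not part of the original text: decode the DR7 debug control register
# so that the values quoted for Method 10 (0x700 and 0x400) can be read field by field.
# Bit layout is the IA-32 one (Intel SDM vol. 3, "Debug Registers"); the sample values
# below are constructed, nothing here touches the real registers.

RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into named fields; one entry per hardware breakpoint slot 0..3."""
    fields = {
        "LE": bool(dr7 & (1 << 8)),      # local exact breakpoint enable (legacy bit)
        "GE": bool(dr7 & (1 << 9)),      # global exact breakpoint enable (legacy bit)
        "bit10": bool(dr7 & (1 << 10)),  # reserved, architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),     # general detect: fault on MOV to/from DRx
        "slots": [],
    }
    for i in range(4):
        fields["slots"].append({
            "L": bool(dr7 & (1 << (2 * i))),        # local enable  (L0..L3)
            "G": bool(dr7 & (1 << (2 * i + 1))),    # global enable (G0..G3)
            "rw": RW_KIND[(dr7 >> (16 + 4 * i)) & 0b11],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 0b11],
        })
    return fields


def active_breakpoints(dr7: int, dr0: int, dr1: int, dr2: int, dr3: int) -> list:
    """(slot, address, kind, length) for every slot that is enabled locally or globally."""
    addrs = (dr0, dr1, dr2, dr3)
    return [
        (i, addrs[i], slot["rw"], slot["len"])
        for i, slot in enumerate(decode_dr7(dr7)["slots"])
        if slot["L"] or slot["G"]
    ]


def describe_dr7(dr7: int) -> str:
    """One-line summary: the text's 0x700 differs from 0x400 only in LE and GE."""
    f = decode_dr7(dr7)
    armed = sum(1 for s in f["slots"] if s["L"] or s["G"])
    return (f"dr7={dr7:#x}: LE={int(f['LE'])} GE={int(f['GE'])} "
            f"GD={int(f['GD'])} armed_slots={armed}")


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(describe_dr7(value))
    # constructed sample: slot 0 armed locally as a 4-byte write watchpoint (a BPM-style breakpoint)
    sample_dr7 = 0x400 | 0b1 | (0b01 << 16) | (0b11 << 18)
    print(describe_dr7(sample_dr7))
    print(active_breakpoints(sample_dr7, 0x401000, 0, 0, 0))
```

Decoding shows that 0x400 is only the always-set bit 10 with no slot enabled, and that 0x700 adds just LE and GE; the BPM-style breakpoints the text mentions would instead show up as L/G bits together with a non-exec R/W pair in the slot fields, which is what active_breakpoints() reports.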

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
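An analyst who meets these tricks in an unknown binary usually wants a static triage pass before single-stepping anything. The following Python scanner is an added example, not from the original text and not from any of the programs named in it: it looks for the byte patterns of Methods 01, 02, 03/04, 05, 07 and 12 and for the MeltICE device names of Method 11 (ASCII and UTF-16LE). The byte encodings are my assumptions about how an assembler emits each snippet in the stated operand-size mode, and the sample buffer is constructed, so a hit is a lead to confirm with one of the breakpoints listed above, not proof on its own.

```python
import re
import sys

# Added example, not from the original text: a static scanner for the anti-SoftICE
# patterns described in Methods 01-12 and the MeltICE device names of Method 11.
# The byte encodings are my own assumptions about how an assembler emits each snippet
# in the operand-size mode noted beside it; a snippet assembled differently will not match.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') in 32-bit code
    ("M01 BoundsChecker 'BCHK' int3 check", rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h ... mov di,4A4Dh (16-bit code), a few bytes apart at most
    ("M02 SoftICE int3 backdoor magic SI/DI", rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ... int 2Fh (16-bit code)
    ("M03/04 int 2Fh/1684h VxD entry lookup", rb"\xb8\x84\x16.{0,8}?\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h (16-bit code)
    ("M05 int 41h/4Fh debugger check", rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h WinICE handler check", rb"\xb4\x43\xcd\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (32-bit code, push-imm8 or push-imm32 form)
    ("M12 VxDCall VWIN32_Int41Dispatch", rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # cmp ax,0F386h: shared by Methods 05/06/07/12; only three bytes, so weak on its own
    ("magic 0F386h compare (weak)", rb"\x3d\x86\xf3"),
]
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]  # Method 11 (MeltICE)


def utf16le(name: bytes) -> bytes:
    """UTF-16LE form of an ASCII device name, as a CreateFileW string would carry it."""
    return name.decode("ascii").encode("utf-16-le")


def scan(data: bytes) -> list:
    """Return sorted (offset, description) pairs for every signature and device name found."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in re.finditer(pat, data, re.DOTALL):
            hits.append((m.start(), desc))
    for name in DEVICE_NAMES:
        for needle, enc in ((name, "ascii"), (utf16le(name), "utf-16le")):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((idx, f"M11 device name {name.decode()} ({enc})"))
                start = idx + 1
    return sorted(hits)


# Constructed sample: NOP sled, the Method 05 check, then a MeltICE device name string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
)


def main(argv):
    """Scan the file given on the command line, or the constructed sample if none."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, desc in scan(data):
        print(f"{offset:#010x}  {desc}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a file path to scan that file, or with no argument to see the hits on the constructed sample (the int 41h check at offset 16, the weak 0F386h compare right after it, and the device name at offset 34). The UTF-16LE search matters for Win32 builds that call CreateFileW, which the original C sample does not cover.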

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>