<TABLE width=500>2 _! I1 M' N. n, D# ]' l
<TBODY>4 i; @: B5 r+ p; n& K
<TR>- c5 ?0 z7 x$ e
<TD><PRE>Method 01 ) \# K4 ~0 R/ i7 m* V
=========- W6 P( n' T4 j# \
8 N/ |# a8 }0 W
This method of detection of SoftICE (as well as the following one) is* H. L @( }! y
used by the majority of packers/encryptors found on Internet.: j4 O8 c5 Z J0 \7 W
It seeks the signature of BoundsChecker in SoftICE# O. I# \" l/ h- r# g p. |( x
7 a. E7 v0 M" `3 N mov ebp, 04243484Bh ; 'BCHK'% I5 ]6 N/ O( l3 r
mov ax, 04h
/ ?( g: ~- Z" ]* x% }) r, |, r1 N5 Z int 3
X! F$ x! H1 y! A( B# T/ _ cmp al,4
: M% X0 c# L$ \8 V. H, { jnz SoftICE_Detected; D( m$ _. B/ @# r; b! I
. d8 l/ e! ^, P) @% q1 W___________________________________________________________________________
$ A2 w# K6 c. }- [" \8 y: n6 b
) x( ]& n T8 _- ~6 ^0 aMethod 02, i$ g" O2 F8 |& D5 O% L
=========" S0 N' J( u0 |( R( o' \' z8 k
1 _ w, C6 y" N7 G
Still a method very much used (perhaps the most frequent one). It is used5 K( [" k$ `; `2 _3 J3 z$ r( \' U! A) P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% z9 F/ L4 C; ror execute SoftICE commands...
5 N/ R- U- @% a+ K4 u! sIt is also used to crash SoftICE and to force it to execute any commands. r5 O. X Z, `1 f+ w
(HBOOT...) :-((
. c! o/ ~% l' { s0 p+ F! Y" D& L' w9 Y/ a: [
Here is a quick description:
2 a- L9 @9 M2 r+ q-AX = 0910h (Display string in SIce windows), e) M1 F$ w$ \' j; |, P8 @$ O
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)7 X0 a3 h3 o9 y: Z8 D8 u4 f) ]# J
-AX = 0912h (Get breakpoint infos)/ D; a0 ^. x' n
-AX = 0913h (Set Sice breakpoints)
1 t) {# M1 x2 m. J+ |-AX = 0914h (Remove SIce breakoints)# i) _7 y/ ^6 e/ S
( f7 t4 F6 F' ^! j3 R9 o4 ~4 yEach time you'll meet this trick, you'll see:
, F0 c0 s0 J! c& J ]9 K-SI = 4647h
5 z2 q s' H" C, ]! N-DI = 4A4Dh2 R4 O1 a) j- Z, _+ k3 S
Which are the 'magic values' used by SoftIce.
/ P) @0 h& @4 k9 C: u. ~For more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 N( d* U% Q P
* Z, P$ n$ c$ v9 W3 E
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ t3 P8 p+ h* O& SEnvelope utility use to protect DOS applications:) `) a9 T# s) `3 O: r# z
8 | q: c0 b5 i; N
* s: F1 Y! `. `3 M: q7 e, p$ H4C19:0095 MOV AX,0911 ; execute command.4 s* R1 B2 Y) S3 B) a
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).6 d2 T/ b& P" ]. m5 J2 ~6 X
4C19:009A MOV SI,4647 ; 1st magic value.
, G. y) [3 o2 Y5 Q% P! I4C19:009D MOV DI,4A4D ; 2nd magic value.
7 N t. x+ R5 Y; S4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& }7 g4 i/ ?, |; ^4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
+ L( X; D' h6 I* J4C19:00A4 INC CX( u% _- J) Z& b
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute8 Z0 e, ]0 y0 Y" |1 D) J
4C19:00A8 JB 0095 ; 6 different commands.
* n0 t: h/ G' w+ b: C5 \7 B4C19:00AA JMP 0002 ; Bad_Guy jmp back.6 P# \5 {& [2 ?- |
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
- `) I8 b6 }/ L6 o
' ~, R9 d- _7 q* ~ j: F' q, r. ?/ MThe program will execute 6 different SIce commands located at ds:dx, which* W5 w% D! m4 ], N
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 s' T2 \3 C. a$ f& W+ M0 E+ C0 b9 |6 n4 P8 V6 l
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
: X' k% ?0 v c- V5 e1 l ____________________________________________________________________________
' j2 p3 s$ \# _. F0 X- U
0 n4 T3 z. v% A" k9 T8 ~
! S% y/ H% b( X, @6 \+ R! r$ L; @6 uMethod 03
% C! ?! Q0 C- X=========" y5 R- b% }( K# b# R$ H" a( a
; A, q6 ?3 a( ~! U! [3 V* Q9 |# o
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ M g3 m, ]# S0 p8 @' L
(API Get entry point)8 W1 S" B1 C/ }. a0 q
( b/ A& j8 ^; {9 {8 f* N; X. L
1 n. o! V" ]$ A- [ [; l: F: X xor di,di( T. ~/ A6 r$ Y6 u' D- B% t! d4 m
mov es,di" ]4 b! l5 C: U; _3 I6 E9 T
mov ax, 1684h ! o( [' E% ~& E# _& |4 g) x+ L7 H
mov bx, 0202h ; VxD ID of winice
) S E q! ?$ m( Q int 2Fh
- n& K9 p1 ]4 q# K mov ax, es ; ES:DI -> VxD API entry point
q8 l) A* V2 u/ M. A1 V add ax, di' a+ k- o. v4 L& o3 J
test ax,ax% T3 [- ]) \9 i/ @! [0 f! T% v. t
jnz SoftICE_Detected: r |8 {' S- E6 @% m
6 s( x" Y& x$ t/ [6 y- E; F: a
___________________________________________________________________________" L9 M1 I, d' w" a6 v0 z
8 ~1 A3 e7 O3 X% X
Method 04( e# f7 T$ y8 a# U7 o
=========/ i9 ?! y9 U7 X" a" c4 `
) @* ^- y! B9 g CMethod identical to the preceding one except that it seeks the ID of SoftICE: y. M6 m# ^3 w; x- }2 V4 o* X
GFX VxD.0 W# S- f% H6 {% ]& |& ~
3 @+ P1 `: i2 h$ u
xor di,di
# v0 G4 S! W+ z mov es,di: a- N+ u" B9 L/ x
mov ax, 1684h 0 }$ B" C) i& f0 K1 m& }
mov bx, 7a5Fh ; VxD ID of SIWVID( S: j' S6 w0 N1 Y% o' w: X1 Z
int 2fh
, r s# E7 d: U7 i5 s! ]2 X mov ax, es ; ES:DI -> VxD API entry point
: I- F! _+ `+ T z add ax, di
% H; s7 M; V$ I0 ~- B+ `' O test ax,ax' G% `' \4 i: r9 C8 @
jnz SoftICE_Detected
: M) w& y2 d5 S+ g8 v$ y& V
9 z! n* P4 X2 h6 b) M__________________________________________________________________________7 |0 t$ Q* _$ i# t% L
7 {' Z( e4 U" i
: @0 x$ M. R* t5 S( I+ k
Method 05& R) ]% z; r& C1 L @9 s& n. l% i
=========7 q0 b& B- q1 q4 `
( p) b) L/ o2 {4 V( X5 G+ @7 i. QMethod seeking the 'magic number' 0F386h returned (in ax) by all system( y9 u( C% E' r* c8 R" u$ w
debugger. It calls the int 41h, function 4Fh." Z: g [8 y4 A9 b& R$ }; V- d8 w# Y
There are several alternatives.
0 O" A. r! O3 ]; U7 r
1 N8 `; o3 I4 \& @% {* }The following one is the simplest:
5 R" _7 }0 j- g4 \+ Q2 N1 B# T0 Z. F0 R' a, u7 \
mov ax,4fh
7 c2 ]$ N0 `* N8 S2 N- n3 K! w* M int 41h
4 Q t- _% b4 ^8 j cmp ax, 0F386$ I! x1 ^ E0 U& b6 {
jz SoftICE_detected0 Q: m6 H" N% ^) E% J' _
0 Y' V7 O8 \2 w0 x: \( C
) G0 @# U6 k, n, j
Next method as well as the following one are 2 examples from Stone's
+ A4 H0 m- q J" W# K, E( m"stn-wid.zip" (www.cracking.net):8 {- E$ W4 V. T
" r# T/ C' W# {6 K mov bx, cs' ^4 G1 T. |! k! Y% }/ B
lea dx, int41handler2
/ m" x e: f& m' A xchg dx, es:[41h*4]
- [. i9 O1 r5 t2 @ xchg bx, es:[41h*4+2], _0 S9 ^5 r/ Q
mov ax,4fh' {8 W+ N' |6 c. @/ g- o( b( `7 ]
int 41h
1 I3 D% p, J- z xchg dx, es:[41h*4]. X3 R x# {6 R- S9 {6 j" U. h0 l
xchg bx, es:[41h*4+2]
* P# q8 S8 J$ y cmp ax, 0f386h
, g# X B1 Q Y' \2 n2 P jz SoftICE_detected
/ T6 L4 T9 ~* M. e" n6 E6 B# z m
int41handler2 PROC: [. X2 Z" |: u/ r: Q
iret1 V# J) K* h! w& G8 o6 T( D' U
int41handler2 ENDP
5 G! W# n. V ~( Z1 b; n; u4 Q8 j! A5 R0 E
1 g0 y& q4 L F7 v_________________________________________________________________________! d2 t% u5 r' h. Y
8 x# a8 J" c0 x8 ?0 X0 X8 L% n, b
( c8 n0 g) B+ f! Q2 I% E3 |$ a6 w
Method 06+ F3 L" E1 `5 U& X; K
=========
4 u/ O% V/ c% a0 b6 U* ~0 B. ?. Y0 H
' F/ b; k& t, H- H1 z. o2nd method similar to the preceding one but more difficult to detect:
- N* h. g' }1 Z0 L
" g; y: l4 @, X: f6 y! m. c2 @7 _4 p! T& b( D- P: J5 U0 N
int41handler PROC
9 T+ Y9 s1 K# H; t' V- L mov cl,al3 a; D C6 v* D" x
iret* W. `/ _1 X [% `
int41handler ENDP
& J6 }% ^: Q* ]) i% S4 |2 Y8 z0 e6 @' i1 y5 ?) x; `
. R& _! c, H0 A- f; n xor ax,ax
9 c% ~' }/ @4 x7 l1 H9 T mov es,ax& t& O7 a" M* |8 F# X) K0 O
mov bx, cs
1 ~* H3 S, L8 z6 k# }2 R* `3 A lea dx, int41handler( O9 r% J* A0 ^3 z6 c
xchg dx, es:[41h*4]5 o- Y7 C$ j0 z- J4 l. O6 ~
xchg bx, es:[41h*4+2] m( R8 l; U; B& |3 \
in al, 40h5 u! c! |6 h" g' f: _4 w
xor cx,cx
5 y- N; s: B* l6 y int 41h1 f- s% P, W9 [: c2 i2 }) t5 X
xchg dx, es:[41h*4]
$ h8 b, B9 [' i0 C1 h% O xchg bx, es:[41h*4+2]
y* S5 m& R- U* c( }/ ~/ P. Z cmp cl,al+ c4 d! A' m* W9 Y0 x5 U
jnz SoftICE_detected$ I4 h5 [: k' W# \7 P
; u3 `: O+ U1 i_________________________________________________________________________: k# W- w- @9 x: {' [
) }# E U1 l% l! {Method 077 ]! y" G( Z- P! e1 T) ^# x; j( ?
=========
. D# ^8 R1 P2 p2 S
! Q, V- i1 h" L4 vMethod of detection of the WinICE handler in the int68h (V86): l& g% O& N/ M: v
$ i, J5 v6 t) N( W# W. C
mov ah,43h
7 q/ @ f5 Y. ]7 x int 68h7 k/ _' T* h4 F; ^* y6 Y% G) |- l
cmp ax,0F386h& V- q# j% J* `8 Y* t l0 \7 p
jz SoftICE_Detected. a9 p4 x1 p1 t1 L* ^
7 R! F" P9 O, K+ G4 f
" U) I% z# _3 ~) s=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) t! q8 x) K6 A6 o5 Y8 e app like this:8 ^+ T. R6 V D2 ?' R5 r }
, Y* ~' Q: V* ~# b
BPX exec_int if ax==685 [3 K9 b/ E, I% L8 ]0 R
(function called is located at byte ptr [ebp+1Dh] and client eip is
! z1 g% C* l- i located at [ebp+48h] for 32Bit apps)
* V* o7 k0 Q# t) W: a__________________________________________________________________________+ a2 s. a' ?" B* ]# @
/ E- j5 ^0 |3 C! p4 d7 k
$ h2 B3 H1 t) \Method 08* z7 t, e) o& W7 {+ f: X! E1 B
=========8 ^- t9 ^+ Q( a+ \- ~: I% D+ z% J
! S: _8 I$ X/ J( O* q% h5 Y- R# i
It is not a method of detection of SoftICE but a possibility to crash the$ V, T; g# M: u; G" u) a5 _8 ^/ U
system by intercepting int 01h and int 03h and redirecting them to another! K: o, a8 I8 ~
routine.5 \* X# b; I3 @' S& \$ m
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points7 r. u5 x# X. w& c8 X6 z+ ^4 R
to the new routine to execute (hangs computer...)
8 R/ T! h+ `7 z$ I' |/ k, }! ?
5 ^, q; }7 g0 ?( m8 s/ F$ K+ c mov ah, 25h, s' }" _% f$ ?. E
mov al, Int_Number (01h or 03h)
- {' ~% `* U- w! m mov dx, offset New_Int_Routine
; U. Q8 c8 \* F7 L9 G int 21h: t) f$ V+ g+ X# E5 i, k
4 _" z" d6 G4 h* c1 [; J j& p
__________________________________________________________________________5 h2 o" S( u2 Z
) U* u( T0 F: S8 X3 D' ZMethod 096 q+ W$ a+ s7 ?. s
=========: v" t/ C4 H0 ?: U7 r
# P+ C& Q: A" u' ?4 l7 hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. t; r' D4 g- r2 b4 fperformed in ring0 (VxD or a ring3 app using the VxdCall).
0 A$ ~1 w. X0 uThe Get_DDB service is used to determine whether or not a VxD is installed
& M# y& ?6 C& G/ u2 C, M6 M9 y, ?for the specified device and returns a Device Description Block (in ecx) for K4 W- c# A$ R4 Q- J
that device if it is installed.
- C& O$ ?& l, V! `8 Y$ O' g. `. F& D( t8 |1 ^" O/ b$ z$ F& x1 V
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
Y- L- ~4 X1 ]) e% \" l9 L mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
9 Q, p6 g3 ~& w: c VMMCall Get_DDB
; I) A$ t1 @! I# u mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed& k' d; M2 |( B/ Q; ^2 V
; I0 o. a7 U1 X9 j# d
Note as well that you can easily detect this method with SoftICE:9 r) p) z3 z+ d
bpx Get_DDB if ax==0202 || ax==7a5fh
+ R8 X8 C( I: s; L
$ Y# i2 W; B2 a. I__________________________________________________________________________
$ F6 S" ?. D) R& `# D+ n5 U- v, n) A
Method 108 U/ r, k: p: z' @- H0 h1 s- l
=========, f8 X2 z; u' c+ Z' Y6 E
# _2 v: s- e- U3 `1 t9 U=>Disable or clear breakpoints before using this feature. DO NOT trace with
. |+ B* b! ]4 N- L9 F SoftICE while the option is enable!!
/ [5 b1 t4 k2 \' e0 X$ X6 q; s0 H/ n) r1 o
/ c. o7 s" G4 V* U& [This trick is very efficient:2 y: ]- a6 }( m& ?$ g8 g( |2 r% }
by checking the Debug Registers, you can detect if SoftICE is loaded' L$ e4 `7 ?& Z6 Q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
) I* e# {$ E9 M) R( R, |5 ythere are some memory breakpoints set (dr0 to dr3) simply by reading their# j7 ?0 u, {4 `9 t
value (in ring0 only). Values can be manipulated and or changed as well# q1 S, D8 E( k9 E& d% K, g
(clearing BPMs for instance)
' x$ }7 O( s3 f
7 J& i+ U: S j4 U7 P; {, h__________________________________________________________________________
! t9 q/ K3 t$ w7 u6 ^6 M" h$ {* Y; a; k6 Z4 X9 d
Method 11
5 S" c" C0 e: y2 ~) Z=========6 V; s( w6 C6 v# q9 ~( }5 z4 P
4 L- L. Q% m' MThis method is most known as 'MeltICE' because it has been freely distributed" m9 V1 q& k! k" a+ T; r. D; [
via www.winfiles.com. However it was first used by NuMega people to allow+ e2 E6 k6 a0 F* e4 l. g. v5 L; @
Symbol Loader to check if SoftICE was active or not (the code is located% a# F2 d: O! H& S
inside nmtrans.dll).
' A8 K" |0 G/ X" @; F
1 x% [0 i9 `+ t3 uThe way it works is very simple:
2 ?. l& \2 v5 Q& \$ d8 OIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
2 p1 i% P/ k/ L! `1 j# d) ]9 nWinNT) with the CreateFileA API.
2 Z& D! `% n& a% x9 M& Z7 E. C" o3 E" Q9 B q# }8 q6 A
Here is a sample (checking for 'SICE'):( G7 j1 h/ I9 W* y( R H
5 K6 d5 X: p+ d9 I* @BOOL IsSoftIce95Loaded()
+ \5 q( f6 @$ l{
3 j, p" ^$ k+ Y/ m HANDLE hFile; 2 ^1 J5 |5 O4 v4 d! v/ E
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# V0 u) {/ q- e- Z( Z3 n/ R8 p# X FILE_SHARE_READ | FILE_SHARE_WRITE,
( P) m r; R) F# J$ W NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);" `3 b" q& m9 _ s. C# k9 [" Z
if( hFile != INVALID_HANDLE_VALUE )/ o9 k' h% G: o' u( d
{
m. ]6 `! {+ g CloseHandle(hFile);
8 Y3 M# _) X: Y. ~3 |6 b return TRUE;" i/ c) w- M+ _5 L) @6 L
}
$ \0 C8 @/ ]% J! N6 F* Q return FALSE;
5 f* H' h3 E% e}
9 h1 V/ y) }+ A( u- ^, h+ A) q2 {" _1 e$ Y, x0 t
Although this trick calls the CreateFileA function, don't even expect to be' f4 L+ t: y+ X- ~( g' { ?
able to intercept it by installing a IFS hook: it will not work, no way!* l2 f; c, w: X" P B* W' c! ?8 E) A$ w
In fact, after the call to CreateFileA it will get through VWIN32 0x001F& u Z8 y( G5 z' P) D
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)% Z$ c! E( [( h* T
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
( f2 y4 s6 C# P! E; v2 A1 Y5 ~+ Bfield.
, v- n z' ]+ O: D. L% IIn fact, its purpose is not to load/unload VxDs but only to send a # L( Y- q# ~' X1 `- H- v+ e. Z
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 J+ N; M! x5 ~+ e
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ S- ]7 s; p9 }/ ~5 N) }to load/unload a non-dynamically loadable driver such as SoftICE ;-).
- Q4 {- T1 G o OIf the VxD is loaded, it will always clear eax and the Carry flag to allow
2 I0 W: P3 n1 ^3 `9 Qits handle to be opened and then, will be detected.
+ Z/ L) X+ t" C: [7 qYou can check that simply by hooking Winice.exe control proc entry point
! V0 a, V& ]# U# C$ v/ ^- G! Fwhile running MeltICE.
S) r; l1 T" L/ \ _" D3 }
1 W! O* {( h+ `1 a) v) i
" j: T/ q& @5 \/ b `$ h) A 00401067: push 00402025 ; \\.\SICE
- C" C* R9 W; X5 c) @1 S 0040106C: call CreateFileA
. C- z4 F9 b7 x$ U9 z0 Z 00401071: cmp eax,-001
$ p" W% [( e' v- ~; q 00401074: je 00401091% M' q; D* w' C! R, T
+ N( f9 O+ q/ L$ i3 T' n# E/ ?5 d4 p, ~9 i
There could be hundreds of BPX you could use to detect this trick.
" s, U1 {/ o5 U6 B: O# K B5 B-The most classical one is:
3 ?+ s$ b7 l/ h2 n BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
* J3 f( P; u8 l7 U7 d" r W *(esp->4+4)=='NTIC'. E& K' c8 e9 x: T; C& J
/ H9 U- M3 ?8 v: x5 G6 m-The most exotic ones (could be very slooooow :-(
2 }& D- r' T, e, k BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
( b+ F3 ^/ a) c ;will break 3 times :-(0 r; Z2 }9 e4 c3 J6 t. s8 _7 F( c2 ?
) P8 j: B9 ?% X) r2 s$ T-or (a bit) faster: # X; @; e0 C. \; t( Z- X- T
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')! [1 E. G) `; P) O% z7 V
3 X3 ?" O% \# w; F. m BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ) h: k$ m0 e, a0 f; X% k
;will break 3 times :-(
- F; @4 q6 b' R0 s v9 m- S7 R) c
-Much faster:
( L) f( `! \( C. ?1 d& c& f8 X* [) n BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
& q8 ]( q Q* O
$ E9 s D% @$ g. Z' INote also that some programs (like AZPR3.00) use de old 16-bit _lopen
- j( _; l6 K7 x) Nfunction to do the same job:; [4 F& h( N# Q9 I4 y8 f5 ^
2 f: G7 W; r3 M) n! ]1 F) E
push 00 ; OF_READ
8 \, b2 z& h# l# S; H7 n mov eax,[00656634] ; '\\.\SICE',0" W* |- `1 [4 C
push eax
2 L) W% `, g9 e) i' ` call KERNEL32!_lopen
+ r" C" v1 j" i+ k- p! O! ~) u- H0 T inc eax
. ^; ~! K) h! S jnz 00650589 ; detected
9 e( K. n" `2 S4 t; v. J push 00 ; OF_READ
6 j# U. ^9 |7 @1 Z) k0 o- R7 e& g mov eax,[00656638] ; '\\.\SICE'1 w3 q' F7 y6 @/ p+ U D
push eax+ P7 m& ]. C( c5 X6 }* j
call KERNEL32!_lopen, A6 Q6 t8 z' R7 b5 s" @3 {$ r
inc eax
( N& j l6 @4 n+ [- |- B jz 006505ae ; not detected7 v' {3 f) @5 x" R4 a
: H( }6 P8 P% J& H
" _5 Q$ ?; C# o' X( k8 l% \0 E__________________________________________________________________________4 v0 X' Q5 r4 m' L8 e9 _ }$ \: ^6 R
1 n! \- w+ [5 ?Method 12
7 l6 k: B9 j/ J( n: l=========
8 N$ G5 i5 E+ \+ P( N( i; n, q/ e' N9 T x
This trick is similar to int41h/4fh Debugger installation check (code 05) n: M, X3 @+ j; D
& 06) but very limited because it's only available for Win95/98 (not NT)
0 M! G- N( M; u# J& qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.) T4 A4 C- R* f! G5 [
4 ^0 C" |& r* @( W: s push 0000004fh ; function 4fh0 y( m7 ^. [* y6 a
push 002a002ah ; high word specifies which VxD (VWIN32)
- Q8 ^0 B! q) A& z' \2 K ; low word specifies which service
" B! @# j3 F; r1 B: L | (VWIN32_Int41Dispatch) C6 T$ g7 ?* x1 B" b+ C
call Kernel32!ORD_001 ; VxdCall8 G4 Q- K- Y2 f* r) w9 l
cmp ax, 0f386h ; magic number returned by system debuggers1 w7 g0 R8 x9 V' k8 @* O4 U
jz SoftICE_detected
/ T) x+ |" Q8 z( H8 J) q' K. p1 K; Y1 T+ h8 m
Here again, several ways to detect it:. i- p! \" _" c, X: J
7 J5 w" I6 v9 I' h BPINT 41 if ax==4f
# S, H4 U" v6 u4 T* f
/ N1 L1 {* D2 F0 V BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one9 u s! R$ R) e5 n
1 B( }5 I$ P- S7 a BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
4 A% K' M; t* m! Y) t
9 m/ `+ B; A# E BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ }/ S2 w, c' ]- W
- j' k: T% S* {__________________________________________________________________________) N) K! n- F8 s- C2 f8 s* M+ U" O
$ J! @6 o- _0 Y9 b, ]0 D) n; h/ G: U7 U
Method 139 a* G2 d1 K& R- F1 w c8 j
=========
! `* s9 t) `: E! i; \8 V' V. P
8 P9 ]- w0 d UNot a real method of detection, but a good way to know if SoftICE is
0 {4 D9 N' ^' ?! |* }" } z+ X9 x7 Tinstalled on a computer and to locate its installation directory.1 M* N1 i" q; p V7 O, l
It is used by few softs which access the following registry keys (usually #2) :7 m9 ^( z( K) y4 I0 c9 r
$ J. F- s Y# S! ]
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
2 K+ e* T S/ C- K/ q\Uninstall\SoftICE. N2 T2 @; K n5 ?
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
+ N4 o- m$ ]0 l3 S! ^. c-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 Y! @$ p8 K, o$ o/ \\App Paths\Loader32.Exe
" \, ~4 E& ^1 t) E
) \. {8 ?! k) t0 U+ e5 L' I$ V5 s" ?% Z; _. E* C N
Note that some nasty apps could then erase all files from SoftICE directory
8 r& K+ X7 e' p7 o6 B, l6 i5 c(I faced that once :-(
4 U# @: z. w3 J/ [* Y
2 M+ @) m5 s2 @0 }6 \! OUseful breakpoint to detect it:+ r4 |9 w7 @& M% p% H
, d7 |( y6 @" t0 B, M' g2 i
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 C+ S# `0 x E Z
( `! }1 w- z# O2 ]8 e! E
__________________________________________________________________________8 X$ a$ A0 e# @0 B! Y) E
+ K9 L5 F' ~: l
! w- D8 x( v: F# Y; m0 k) N0 lMethod 14
1 R* M" G4 c0 ~3 P=========
) M. J2 r% L+ c4 ?
/ A2 |/ j' V5 c7 jA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ O/ @0 L$ d: yis to determines whether a debugger is running on your system (ring0 only)., D( n2 m1 e- c: E
# n6 C) ^- M5 V7 ?9 G% E
VMMCall Test_Debug_Installed
4 G8 t/ T" S1 W# |+ H m* J' ` je not_installed
$ E6 D U- g! N% d
, o' z3 H/ @# F1 j4 a; rThis service just checks a flag.
0 h% F* O3 S4 a( I</PRE></TD></TR></TBODY></TABLE> |