<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command; the command is located at ds:dx)
    -AX = 0912h (Get breakpoint info)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
    4C19:00A8 JB 0095     ; 6 different commands.
    4C19:00AA JMP 0002    ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API: get VxD entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WinICE
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax           ; es must point to the interrupt vector table (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own int 41h handler, keep the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but harder to detect:

int41handler PROC
    mov cl,al     ; our handler simply copies al to cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h            ; read the timer: an arbitrary value for al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; if our handler did not run, cl != al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
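The two DR7 values quoted above are easier to read once the register is decoded bit by bit. The following Python is an added example, not part of the original text: it decodes DR7 using the documented x86 layout (L0..L3/G0..G3 in bits 0-7, LE in bit 8, GE in bit 9, reserved bit 10 reading as 1, GD in bit 13, the R/Wn and LENn fields from bit 16 up), and shows that 0x700 differs from 0x400 exactly by the LE and GE bits. The breakpoint value it builds at the end is constructed for illustration, not read from a real machine.

```python
# Added example: decode the x86 DR7 debug control register so the values
# 0x400 and 0x700 from the text can be interpreted.  Bit layout per the
# Intel SDM; the sample breakpoint value below is constructed.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7):
    """Return a dict describing the flags and breakpoints DR7 enables."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect (debug register access)
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))       # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))    # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11        # R/Wn field
        length = (dr7 >> (18 + 4 * n)) & 0b11    # LENn field
        info["breakpoints"].append({
            "index": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[length],
        })
    return info


def looks_like_softice_loader(dr7):
    """First check of Method 10: the loader value 0x700 is 0x400 (the
    always-set reserved bit) plus LE and GE."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def has_memory_breakpoints(dr7):
    """Second check of Method 10: any enabled DR0-DR3 slot means a
    hardware (BPM-style) breakpoint is armed."""
    return len(decode_dr7(dr7)["breakpoints"]) > 0


# Constructed sample: the loader value plus one global 4-byte write
# breakpoint in slot 1 (G1 = bit 3, R/W1 = bits 20-21, LEN1 = bits 22-23).
SAMPLE_BPM = 0x700 | (1 << 3) | (0b01 << 20) | (0b11 << 22)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM):
        print(hex(value), decode_dr7(value))
```

Reading DR7 from ring3 is not possible; the protector has to be in ring0, which is why the text limits this trick to that case. The decoder is still useful on the defender's side, for instance when reading register dumps from a crash or a VM snapshot.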

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles on the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Opening the SoftICE Win9x driver by name only succeeds when the VxD is
   loaded, so a valid handle means SoftICE is present. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
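Before running a packed or protected sample under a debugger, an analyst wants to know which of the tricks above it carries. The following Python is an added example, not code from the original text: it scans a byte blob for the opcode and string patterns of methods 01 to 07, 11, 12 and 13, using the 16-bit encodings of the listings above (with an optional 66h prefix where 32-bit code would add one), and reports each hit with its offset. The sample blob it scans is constructed from those listings for demonstration; no real binary is involved.

```python
# Added example: static signatures for the SoftICE detection tricks described
# on this page, applied to a constructed sample blob.
import re

# (method number on the page, description, byte-pattern regex)
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 interface (mov ebp,4243484Bh)",
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42"),
    ("02", "SoftICE int 3 back door (mov si,4647h / mov di,4A4Dh / int 3)",
     rb"(?:\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46).{0,8}\xcc"),
    ("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
     rb"\xb8\x84\x16.{0,4}\xbb\x02\x02.{0,4}\xcd\x2f"),
    ("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,4}\xbb\x5f\x7a.{0,4}\xcd\x2f"),
    ("05", "int 41h function 4Fh debugger installation check",
     rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    ("05/07/12", "compare with the 0F386h system debugger magic number",
     rb"(?:\x66)?\x3d\x86\xf3"),
    ("07", "int 68h function 43h WinICE handler check",
     rb"\xb4\x43\xcd\x68"),
    ("11", "MeltICE driver name (\\\\.\\SICE, SIWVID or NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key lookup",
     rb"(?i)(?:Software\\NuMega\\SoftICE|CurrentVersion\\Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]

# DOTALL so that '.' in the gap expressions matches any byte value.
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return [(offset, method, description)] for every hit, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(blob):
            hits.append((match.start(), method, desc))
    return sorted(hits)


def scan_file(path):
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: the instruction sequences from the listings above,
# separated by NOP padding.  Offsets of the hits: 4, 26, 36, 41, 49, 61, 71.
SAMPLE_BLOB = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # method 01 + cmp al,4 / jnz
    + b"\x90" * 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"          # method 02, as in Haspinst.exe
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # method 05 + cmp ax,0F386h / jz
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                           # method 11 driver name
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                               # method 12 VxDCall arguments
    + b"\x90" * 3
    + b"Software\\NuMega\\SoftICE\x00"                              # method 13 registry key
)

if __name__ == "__main__":
    import sys
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_BLOB)
    for offset, method, desc in results:
        print(f"{offset:08x}  method {method}: {desc}")
```

Byte signatures of this kind produce false positives on unrelated data (the int 41h/4Fh sequence is only five bytes), so a hit is a reason to look at the disassembly around that offset, not a verdict; methods 08, 09, 10 and 14 have no stable byte pattern (VMMCall is resolved through a dynamic link, and the debug-register read is a single two-byte instruction) and are left out on purpose.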


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>