<TABLE width=500>
" ]2 ]9 E. ]: D0 W<TBODY>
4 q8 l! D% f; X. c<TR>5 u1 K; R/ o% F+ E, r9 l
<TD><PRE>Method 01 0 e. C* k# E" Z& _
=========9 U! r9 N* q" G3 @+ |$ D
" m) ]/ d. ]8 ~- i
This method of detection of SoftICE (as well as the following one) is. V- H8 q" g: `$ \7 ~
used by the majority of packers/encryptors found on Internet.
( {, m1 I. O V" c3 lIt seeks the signature of BoundsChecker in SoftICE
# `9 w3 F7 O) D8 g
; n8 j: n6 w% e" C mov ebp, 04243484Bh ; 'BCHK'
5 V( N& t; C% h) j; c5 B: t' b7 e mov ax, 04h
- F1 ^7 m Y2 u. p int 3
! a* h3 B3 {4 D$ G6 A6 F5 ^ cmp al,4- H( o: T, l; J& c
jnz SoftICE_Detected8 O' e9 G4 U& N! g& f$ B
: n8 W4 p7 N# H: H5 x8 D
___________________________________________________________________________
: {! {. d: F9 ?7 H7 q+ Q3 Y5 d- o; m- a+ ~6 B) N# ~
Method 02( ^7 q/ ~+ K6 T" F' ?
=========
: \0 z) y- U. V/ z+ ~0 [ R
0 F/ X* {) \+ yStill a method very much used (perhaps the most frequent one). It is used
# l3 `8 A1 q8 p' X4 Y* {to get SoftICE 'Back Door commands' which gives infos on Breakpoints,2 U/ l7 h5 c; x
or execute SoftICE commands..., K! w, r, b$ a& ?$ s0 T
It is also used to crash SoftICE and to force it to execute any commands, `5 G- [/ ~: ?3 F9 n: z$ ^
(HBOOT...) :-(( 9 i9 g8 _$ C1 r9 r' F2 n! }
?- o& \& K, R& k1 q( qHere is a quick description:
6 K+ ~* ~ H% e9 z) u! S3 a* p/ X5 X' S4 y-AX = 0910h (Display string in SIce windows)
" L% Y' m" z3 L$ H& W! x/ }-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
1 V( S. q! B* j; t) H* a-AX = 0912h (Get breakpoint infos)2 C- X4 }- _+ \' v% D5 s F
-AX = 0913h (Set Sice breakpoints)" X, Y/ J- o: C% D. W
-AX = 0914h (Remove SIce breakoints)2 N# E7 q# w/ K
3 n1 t1 U- u# K' z( lEach time you'll meet this trick, you'll see:0 K. `; o) O/ C5 |. i
-SI = 4647h
. J/ z% i4 ~0 [' g, u, q-DI = 4A4Dh
& F; ^8 p$ q% d$ s$ Z" e6 z+ iWhich are the 'magic values' used by SoftIce.$ ^& B% P# q# l7 D8 h
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 i' C; B$ ~+ Q. j m
9 B+ h% c ~4 J; s6 y* qHere is one example from the file "Haspinst.exe" which is the dongle HASP9 ]6 Q" I1 D. i" e
Envelope utility use to protect DOS applications:
( \" C, y" s( E7 n7 G
0 E' A/ P/ {3 M' `$ q4 F
: A7 E1 N Y$ D& i4C19:0095 MOV AX,0911 ; execute command.
8 M; j+ \5 A- I& m6 M4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).2 q" N4 ]( I# L6 U# U* _4 v4 K1 |% I0 J
4C19:009A MOV SI,4647 ; 1st magic value.* ]+ n9 L- S/ p) c7 Q
4C19:009D MOV DI,4A4D ; 2nd magic value.8 g4 ?5 o7 z' g j
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 f6 g! v; K" U1 M- t! O" |% a
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
+ c7 z( m& T$ j3 a4 @* A4C19:00A4 INC CX! A% t5 Q6 M- x
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
& Z: W( b' \5 L9 {5 W- B4C19:00A8 JB 0095 ; 6 different commands.
/ L/ a# {# M1 o. W' r; F- _4C19:00AA JMP 0002 ; Bad_Guy jmp back.
+ Q' I% U9 P+ P2 ^4C19:00AD MOV BX,SP ; Good_Guy go ahead :)3 T/ G) _2 [( N7 A, g7 W$ j) L
* E1 \8 V5 c! Y3 VThe program will execute 6 different SIce commands located at ds:dx, which
2 E$ P' L5 [) D( I# F8 X! A7 H, ware: LDT, IDT, GDT, TSS, RS, and ...HBOOT.; I9 D# K. l6 m6 w1 Z$ g
6 r8 Z! H' `- U& v. A* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; M0 y: D* ?& ]/ l) h
___________________________________________________________________________' ]- v S8 q) a
) R S z3 |/ u; R$ t+ x3 x9 i. o |) `
! N! R. y% l$ k# Q4 d4 Y. \
Method 03! ~" H+ e, k7 x5 J. l
=========- e) x& M. M4 X1 k
( G1 O. Y% j. F- R
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* x1 K o3 C. b) N4 Y( q L% ?(API Get entry point)& o4 D4 {' ~5 D8 a! P- o
) L% T8 @; x" w$ o6 V$ a/ K
9 \$ |) p8 q$ {4 n, L7 U: P. F9 f
xor di,di" j0 N& D0 C2 f2 p
mov es,di* q1 p$ z% ^6 O9 j- S4 c+ S
mov ax, 1684h
$ j9 o, p. `2 k# ` mov bx, 0202h ; VxD ID of winice
d O# l: L) X7 l int 2Fh3 t$ i/ f+ n* \, L; `
mov ax, es ; ES:DI -> VxD API entry point, I% X7 p. I9 G& O6 ~- K0 w. u$ _4 T6 `
add ax, di( O+ D4 I9 F- t$ g" }
test ax,ax
- e+ H3 E( L" K7 n# L jnz SoftICE_Detected
* w0 Q* q- B3 D: L* z3 K. F( J- D& }) V
___________________________________________________________________________
+ z" F! f: c3 u. p' b+ T) ^+ H/ _ A" ~; N: d: `1 y
Method 04
& O, H9 }" @5 g. ?=========
. e. w) Q7 l' R6 e/ F
0 P2 r# K. |9 vMethod identical to the preceding one except that it seeks the ID of SoftICE) d/ l6 b2 H8 Q( ^: y* ^1 U
GFX VxD.7 l/ |, J7 C- I. t: ^" @
$ c$ S# s$ W" v: _* W% j
xor di,di g7 Z* z9 K1 T3 e3 t# g" A5 C: X
mov es,di
- X0 I9 @/ A6 c* q2 [3 \ mov ax, 1684h
: Z _9 N( f& G2 J mov bx, 7a5Fh ; VxD ID of SIWVID
( `+ H3 m2 R7 Z+ r) T int 2fh- z: Q" D0 K5 C9 W
mov ax, es ; ES:DI -> VxD API entry point
) x3 }* s' q7 c8 m- { add ax, di
5 U3 n+ B; G3 j( c8 K( {' Q test ax,ax( }5 u- ?) Z* K# P$ | n) s
jnz SoftICE_Detected7 }8 |. ~6 G: \) q
; C1 S, B' N- N( C% S7 t: t( L
__________________________________________________________________________) Q4 G c% H3 |0 _* u
& m2 u z$ A" L% j, Y# h1 X
- T- D; i% d5 M+ B jMethod 056 M# I: y9 | i! l+ E3 ^
=========% v) F. T* F# U6 i' F( r1 `: R- q
; f0 `8 x3 r" F, M
Method seeking the 'magic number' 0F386h returned (in ax) by all system: u# c/ z$ y7 _ Z( Z+ P3 \. T, `
debugger. It calls the int 41h, function 4Fh.. ^' s0 h7 ]1 s) K
There are several alternatives.
9 I- G! B4 s( r z l2 w& z& o2 [ v7 y, _* N1 p
The following one is the simplest:
1 b9 k2 i& }% Q- P3 \0 H& k' |. d4 Z, d& Y# I
mov ax,4fh
2 m* _+ o" p) Z; q% Z. @" m, n int 41h
( I8 z6 Y& w& k& T8 C$ k cmp ax, 0F386
, g a" @' {, f, \% _ jz SoftICE_detected
# k3 H; D' ^% m2 E6 X; s3 D- M6 ?/ Z% p
i) X9 c( N+ ^6 \Next method as well as the following one are 2 examples from Stone's
" a5 b: X! g+ b6 ^3 s"stn-wid.zip" (www.cracking.net):
" `: r* b/ W1 q' L( u8 a3 J' ]) `8 _$ |; c' {; k2 d
mov bx, cs
% r1 E' I" `9 L% g# q9 c+ M lea dx, int41handler2" H* J3 s7 F6 w
xchg dx, es:[41h*4]3 I% L' |+ D6 r) S9 F
xchg bx, es:[41h*4+2]
" D" Q9 ?% C3 {% r: l; L mov ax,4fh
$ U& d7 H. k7 h int 41h
0 g* P+ W$ F* F L& j7 A8 r T) V xchg dx, es:[41h*4]) z& X' Q) m& g8 p, ~
xchg bx, es:[41h*4+2]
$ {: i( j7 L) \7 I cmp ax, 0f386h. R3 F# m+ |1 i; v( i# Z4 T( T! w% R
jz SoftICE_detected. T2 F8 f# \4 N' O6 d' I% e8 I
Q9 j" r( O" `: T' Aint41handler2 PROC. l, S; z8 V7 o1 i9 y
iret' A5 a# f) @) X, S7 Q7 ?
int41handler2 ENDP2 Q2 x( k+ ?6 T% _0 `9 J7 D
1 L, _+ K4 P* {! ~( o
- Y: a9 a P1 B7 Z2 H) ]6 K( H* L
_________________________________________________________________________# ~* E! }( t5 E f- M% @$ i o3 e6 V
* p/ \. B" z1 B! Z6 n
( w2 e; E' r/ CMethod 06
/ x9 V9 b6 t% X. g, G7 N* X=========
7 d- W7 N; q2 \# L) O
( P; H% S8 @% [/ U" @: t" S( O- p# A
2nd method similar to the preceding one but more difficult to detect:' l( I6 V- Y: F. P
6 i) y) M0 U& |" `& u$ V5 N9 ?
8 i5 o8 j# u- H; Sint41handler PROC
4 E$ E4 B ~+ K u$ G% i3 M3 | mov cl,al
! i7 H! n! Z, `2 `5 I5 S* ] m iret
* d s! `7 | ^2 p( Vint41handler ENDP
% C7 T' G) ?7 N+ s: f8 V
* M5 U! A2 i; z/ f/ i1 f, m/ o1 H4 b% e9 ?
xor ax,ax
; W2 \* x9 L0 G mov es,ax' d& z' z3 X7 F1 C
mov bx, cs0 F3 X& @" R- w6 n
lea dx, int41handler, A. R0 K y! h
xchg dx, es:[41h*4]. }1 v7 b6 u. r8 I
xchg bx, es:[41h*4+2]
/ _& w6 R+ N# k4 o( }$ ~+ ] in al, 40h! V4 C; U" `0 J# h4 w, j
xor cx,cx
. ?' K2 A: i* z7 { int 41h
! \5 n( Y$ K8 f) g2 k, q xchg dx, es:[41h*4]
& O; _* e8 I8 X9 P' q+ [; b xchg bx, es:[41h*4+2]
0 L3 M6 |( N* u, i: t) v cmp cl,al* B' m1 a# E% H
jnz SoftICE_detected/ B# a8 s5 p/ ]4 x0 T
+ J% `0 k j! V5 O c4 H
_________________________________________________________________________7 H' i) v$ x+ `/ X8 I Z8 ^) M
, y: k! I) Y2 s7 u. D
Method 072 P' f2 K) j( V. |& C/ Q
=========
( S6 H+ S/ @ h' w; h7 _0 F1 T, n: P: e. L6 ?! V
Method of detection of the WinICE handler in the int68h (V86)
, i/ Y( V8 @# _0 o( a# h! k9 @0 i$ g- R& [3 h- w
mov ah,43h0 w5 E6 n% w% ~' u) ~, Y( T9 B
int 68h
& U- ~, }( V8 Z; V# s4 j cmp ax,0F386h
4 S$ [. M% S$ F; O jz SoftICE_Detected
0 [' u7 j% V, w3 ?+ O3 u6 p T+ R2 D' `: }2 a: |" z; ?& c, g' D$ c! u/ W+ A2 f
$ E8 I2 [6 P% `=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
2 _; f) R B8 n b app like this:
2 m* Y( n# P1 j8 D
7 T0 v, @7 X; i3 f t BPX exec_int if ax==68
4 k9 g) m* S. g& f0 G7 N (function called is located at byte ptr [ebp+1Dh] and client eip is
+ C: l1 j8 X7 w; p( M located at [ebp+48h] for 32Bit apps); G& d. x+ ~9 X7 D
__________________________________________________________________________, _- E8 T/ Y% S
) H$ `8 g- }$ V$ z2 l& T
. W( [6 k6 ?0 J" h0 {$ n# cMethod 08
: N8 F0 i, x" X3 B- j=========) K3 Q; d. z7 F1 p0 l
3 E9 H; d2 p( w; H2 ]! D& w
It is not a method of detection of SoftICE but a possibility to crash the1 G @9 D4 ]* o' \' u3 [
system by intercepting int 01h and int 03h and redirecting them to another
?1 a h- v5 y7 ]routine.: B' W1 d4 A1 n$ o: l4 I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 l3 `) @- T; Y0 i+ d5 |1 N" ato the new routine to execute (hangs computer...)$ l7 c2 P: H$ U' n. W# ~( N! u% f
0 J' R+ U- C: W0 p& S5 T, o; D: J
mov ah, 25h
+ U4 ?7 \& }" Q2 \0 [ mov al, Int_Number (01h or 03h)6 P" }" c5 z$ V$ G- m, R1 n+ a7 w
mov dx, offset New_Int_Routine
1 X+ s" @- V* c! E int 21h" V$ A/ h, W# r; @; u' P2 x* o# V
0 j4 L' p) z; o/ m! _/ |% b__________________________________________________________________________4 V1 H- m$ a: F1 }/ p0 E: J
* I" ?. H; _, h0 T* K0 L. wMethod 09
& U# H" h6 |' e M0 b=========7 r5 J: z) f, A: D; W
/ M; k) m8 t# K% k1 wThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
( x4 j& G! K& O9 P1 d& D" X) ^performed in ring0 (VxD or a ring3 app using the VxdCall).
9 P6 w+ I' |' y% Z" k) FThe Get_DDB service is used to determine whether or not a VxD is installed; s4 q9 B: p u
for the specified device and returns a Device Description Block (in ecx) for5 a# y3 R0 S7 q) [' s" j$ {
that device if it is installed.8 u: j ~$ S* [4 g
' J: |3 S2 F6 x/ g mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
# Y) [4 ~! P/ C: a y mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ n/ H" ?4 ^' B$ r, A n5 E3 l4 \ VMMCall Get_DDB1 N8 X$ Y1 F9 _+ ?6 i
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
$ x' W( N2 }% H& Y4 B$ h6 h, t) x1 M5 ?
Note as well that you can easily detect this method with SoftICE:7 c. n0 J. r% { ?( w3 e& h
bpx Get_DDB if ax==0202 || ax==7a5fh
% R6 q: d, B9 b0 v0 D" G- W5 G4 u6 ?/ m3 o' u
__________________________________________________________________________
5 x, l* g+ _1 ]1 D7 y& p- n/ W$ o4 ^8 k
Method 10
& I+ o* J9 H7 m5 l1 g=========
& {" m; C! P. a5 I4 c% t# p1 d5 J4 |: F Q) d
=>Disable or clear breakpoints before using this feature. DO NOT trace with
5 Z* G$ c |( r4 M# j SoftICE while the option is enable!!
1 g* z4 p- d- N0 ?$ T/ s; {
5 r, K: r3 o/ ^4 k/ y1 T( JThis trick is very efficient:
' p: B0 N% l3 F% R" t0 H% h" B" M( Xby checking the Debug Registers, you can detect if SoftICE is loaded! W: s2 g8 i$ H* D- a
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if7 I' v' d D+ v! D. o
there are some memory breakpoints set (dr0 to dr3) simply by reading their
v5 {: t% V' A3 D/ c3 Nvalue (in ring0 only). Values can be manipulated and or changed as well
% ^( Q8 s4 h2 [0 d! P$ e0 q! V# g6 Z(clearing BPMs for instance)2 y9 u) W3 k l+ C8 N
. O3 G. `* C2 C# D( X
__________________________________________________________________________
' \9 P4 ]# Y- I: X) q2 r* u! y1 U+ m. \5 W( U* v2 Y
Method 11* a& }$ p6 K' w; V
=========
7 K7 n9 a- s# V7 X/ S9 A' I* J% i( x; C
This method is most known as 'MeltICE' because it has been freely distributed& s( l* `/ N( s0 R7 W
via www.winfiles.com. However it was first used by NuMega people to allow
, n8 s! C$ o' `( qSymbol Loader to check if SoftICE was active or not (the code is located. ]: R. k/ s/ _( D! {& o, j
inside nmtrans.dll).
* ]4 P! {) ^7 ^( X) @: Z
3 U8 F* {/ s' A3 AThe way it works is very simple:
+ p" [6 _! Y3 a: YIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 U2 {6 _+ z1 T! i7 MWinNT) with the CreateFileA API.! Z5 q* s# Z8 K7 A5 \
7 Z9 d* Q8 z+ wHere is a sample (checking for 'SICE'):3 W0 E' Q( b+ z) X+ F1 W8 s
4 l5 \. @9 E( R6 F7 I/ t. G" h" QBOOL IsSoftIce95Loaded()
1 v M# c: n& B9 f% |. D{+ m* {0 Q: Q- P* ^# D8 C9 F
HANDLE hFile; 2 W. l$ g! z. E
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, [+ f/ D8 N. r+ J" O) h) m9 M FILE_SHARE_READ | FILE_SHARE_WRITE,
- b7 M) C3 a5 O" C. M NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! `- A5 F) A/ W9 F if( hFile != INVALID_HANDLE_VALUE ). Z+ o% [4 n, a& i$ c
{
+ |9 T4 r7 V) J! h5 G CloseHandle(hFile);
) t- k. p' [2 x, K8 K9 | return TRUE;5 _9 W; X' G9 G: q* l
}! _, S+ U# _/ ^" k% f. y* e
return FALSE;
. f/ v4 n! u4 g/ R# x1 J}; }7 R9 n4 K* A; x1 \3 v0 K2 J
- Q: D& ^4 w$ j2 @3 i- M2 J1 HAlthough this trick calls the CreateFileA function, don't even expect to be
$ `" y0 I; a4 a1 Q& Sable to intercept it by installing a IFS hook: it will not work, no way!
: t: h! U7 S( S2 a$ vIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, g3 c9 U4 Y4 d! Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ B# e/ D: K$ }5 t- F5 w
and then browse the DDB list until it find the VxD and its DDB_Control_Proc7 t8 \( Z* k- r0 f$ _
field.2 H. u8 k/ @& r0 w \- h# o, k
In fact, its purpose is not to load/unload VxDs but only to send a
: \8 R, X& z" B- `2 ^W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 U8 o4 d" p. N' E1 l1 L: Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 H% l) E7 V; x4 W ^% o% s; x' ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).9 O8 X) v1 \7 m4 X4 s1 K/ x
If the VxD is loaded, it will always clear eax and the Carry flag to allow; o9 {; a# a5 u+ G
its handle to be opened and then, will be detected.. e% U8 {5 f. }& e1 z- ?+ i0 j* B; A
You can check that simply by hooking Winice.exe control proc entry point2 i& ^4 | d K! Z/ v8 T7 V* j
while running MeltICE.1 H- c' C8 V1 l
9 A7 B7 ~2 h5 M) Z% X9 l, B& t
. S( o5 K* z! m0 Y0 H8 ^ 00401067: push 00402025 ; \\.\SICE
0 y2 }" w: h" }4 E! Q2 j ~, R 0040106C: call CreateFileA" Z3 r9 F/ [3 A" `+ O" u' O: f$ R
00401071: cmp eax,-001
p. q6 l- ~; \% Z0 } 00401074: je 00401091
; h2 ^: J9 g o# e" `; P" J
4 c/ |* L }6 K" A) ~8 V/ m4 N+ v7 b$ x9 w" J$ }* F1 F5 W
There could be hundreds of BPX you could use to detect this trick.7 }% N# w9 @- N! J* @; p4 X4 c
-The most classical one is:! Y J% b6 n' g
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
, i" E8 K4 n8 C# T *(esp->4+4)=='NTIC'. t: {' a; t6 Z7 ^$ l
8 }2 A! ^/ g( f6 W1 P
-The most exotic ones (could be very slooooow :-(
$ e5 g2 Q7 p3 h# a4 i BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') * Z/ d- C/ A' Y5 v8 \9 Y
;will break 3 times :-(
, q' }8 \8 ~: o( Z( h5 a# q2 S2 O0 p0 q/ x. s1 a
-or (a bit) faster: # r( A' C( L3 d b' A
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), V! z+ R& d7 }- t* ~2 G$ R
; |- d# n" c& i# N6 ]# L [
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' & F; F4 `2 {- d3 [1 i. B
;will break 3 times :-(- n R' w5 ~, u8 p( g
- U7 F' y Q* z2 d2 D' `. L-Much faster:9 b/ t6 T0 t- I9 s% [! x1 a
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV', L; O+ U- ?( o6 J* R9 J
1 _1 X6 d& C$ xNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" _* d9 k5 L+ ^% xfunction to do the same job:# \# K/ _2 J( E- k" [
/ z) N0 r; Q- T; ?' Z4 m
push 00 ; OF_READ9 s! r7 k: J5 P/ e o0 E! R$ R. A; N
mov eax,[00656634] ; '\\.\SICE',0/ I4 X$ z! t, h3 e! O" W; S7 D
push eax1 E9 L# H' ]: ]9 L& H. \
call KERNEL32!_lopen7 C: T* d4 R" o
inc eax4 y: g* u; Z/ @5 U; b' b+ _( H7 V
jnz 00650589 ; detected {$ [3 H! H& d; F) i
push 00 ; OF_READ2 C r5 I1 \+ q
mov eax,[00656638] ; '\\.\SICE'
* d% C# I. A3 y* o$ ?5 ]' D2 \ push eax
S: D; P+ e( B4 @* M8 Y) m call KERNEL32!_lopen
- Y; b9 P: ^( Z# P inc eax
" b n! d# x ~4 r8 j ^/ x$ R* @ jz 006505ae ; not detected3 q( Y( I+ l N, ]$ |* Y. ^4 J
9 U; h3 G& @! c+ y/ D
: ]$ U6 H9 t i$ R3 N, L/ [: a5 ~9 X__________________________________________________________________________) D7 E% B7 b* ]$ Y9 v3 h% B
% p" I2 Y: S; ]- ?. [+ w
Method 12 w- D% L. ?# G0 }- J1 a
=========
8 F, C% m+ | A* g% d
- f8 J3 J* M8 q& B7 GThis trick is similar to int41h/4fh Debugger installation check (code 055 j2 x+ T9 e; i; G# M& c
& 06) but very limited because it's only available for Win95/98 (not NT)9 a( l* L, Y9 U
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! C' I) P6 @0 q! q: ]; F: H8 D3 H: }
& f2 q2 v5 v: w# z2 `: k3 [9 s9 e push 0000004fh ; function 4fh
! s! d- s6 g! J" X* }0 i+ N2 ~% Q' d push 002a002ah ; high word specifies which VxD (VWIN32)* A$ ^( q9 O6 `8 t3 P
; low word specifies which service
# W- ~+ X* ?8 w1 `+ s2 j8 p3 T6 U7 q% z (VWIN32_Int41Dispatch)
: o& E% n6 M* z5 x# Z/ j Y4 N) g call Kernel32!ORD_001 ; VxdCall: y/ i: X0 A0 F4 C6 b
cmp ax, 0f386h ; magic number returned by system debuggers
) p9 [3 }* @* a4 _# ?3 v7 D! ^/ r, I' J jz SoftICE_detected
- W# t7 u4 W& ^# h
3 f! A6 K4 U `/ }Here again, several ways to detect it:
" V7 ]" K) P- `$ B2 Q- d5 g/ u& u
BPINT 41 if ax==4f
, T2 d2 ^7 n! P: X0 c% B! B { l) `
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one+ A, O2 W6 e" p& _! n
4 V5 M/ z4 P2 J- Z
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A. B/ ^& S" P9 @/ ^
& }; e: g2 X, P1 E& \$ T
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
8 F n2 L: R; E6 I) G& W
6 Q& ^5 W- H/ r__________________________________________________________________________
5 w6 U `% I9 ?7 _# Y& g/ @
+ G: _% B9 q) `Method 13
3 _/ G7 U- _$ \* R2 m5 Q=========
, x. w2 I5 q- ^. C
5 S- E Q( t; L8 f* eNot a real method of detection, but a good way to know if SoftICE is/ }! J8 m3 \4 d
installed on a computer and to locate its installation directory.4 Z8 `0 v+ r: q/ q6 _5 ?
It is used by few softs which access the following registry keys (usually #2) :. q, h( x% U. i) n- A
0 s1 {8 j M# D8 w# Y-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: r- P" Q6 h7 V& a0 I
\Uninstall\SoftICE8 B! S+ H( a3 m8 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE! L" f! I0 J0 [. {% c( i1 c
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% ?3 o) r# b% s
\App Paths\Loader32.Exe/ @$ X7 [1 b q) D D; S
0 ?/ x' r- O$ W4 m( l* _; e
, J F: ?+ L$ }7 ?/ _3 C- e3 l6 Z MNote that some nasty apps could then erase all files from SoftICE directory2 O# F9 f, e( |- r8 U
(I faced that once :-( Q6 t, a. r; k+ U$ k
" q5 L! o6 o2 H: b: D0 NUseful breakpoint to detect it:; ^7 Z) b8 b& H( O( ^* {$ J, x
* z8 g! G1 B6 F$ n o
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'$ ?& u! R1 F( m9 }) G' w
) ^# I4 f x6 ]/ S__________________________________________________________________________
1 H" X2 d' l# X* c! p3 D
$ h( Y) O1 b) q, `% K1 b! i, R; f
Method 14
# B3 [& Q! n0 a# h( ?+ L* i; _! k=========
7 L- K% E& [8 S1 s+ M" N5 `8 W1 w3 A* e! m' l- s- ?
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose& F6 v2 Y! G) }
is to determines whether a debugger is running on your system (ring0 only).
* E) k0 I7 Q e- b2 a, f# r B- o1 n+ F
9 X, S* L2 c6 L5 ?5 b6 ^: h# n7 [ VMMCall Test_Debug_Installed
! P( q1 J+ d! { je not_installed
7 _" V; |" ]4 Q! l9 X
# s: y% s q4 i8 e% AThis service just checks a flag. x& n6 n, ?- f4 b9 U
</PRE></TD></TR></TBODY></TABLE> |