<TABLE width=500>
9 [ b; _5 j2 \- S/ V/ Z6 ^<TBODY>
( B; ]4 r8 ^0 T, Q! q<TR>; _& t. N0 V. i/ y* C" Y* _" G6 l/ ?
<TD><PRE>Method 01 2 d' W" i0 z! {' H8 X8 `; V, N
=========; h- w) ^! b0 s/ x; N9 g
0 j A) @6 \- G7 v& N+ G( }! r/ ]This method of detection of SoftICE (as well as the following one) is
4 g# r6 A- G8 `; cused by the majority of packers/encryptors found on Internet.1 N8 \" ?) o7 i4 _8 [$ T
It seeks the signature of BoundsChecker in SoftICE
$ x0 `3 A5 O8 w4 {5 ^( r2 g2 q) D; n* k& X. N; t
mov ebp, 04243484Bh ; 'BCHK'
# I" I% X4 F8 C" P: c* j' l' V mov ax, 04h* K8 |3 r1 |/ \: P
int 3 9 _. J, ]& @2 U; D& }1 u
cmp al,4
$ u! O h# v8 {! m6 X jnz SoftICE_Detected% a% b _% v1 H' v8 f/ S
/ b' a) \# J0 }0 ^ i: E___________________________________________________________________________; _" f" J+ _ s- ?; U4 h
9 g, ^+ ~5 A% Q6 Q5 b* U
Method 02 T7 U. h/ c0 V& K: Z }9 E
=========
8 p5 F2 |! g- l
& Z! }5 U& ]2 ?8 A5 X2 m# P4 n' oStill a method very much used (perhaps the most frequent one). It is used a7 }3 D+ @! E* A
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,* `/ w: ~2 l( q$ {# F8 D9 q7 D: e
or execute SoftICE commands...
. c- y8 z& {; t0 SIt is also used to crash SoftICE and to force it to execute any commands
7 q' _4 @! b' e. _(HBOOT...) :-(( ! Q1 J+ i' u- n0 N
3 I6 ]. Q+ Y. K; |! j8 [/ ^Here is a quick description:
) V) n. M7 I* j& x5 |-AX = 0910h (Display string in SIce windows)
' t0 ^# Y$ {0 ]. i-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
2 b9 c5 O o) x& t-AX = 0912h (Get breakpoint infos)$ F; v+ t) N. e4 @8 O
-AX = 0913h (Set Sice breakpoints)
) O I, ~) E5 ? Q* M& K-AX = 0914h (Remove SIce breakoints)- _1 W6 }" r: B2 p! F
7 B+ [& s, @* v1 l0 `Each time you'll meet this trick, you'll see:' B `4 p& _* K' ] K; b; o
-SI = 4647h
+ S& O5 ]* \* i7 N-DI = 4A4Dh# O8 |9 l* P9 H, i1 o
Which are the 'magic values' used by SoftIce.3 w9 {# p# I1 f+ @
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.* d7 e8 E5 {( R0 v5 f* c Q9 W
. r5 y( ?& v/ m' |, k
Here is one example from the file "Haspinst.exe" which is the dongle HASP
( }: E5 a/ T7 n# H0 BEnvelope utility use to protect DOS applications:8 o% B7 D5 V1 H
/ R' _0 l: X8 X) X$ ]
1 S- v& {3 k7 Y' t1 g
4C19:0095 MOV AX,0911 ; execute command.
9 S" v/ v! V, D% A, q9 Q8 q4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).. ~1 a+ I, Y7 [& s2 d1 M+ l
4C19:009A MOV SI,4647 ; 1st magic value.! c6 c' f% N5 d
4C19:009D MOV DI,4A4D ; 2nd magic value.3 [( G x$ c. Q/ N7 T! b
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
$ r+ S9 ]: ^# V4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute, Z, C! w$ g7 R
4C19:00A4 INC CX3 X9 b' k7 k& N: n! a' b0 m' M
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute& F3 j/ Z% o* Y3 X
4C19:00A8 JB 0095 ; 6 different commands.
' n' Q! o" K0 e+ `4C19:00AA JMP 0002 ; Bad_Guy jmp back.2 b! v5 }% N5 c( w$ X& `
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
/ R6 S1 z8 m% b/ X, ^, M2 `5 P. m2 y0 d
The program will execute 6 different SIce commands located at ds:dx, which
1 a9 ?( A5 ^8 v! Hare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.) J) p* w6 ^4 d- T7 z) S4 a# T
+ D7 \5 P, A3 q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
1 A! z4 a- h$ y+ W7 d___________________________________________________________________________ V9 t! ~: `5 I
: H; J) A5 k# B3 ]' _9 {1 ]* V
& R6 q+ ]: L5 C- C3 t" \6 |( WMethod 03$ [4 k0 F0 @1 S- g0 d5 |. n' p
=========5 v9 q. W8 A; i* b* S$ z8 b
6 m3 L- X& g, D2 FLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h7 {1 t$ U8 A8 T: _. }6 k1 h$ Y
(API Get entry point)/ g; N, |6 @( p- Y
- N8 Q8 M- ?1 H# \9 X3 M5 `# B( f- Z) k
xor di,di
" y- l9 e y( U mov es,di$ o. i- Q Q% K% o0 t
mov ax, 1684h
0 Y: W& F0 c8 X" O' p8 a5 n) }; Z mov bx, 0202h ; VxD ID of winice
4 e) S- U' s9 K+ f. A int 2Fh
9 o4 t! O8 F: ~+ g6 E: Q1 z mov ax, es ; ES:DI -> VxD API entry point
$ V: o7 B& l; k" P9 }! t add ax, di- n# O/ n9 }) h% ~ {
test ax,ax
% Y: u1 b/ |4 y$ s! k jnz SoftICE_Detected
5 W) N9 s* |3 z. _
* }! T+ e, ?$ `' i1 W___________________________________________________________________________* p8 ~3 {9 z. s5 {% i* q) Y
6 B7 {/ f9 H5 {# V5 I" @3 L8 X! _Method 04, F! W; j% ] p m O( u8 r b; o
=========- O- x0 r" @; ?" [1 i* @# t, ^
& v( D8 N* h+ G: j u( v7 f% h
Method identical to the preceding one except that it seeks the ID of SoftICE
( Q* G( r2 h6 H MGFX VxD.
( U# j$ _3 b& o) @2 _) w5 |: `) b
# E# ^, W( b9 m( k xor di,di
' U* G1 s I! @; \2 d' C mov es,di$ d# Z( y6 n g/ B
mov ax, 1684h 7 N0 p4 O# V6 T2 o& V" r; Q
mov bx, 7a5Fh ; VxD ID of SIWVID
) J/ _ ]2 l( {1 V3 I. ^ G8 _ int 2fh1 y2 v7 d8 O `; j% Q
mov ax, es ; ES:DI -> VxD API entry point
( h4 S: [! r2 e9 q# ?, x* z, D add ax, di, u/ c4 p6 k5 `: ?8 I. A
test ax,ax
% l' c( N& V1 A1 i# g7 O8 C( ] jnz SoftICE_Detected4 _6 H# `- W- d$ J- x+ ~& ]2 q
- Y' M" s; f. d6 {7 m9 I__________________________________________________________________________
; W6 H G) c4 T
( [: S; X* e* _! n% h* a
$ P; n( c C& u2 a" h, K; ~Method 05
( @ Q; }2 R4 f- k7 I4 R+ K=========* ]/ n8 o2 p! Z/ A% A
$ S& f2 p+ x# Z4 S" H, V4 f8 wMethod seeking the 'magic number' 0F386h returned (in ax) by all system
4 C; m+ w5 d! L$ tdebugger. It calls the int 41h, function 4Fh.
# s: e: l6 b8 Q, Y# eThere are several alternatives. & h a: h5 {4 w/ R, a. [
0 V: ] D! B2 @# f E
The following one is the simplest:
/ q, j! P2 A/ w; ~# z# g3 O, {: c3 q6 L' Z. t0 v
mov ax,4fh- Y& L9 q p9 E! _9 L7 _! U+ c
int 41h
4 T5 M5 R& d& y: ^* _ cmp ax, 0F386* Y! T6 b' J' x9 V/ F
jz SoftICE_detected# |+ Y/ P: S' `
. N3 t3 k7 K6 o7 T
; H; `1 }: Z2 G- G) Y; eNext method as well as the following one are 2 examples from Stone's
) H, r9 ~: E7 o/ q( p$ j"stn-wid.zip" (www.cracking.net):9 _% T+ Y, |9 ]' }+ V" P1 {
9 I' G# K. N: \* } mov bx, cs
8 \ @1 g8 a7 e4 x lea dx, int41handler29 H& _! _' _! @1 E7 ?
xchg dx, es:[41h*4]1 e5 ~+ n. a/ m/ g' P* p# U3 u
xchg bx, es:[41h*4+2]+ m7 s; z' \ ?& l* x3 N
mov ax,4fh/ D4 @( R; I% w; k/ {& h
int 41h7 u1 J# I' |: u8 m1 z
xchg dx, es:[41h*4]. R3 T' W$ f7 a/ \/ v+ g
xchg bx, es:[41h*4+2]
; T; O! U6 A9 k& h6 e; I. o cmp ax, 0f386h( o2 g* y- _% t
jz SoftICE_detected6 O) P3 D4 ~7 e' |/ ^; |' I
- \7 s N6 w N* F$ |# S+ O* v
int41handler2 PROC
8 p9 C; t! t/ C iret
7 t/ M8 l/ Z' W* n# Q | Rint41handler2 ENDP
% v4 V Q O" B) ]2 f# M+ p# \) Y0 W" O
) h! e! _' ~+ X
_________________________________________________________________________* c" e% O+ h- O3 K. u' j8 E9 g* L
2 C2 u! O4 n" U: M: [$ M2 Z
% O; c8 ?' k0 w5 UMethod 06" U5 |' N+ G' C$ r
=========' H! F A6 L7 P6 T: W; p6 y
5 ?2 ?( N' {! O* D6 i0 v$ n
5 V4 t' k _4 t3 Q2 `- R
2nd method similar to the preceding one but more difficult to detect:2 Q9 k: i7 }! p0 w# w+ U" J# [ c- G
# R0 X2 G. ?7 ~% H" p4 d& \8 Y' p8 V1 Q, \5 M1 b* b8 t) ?
int41handler PROC
3 s7 w( [/ f$ V% Y mov cl,al
9 h. ]9 X- b7 V iret
& [$ w! F# P, tint41handler ENDP7 [/ k8 [: M- v4 ^
7 P( a% m/ k) o1 {# U4 d
. T& I. C _$ m" f1 E
xor ax,ax4 e$ e, Z- I3 ^' x
mov es,ax X7 y& E. Z- j4 `. f$ S
mov bx, cs" A% o3 t! W; k3 g1 K+ }' ^
lea dx, int41handler* M! X) a4 Z- u) T* n
xchg dx, es:[41h*4]; e. G) d; r# z
xchg bx, es:[41h*4+2]- Y- S( d/ {. c2 q* J* H, F8 ]
in al, 40h
9 G4 ?0 I. Q2 |# ^ xor cx,cx
/ G8 C2 Z; A! S- N int 41h
3 P- c( \% Y* X. H! H xchg dx, es:[41h*4]) F# r7 z$ M2 Q* H3 \4 q& s
xchg bx, es:[41h*4+2]2 K9 J" m+ s6 L! y( r9 `2 _
cmp cl,al
+ B/ i% ]! s7 d4 @3 d5 P: ]6 a jnz SoftICE_detected
8 w( M9 x3 y7 K& ? d
8 f, k% f8 @1 W6 C; [6 C_________________________________________________________________________
- f( ]+ [5 Z2 N+ r- ? B `; _
; T0 ]; b% T1 _7 c- i; _- QMethod 07/ ^6 H' ?0 X4 T8 m4 L! I2 l
=========
' M, P! r- y( Z# H! J( Z! I8 e' q E9 i, Y" x
Method of detection of the WinICE handler in the int68h (V86)
& G+ v3 W. y$ O; ?& x( h7 q& |: G' Z1 a7 N7 |
mov ah,43h( G; P* i6 C+ l; Z/ x, f. a( q
int 68h7 V8 f6 U6 b- a4 j) ^& ~+ d& r4 E
cmp ax,0F386h
8 z3 ^- z( F8 S- c jz SoftICE_Detected
! s8 |& b' @$ Y: ^4 a4 k
3 R! |! s$ ?! i
; R2 }! S3 X9 v=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 X& t" ^# s/ B app like this:& Y3 s; a& t+ W- [ `& b
' S, l# P( @2 Y/ W4 b+ x BPX exec_int if ax==68- B& {8 P7 p, U( l# d0 r
(function called is located at byte ptr [ebp+1Dh] and client eip is
) i! t; f9 b+ y' ] located at [ebp+48h] for 32Bit apps)
5 Z% x7 S; P( K% X6 ^6 \& q% |__________________________________________________________________________
) d( S& r) T$ i# w: L5 h' \7 v& z; T& h& J. E
5 @: d8 B' D5 s( i4 s* I( J$ S
Method 08
; R% Z+ ?+ _- ~0 p2 P=========) b- h3 I! Q W, E, A _- B
9 r2 v' _5 T' @0 L( L0 P) J8 f3 pIt is not a method of detection of SoftICE but a possibility to crash the' _9 f1 B$ |! D: E
system by intercepting int 01h and int 03h and redirecting them to another6 H& Q( O+ Y }
routine.
* J& h$ i3 g0 @/ b( B. _+ BIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
9 W/ U$ m& Q* @% Q6 [to the new routine to execute (hangs computer...)
) \* u# E# B+ @, Z8 d! E5 p1 d0 ]2 [
- O6 _! F2 H6 a1 } mov ah, 25h
" Z2 t2 Y6 F- z f mov al, Int_Number (01h or 03h)0 i+ i' F/ S5 \6 M7 m" W7 |
mov dx, offset New_Int_Routine
) e% `) q/ o5 V$ Z! }" p' f% H int 21h
0 w' R: p! s9 X x0 u6 P. c1 a# r" {5 t4 d6 O
__________________________________________________________________________% u& `/ N# K- D7 t' F" d
, _2 R5 ^9 @+ l. U* e
Method 09$ G9 A4 b3 Q9 j3 b: w
=========
( s6 P% O9 v- }9 \- q1 B9 z2 W4 c7 q6 i
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only6 a3 n3 ~1 \8 I2 I
performed in ring0 (VxD or a ring3 app using the VxdCall).
# C" d7 N2 n1 R. I' M6 I0 p6 PThe Get_DDB service is used to determine whether or not a VxD is installed2 [' T2 c9 }( X0 c r
for the specified device and returns a Device Description Block (in ecx) for r" L4 E( ?4 X* p, {
that device if it is installed.# Y) T5 K: s) R/ e% \3 G. V
8 x0 l; _" Y7 f# w
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID: B/ F8 j$ C3 {; i N
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)( a; ` J/ k7 |# `5 ]# `4 [$ V' Q
VMMCall Get_DDB
b0 Z7 H1 ~% l, P/ ?9 ?) ]+ B; K [ mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
9 c- S! o) p3 F) H
( V2 Z( \! v# H* CNote as well that you can easily detect this method with SoftICE:6 U1 v4 h2 b# S$ P9 N
bpx Get_DDB if ax==0202 || ax==7a5fh
- }8 v% Z) S) r R2 i
u2 _) v, n o__________________________________________________________________________
2 ~/ v& [/ A( k* k5 b# Y7 F& Z( F. s; H( B Y9 D, u* e
Method 107 |* S. { d2 [% c* @+ c* g0 c
=========( b6 q/ Q0 w1 |3 \; u" ~8 ?
6 n+ E' ^" W) C' B, U/ [=>Disable or clear breakpoints before using this feature. DO NOT trace with T7 H4 T6 E# J& B$ A- x7 x
SoftICE while the option is enable!!
) e8 `$ Q% c& k8 \( @
- D' R2 `! w$ T0 `) n4 JThis trick is very efficient:
/ C! g& D6 d" y6 p! V4 ?by checking the Debug Registers, you can detect if SoftICE is loaded
7 D5 o% O& |- E9 Y(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if3 D/ }, q3 \3 q3 ^8 |; O4 I, s% H
there are some memory breakpoints set (dr0 to dr3) simply by reading their2 Y* D% E& d2 v) |: o2 i% w) W
value (in ring0 only). Values can be manipulated and or changed as well. A+ o( Y6 E4 C0 ]/ s7 I
(clearing BPMs for instance). W$ s$ W% R- L: R u7 z; v
* Y- s$ C2 U# X
__________________________________________________________________________3 d& F- s% B. ?2 m
% ?' e5 p& l0 GMethod 11
; X4 }3 A: T; b" }0 b( ^' N: V: w=========" @" S* S$ F# e- C
/ R4 J! p- l& S7 HThis method is most known as 'MeltICE' because it has been freely distributed, K3 p& i3 p8 u. M' C+ s
via www.winfiles.com. However it was first used by NuMega people to allow
+ Y3 E! N6 d3 p9 P! p6 N; r$ xSymbol Loader to check if SoftICE was active or not (the code is located
/ R# K$ E6 Z2 O; binside nmtrans.dll).
/ o. h2 \* S' `
`1 Z( v3 r0 G3 x2 |" ]The way it works is very simple:
" Q! D5 N" _. q/ }- I/ k7 u1 A5 lIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
j3 V8 ?% s, f3 jWinNT) with the CreateFileA API.
# e7 v2 z) j* t, {' l/ a. ]; }1 J! \% q
Here is a sample (checking for 'SICE'):! x x3 s. `9 f1 i* i
0 S+ E) E+ J! c
BOOL IsSoftIce95Loaded()9 z: f- h$ y3 P+ n( {
{
! L, q, d8 a/ N% i0 e5 l' F HANDLE hFile; ( e. G. v; ^8 F, [0 `/ T# ~7 p
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# z. I. }( Y4 H: g# q. Y0 `5 u FILE_SHARE_READ | FILE_SHARE_WRITE,
! V" f# \5 Y! x7 u q8 r7 z* @ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ R2 [- S/ Y# X% ^* s if( hFile != INVALID_HANDLE_VALUE )
6 P- T; N2 | W W' a. w! m {
' o! T/ |, U4 m8 N' D3 B3 v CloseHandle(hFile);
( \3 U$ K2 `8 G* G0 V% }& C return TRUE;4 s" @0 J2 L* V# u# H6 P
}7 m& G+ v/ ]$ v/ B
return FALSE;: V. ~& \4 F2 _" }6 K
}
8 g, N: ?# Q. H" S5 G* _+ i/ l, F( n* ?: E9 r/ A) a9 H
Although this trick calls the CreateFileA function, don't even expect to be0 M1 P0 v* v4 c9 s5 v" A+ M
able to intercept it by installing a IFS hook: it will not work, no way!1 _, X3 x/ v* ^7 q" o
In fact, after the call to CreateFileA it will get through VWIN32 0x001F5 }: g# z( g( i* W2 t K
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" j! A/ K9 Y+ E. V2 V% W
and then browse the DDB list until it find the VxD and its DDB_Control_Proc+ g' q: Z1 p8 R5 I. R) j
field.0 y P( H/ x2 p6 q0 k
In fact, its purpose is not to load/unload VxDs but only to send a
6 p* S! S3 S8 n" i3 S4 b- CW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 q. A! q: Q' _to the VxD Control_Dispatch proc (how the hell a shareware soft could try# [: X) G, x h# L, J( [. y2 M
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
5 T; z7 p' Y8 s+ o; _If the VxD is loaded, it will always clear eax and the Carry flag to allow& j! C5 j/ g; e. S8 d
its handle to be opened and then, will be detected. l$ ?' o9 |3 s4 R" W
You can check that simply by hooking Winice.exe control proc entry point! X. v u) m# s$ _' |
while running MeltICE.4 M1 P. [. z, a
) p& l; l1 _. A. a, N- i2 W: k- b0 P/ H$ q6 o/ N# T
00401067: push 00402025 ; \\.\SICE% s3 P4 F) p% E7 G9 j
0040106C: call CreateFileA0 ]- C2 x& D2 Q
00401071: cmp eax,-0014 ~$ Z/ I( E: \1 f( |- V( T( }
00401074: je 00401091
$ L% o( n+ G& E" P& f2 a; @4 l6 n; x! h/ W9 J( E! H% Z
9 z/ k. p; N, k1 j
There could be hundreds of BPX you could use to detect this trick.
; A0 T# r4 e0 ]) l-The most classical one is:8 G6 Q9 i9 |- n- u$ I8 k6 j
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||( I$ [4 |3 {. X
*(esp->4+4)=='NTIC') |5 o! N% }# t; A
' i# V" c2 c! G8 [" A. Q' {-The most exotic ones (could be very slooooow :-(
3 v* ` B9 l! v% D4 Z BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
1 E* U! U" h0 s3 _( \& Z7 g ;will break 3 times :-(
# q& M2 V6 i9 q* g9 q' F
c8 j* y6 A8 i) d$ V-or (a bit) faster: " P( J F, o( L; X( X. Z
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
( T* c7 x' S8 E4 h, n0 S; q; m$ k) ~" O; F" V" z4 y
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 6 u2 p6 D; f1 i: E
;will break 3 times :-(* N- @9 O# `2 G/ v
4 K0 W% O2 }' L& k5 U9 _6 s
-Much faster:; K# Y& l' g K4 E8 v
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'$ d5 y5 e& j8 }0 Y. ~
: m( T! ~1 g$ r. T1 i3 K. aNote also that some programs (like AZPR3.00) use de old 16-bit _lopen1 m7 P& H; S$ I
function to do the same job:
- @# u: w( R+ n2 b8 D
) H: f# D3 o& A+ F- ^+ T3 Y* {2 U7 Z push 00 ; OF_READ- P( }; E7 ~( u1 C1 h1 b
mov eax,[00656634] ; '\\.\SICE',0
/ u1 t: E5 i' v" q7 T l" a0 R2 [/ G push eax* r5 y4 L: x8 W8 R8 q6 f, Y
call KERNEL32!_lopen
6 p3 M2 K, f% N. e& O( o2 ^ inc eax/ v) J. S, D% ~/ g
jnz 00650589 ; detected3 H Y- K7 U- b4 a: c( u; a$ y) O4 c
push 00 ; OF_READ
# Q, v$ J. k4 V5 _4 g' }/ A1 o6 m mov eax,[00656638] ; '\\.\SICE'
% k, ?- `/ W I push eax
9 y/ Q) n% [0 E- O7 X call KERNEL32!_lopen+ K6 K' `& O) B% @- ?0 c
inc eax
) E4 V- }' w% N4 r, a jz 006505ae ; not detected# [6 O; [$ m U7 N4 e& p1 e# {) J% y
8 l+ e; n3 B: a% z5 g
3 g- j. _8 z- Y6 [9 [+ O__________________________________________________________________________
7 k1 P! ~; W7 ?' B$ ]
! ^# t# y- k! m2 u2 f2 n# kMethod 12
' ?, \5 Q$ f; O" B% g. E6 {/ ]3 R7 l" J=========3 w6 x0 F# G7 L* O) j. W
% r6 H+ S( y4 [This trick is similar to int41h/4fh Debugger installation check (code 054 h' L& T5 u$ q7 P
& 06) but very limited because it's only available for Win95/98 (not NT)2 |: U8 V- B- B: X R
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. h0 w& ]% D2 D6 U, ^% m. z% z; a* M- t+ x
push 0000004fh ; function 4fh
5 J Z# f; [) {9 s+ X, `4 j push 002a002ah ; high word specifies which VxD (VWIN32)
8 \! a: @8 ^ p: Q+ g ; low word specifies which service
4 ]4 l8 h& C( D (VWIN32_Int41Dispatch)
/ \0 w8 q! s, v+ n; c B Z call Kernel32!ORD_001 ; VxdCall4 h7 Y0 J. `' x/ x: r; B
cmp ax, 0f386h ; magic number returned by system debuggers
) J; h' h# i0 T jz SoftICE_detected
. m" R9 z, P' x8 I: Q# x
! A$ k/ J# i. O( G+ A _2 m: m# pHere again, several ways to detect it:
: o5 E3 C% T% L9 D4 ]6 I. l* e5 r5 u& @+ }6 I! Z8 L8 x% N
BPINT 41 if ax==4f
6 D! t; N) ~; t/ {! L
1 z$ ~: c* w# _; M" a BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
- H( {$ n4 X6 ^0 ]3 u2 b$ [
: {0 J! R, d' W. Y3 p: k3 s. A BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A3 q* u U2 E- ?# ^( d: j | v, P
6 d. m, f- d7 J BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!0 I: J; \3 G# y7 P1 n
( x/ j! S0 V) z: ^5 W
__________________________________________________________________________% R" K3 x9 B5 j. J+ H1 L
: p& X2 e z* B& t( L) x
Method 13
. p# `' r/ {! E7 Q5 }5 H2 W' {=========; b9 l/ N2 A$ v7 _% s
" G+ z$ Y9 y/ Q' fNot a real method of detection, but a good way to know if SoftICE is
F7 D3 F3 o2 J( q- `8 b' ?installed on a computer and to locate its installation directory.
+ c% r1 I5 A7 d; b: pIt is used by few softs which access the following registry keys (usually #2) :0 ]( [) N( X5 I( ^# R7 K( X1 W! a; x$ i
) o! b% O% ^8 E! w8 C
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- `, y8 q9 z1 N& E% S\Uninstall\SoftICE+ }4 j1 K/ c }- _
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE+ }: r z4 r& Y
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 H8 L; `: A# m+ T7 U\App Paths\Loader32.Exe, o7 l! V0 c8 ~# l7 w# O+ T
' M- v& @4 N2 i2 K
; h' |5 q0 o! W4 q( ^* A9 D. n, @$ A pNote that some nasty apps could then erase all files from SoftICE directory1 @9 _/ Y7 f1 `% v* i
(I faced that once :-(
% T) ^9 R/ B' Q1 X k$ k" u9 S. g/ S# }4 K) E* P( M- O8 P
Useful breakpoint to detect it:! R0 x" v* u$ N+ `5 q0 R. D: d8 D
q. t/ |, g8 x+ Y' t0 R. ]
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
+ K* K" X9 T7 c! f2 w' t1 `0 A9 b) a/ b
__________________________________________________________________________
# S% q( a O5 C3 k' n
4 K4 D9 k6 a/ m3 T# y% w1 ^/ d6 X+ n9 Z. C, ?2 N+ n
Method 14 7 Z7 q/ M& G6 y! T
=========/ q8 n7 E0 u6 J7 s" D& v; C' B4 N1 b
5 \8 O% n# e% @6 n* cA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose" o3 ~+ l& Y! u. I. w
is to determines whether a debugger is running on your system (ring0 only).
5 A4 \9 ?" M+ w. p# h" @$ r* r
% d9 M/ G& p9 @6 }' V VMMCall Test_Debug_Installed
% t/ j; Y% L$ |* K& f je not_installed
8 z! F2 {$ a$ \* z* `2 s- w; Z( L8 m0 h0 j* ]; s. O# _* k
This service just checks a flag.
& X7 f: P; |3 J( K* X8 E% m</PRE></TD></TR></TBODY></TABLE> |