<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to invoke the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WinICE
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax ; ES:DI is left at 0000:0000 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed at
a handler that does nothing, so AX can only come back as 0F386h if a system
debugger intercepts the interrupt below the IVT (ES is assumed to hold 0 here,
as set up explicitly in Method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; swap in our dummy handler, keep the old offset in DX
    xchg bx, es:[41h*4+2] ; ...and the old segment in BX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if nothing else handles int 41h, CL equals AL
afterwards, and any difference means a debugger got in the way:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax             ; ES = 0 -> es:[41h*4] is the int 41h IVT entry
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h            ; a changing value (timer), so AL is not a constant
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether there are memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated and/or changed as
well (clearing BPMs for instance).

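To make sense of the 0x700 and 0x400 values quoted above, here is a small DR7 decoder, added as an example for this page (it is not code from the original text). It splits a DR7 value into the LE/GE flags and the per-register enable, R/W and LEN fields as laid out in the Intel manuals, so a ring-0 reader can tell the loader flags from an actual BPM. The constructed value in the usage section stands in for a register read.

```python
# Bit layout of DR7 (Intel SDM, "Debug Registers"): L0..L3/G0..G3 enable bits
# in bits 0-7, LE/GE in bits 8-9, bit 10 reserved (reads as 1), GD in bit 13,
# and a 4-bit R/Wn + LENn field per breakpoint starting at bit 16.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value into its global flags and the enabled breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "local": bool(local), "global": bool(glob),
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000), "breakpoints": bps}


def hardware_breakpoints_armed(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled (what the trick reads as 'BPMs set')."""
    return bool(dr7 & 0xFF)


def softice_loader_signature(dr7: int) -> bool:
    """The observation from the text: DR7 reads 0x700 (LE and GE set) when the
    program was started by the SoftICE loader and 0x400 (only the reserved
    bit) otherwise. LE/GE are the 'exact breakpoint' flags, not breakpoints."""
    return (dr7 & 0x300) == 0x300


def describe(dr7: int) -> str:
    """Human-readable one-liner for a DR7 value."""
    d = decode_dr7(dr7)
    parts = [f"DR7={dr7:#x}", f"LE={int(d['le'])}", f"GE={int(d['ge'])}"]
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        parts.append(f"DR{bp['index']}: {scope} {bp['kind']} {bp['length']}-byte")
    if not d["breakpoints"]:
        parts.append("no hardware breakpoints")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed values: the two from the text, plus DR0 armed as a local
    # 4-byte read/write breakpoint (what a BPM on a dword would look like).
    for value in (0x400, 0x700, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(describe(value))
```

Reading DR7 from ring 3 faults on the systems the text covers, which is why the trick is ring-0 only; the decoder is the part that is portable.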
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver answers to the device name \\.\SICE. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32)
                   ; low word specifies which service
                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001 ; VxdCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
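The instruction sequences and strings behind methods 01 to 05, 07, 11, 12 and 13 can be turned into static signatures for triaging a sample before it runs. The following Python script is an added example written for this page, not code from the text or from any tool it mentions: it encodes those sequences as byte regexes (standard x86 encodings of the exact instruction forms shown above, immediates little-endian, an optional 66h prefix for the 16-bit register loads in 32-bit code) and scans a buffer for them. The bytes in SAMPLE are constructed for the demonstration and are not taken from any real binary.

```python
import re

# One rule per trick: (label, regex over raw bytes). The gaps (.{0,n}) allow a
# few unrelated bytes between the instructions, e.g. the MOV DX,[BX] in the
# Haspinst.exe listing between the AX load and the two magic-value loads.
RULES = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.S)),
    ("Method 02: SoftICE back door (mov si,4647h / mov di,4A4Dh / int 3)",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}(?:\x66)?\xBF\x4D\x4A.{0,8}\xCC", re.S)),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F", re.S)),
    ("Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}\x3D\x86\xF3", re.S)),
    ("Method 07: mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}\x3D\x86\xF3", re.S)),
    ("Method 11: MeltICE device name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.S)),
    ("Method 13: SoftICE registry key string",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(data: bytes):
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, rx in RULES:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(data: bytes):
    """Set of method numbers (as numbered in this text) whose signature appears."""
    return {label.split(":")[0][len("Method "):] for _, label in scan(data)}


def scan_file(path: str):
    """Scan a file on disk (raw bytes, no PE parsing: sections are scanned as-is)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the Method 02 sequence from the Haspinst.exe listing, a
# Method 03 probe, a MeltICE device name, the Method 12 VxDCall arguments and a
# Method 13 registry path, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                 # mov ax,0911h
    + b"\x8B\x17"                     # mov dx,[bx]
    + b"\xBE\x47\x46"                 # mov si,4647h
    + b"\xBF\x4D\x4A"                 # mov di,4A4Dh
    + b"\xCC"                         # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16"                 # mov ax,1684h
    + b"\xBB\x02\x02"                 # mov bx,0202h
    + b"\xCD\x2F"                     # int 2Fh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"              # '\\.\SICE',0
    + b"\x6A\x4F"                     # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"         # push 2A002Ah
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

A hit only says the sequence is present in the file: code that builds the immediates at run time, splits them across instructions or decrypts itself first will not match, so this is a first pass to decide where to put the breakpoints listed above, not a replacement for them.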
1 `8 P+ e7 m0 A+ H( X__________________________________________________________________________# V: [8 H' A7 T l* n2 Z2 q
$ h2 D: ^6 L: n: E0 E- e: j
/ K2 [1 c- N5 Y9 O
Method 14 6 ]. Y# q! X* P* T: T
=========
' b- A5 V& X3 M/ H6 e2 i6 n8 V" U5 f. S5 e, ~
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 G( {$ E: Y* M: \0 Mis to determines whether a debugger is running on your system (ring0 only).& i/ e( J2 m3 N/ d' {5 l
7 ^( K) V9 v d; Y( z) p) l
VMMCall Test_Debug_Installed
: j4 ?3 V& v9 H je not_installed
; G. K9 Q* V4 x
* T9 t& m5 N" L& r& @This service just checks a flag./ N) B0 N8 K, g' k1 \# n
</PRE></TD></TR></TBODY></TABLE> |