<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI == 0000:0000 if no such VxD
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0000h: the real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; only a debugger sitting below the IVT answers
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; copy al to cl, only reached if nobody intercepts int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0000h: the real-mode interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a hard-to-predict value
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al means our handler was never called
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
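The 0x700 / 0x400 values above are just DR7 bit fields. The decoder below is an added example (not part of the original text): it names the DR7 bits as documented in the Intel SDM (the reserved bit 10 is the 0x400 baseline, LE|GE is the extra 0x300) and lists which dr0-dr3 slots currently hold an enabled BPM, which is what an analyst would check when deciding whether a sample under test can notice the debugger. The DR7/DR0-DR3 sample values are constructed for the demonstration, not captured from a real machine.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7    L0,G0 ... L3,G3     local/global enable for slots 0..3
#   bit  8       LE                  local exact breakpoint enable
#   bit  9       GE                  global exact breakpoint enable
#   bit  10      reserved, always reads as 1 (hence the 0x400 baseline)
#   bits 16..31  R/W0,LEN0 ... R/W3,LEN3   2-bit condition + 2-bit length
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Split a DR7 value into named fields (plain dict, easy to assert on)."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"enabled": local or glob, "global": glob,
                      "rw": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "reserved10": bool(dr7 & 0x400), "slots": slots}


def exact_match_flags_set(dr7):
    """True when LE and GE are both set: the 0x700-vs-0x400 difference above."""
    return (dr7 & 0x300) == 0x300


def active_bpms(dr7, dr0_3):
    """List (slot, address, condition, length) for each enabled breakpoint,
    i.e. what a ring0 program could read back from dr0-dr3 as a BPM."""
    d = decode_dr7(dr7)
    return [(i, addr, s["rw"], s["len"])
            for i, (s, addr) in enumerate(zip(d["slots"], dr0_3))
            if s["enabled"]]


# Constructed sample values (not captured from a real machine):
# 0x700 baseline plus L0 with R/W0=11,LEN0=11 (4-byte read/write BPM) and
# G2 with R/W2=01,LEN2=01 (2-byte write BPM).
SAMPLE_DR7 = 0x050F0721
SAMPLE_DR0_3 = [0x00401000, 0, 0x00402340, 0]

if __name__ == "__main__":
    print("LE|GE set:", exact_match_flags_set(SAMPLE_DR7))
    for slot, addr, kind, length in active_bpms(SAMPLE_DR7, SAMPLE_DR0_3):
        print(f"BPM dr{slot} at {addr:#010x}: {kind}, {length} byte(s)")
```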

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the Win9x SoftICE VxD; the open
       only succeeds when the driver is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>