<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get to the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is located at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP      ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
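Added example (not part of the original text): a small C scanner that looks for the byte patterns of the two INT 3 checks above (Method 01's 'BCHK' handshake and Method 02's 'FG'/'JM' magic pair) in a raw code buffer, the way an analyst triages a packed executable. The instruction encodings and the constructed sample buffer are assumptions stated in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Instruction encodings assumed for the two INT 3 based checks:
 *   mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42   (32-bit code, Method 01)
 *   mov si, 4647h ('FG')        -> BE 47 46         (Method 02, 16-bit; a
 *   mov di, 4A4Dh ('JM')        -> BF 4D 4A          66h prefix may precede)
 *   int 3                       -> CC
 * A hit is counted only when an INT 3 follows within INT3_WINDOW bytes, so
 * a stray occurrence of the immediates in data is not reported. */
#define INT3_WINDOW 16

/* bchk: Method 01 sequences found; backdoor: Method 02 sequences found */
typedef struct { int bchk, backdoor; } sice_hits;

static const uint8_t BCHK_IMM[]  = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t MOV_SI_FG[] = { 0xBE, 0x47, 0x46 };
static const uint8_t MOV_DI_JM[] = { 0xBF, 0x4D, 0x4A };

static int match_at(const uint8_t *buf, size_t len, size_t at, const uint8_t *pat, size_t n)
{
    return at + n <= len && memcmp(buf + at, pat, n) == 0;
}

/* Is there a CC byte in buf[from .. from+INT3_WINDOW)? */
static int int3_follows(const uint8_t *buf, size_t len, size_t from)
{
    for (size_t i = from; i < len && i < from + INT3_WINDOW; i++)
        if (buf[i] == 0xCC) return 1;
    return 0;
}

sice_hits scan_for_int3_tricks(const uint8_t *buf, size_t len)
{
    sice_hits r = { 0, 0 };
    for (size_t i = 0; i < len; i++) {
        size_t j = i + sizeof MOV_SI_FG;   /* where the 'JM' load would sit */
        if (match_at(buf, len, i, BCHK_IMM, sizeof BCHK_IMM) &&
            int3_follows(buf, len, i + sizeof BCHK_IMM))
            r.bchk++;
        if (match_at(buf, len, i, MOV_SI_FG, sizeof MOV_SI_FG) &&
            match_at(buf, len, j, MOV_DI_JM, sizeof MOV_DI_JM) &&
            int3_follows(buf, len, j + sizeof MOV_DI_JM))
            r.backdoor++;
    }
    return r;
}

/* Constructed sample: the Haspinst.exe loop body from the listing above,
 * followed by a 32-bit BoundsChecker-style sequence (Method 01). */
static const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09, 0x8B, 0x17,        /* mov ax,0911h ; mov dx,[bx]  */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,  /* mov si,4647h ; mov di,4A4Dh */
    0xCC, 0x83, 0xC3, 0x02,              /* int 3        ; add bx,2     */
    0xBD, 0x4B, 0x48, 0x43, 0x42,        /* mov ebp,4243484Bh ('BCHK')  */
    0x66, 0xB8, 0x04, 0x00, 0xCC,        /* mov ax,4     ; int 3        */
    0x3C, 0x04,                          /* cmp al,4                    */
};

const uint8_t *sample_bytes(void) { return SAMPLE; }
size_t sample_len(void) { return sizeof SAMPLE; }
```

Feed scan_for_int3_tricks() the raw bytes of a code section; sample_bytes()/sample_len() return the constructed buffer, which yields one hit of each kind.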
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========
A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; ...and restore the original one
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax             ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h             ; hard to predict value (timer port)
    xor cx, cx
    int 41h                ; our handler copies al into cl...
    xchg dx, es:[41h*4]    ; restore the original handler
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; ...unless a debugger intercepted int 41h
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
     BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                      ; set interrupt vector
    mov al, 01h                      ; interrupt number (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

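Added example, not from the original text: a C decoder for a DR7 value that shows what the two values quoted above (0x700 and 0x400) actually encode and how armed BPMs (DR0 to DR3) would show up when the register is read. It only decodes values passed to it; the DR7 value with one breakpoint is a constructed assumption labelled in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (Intel SDM vol. 3): bit 2n = Ln, bit 2n+1 = Gn (local/global
 * enable for DR0..DR3), bit 8 = LE, bit 9 = GE, bit 10 always reads as 1,
 * bit 13 = GD; for breakpoint n, bits 16+4n..17+4n = R/Wn (0 exec, 1 write,
 * 3 read/write) and bits 18+4n..19+4n = LENn (0 = 1, 1 = 2, 3 = 4 bytes,
 * 2 = 8 bytes in long mode only). */
typedef struct {
    int enabled[4];  /* DRn armed (L or G bit set)          */
    int rw[4];       /* R/W field of DRn                     */
    int len[4];      /* breakpoint length of DRn, in bytes   */
    int le, ge, gd;  /* exact-match flags and general detect */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d;
    for (int n = 0; n < 4; n++) {
        unsigned len_field = (dr7 >> (18 + 4 * n)) & 3;
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) != 0;
        d.rw[n] = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = len_field == 0 ? 1 : len_field == 1 ? 2 : len_field == 3 ? 4 : 8;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* How many hardware breakpoints (SoftICE BPMs) are armed in this DR7. */
int armed_bpm_count(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

/* The two values quoted in Method 10 differ only in LE/GE (bits 8 and 9):
 * 0x400 is the reset value (just the always-set bit 10), 0x700 adds LE+GE. */
int has_le_ge_set(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

/* Constructed value (assumption): DR0 armed as a 4-byte read/write
 * breakpoint (L0 set, R/W0 = 3, LEN0 = 3) on top of the 0x400 baseline. */
#define SAMPLE_DR7_WITH_BPM 0x000F0401u

int main(void)
{
    uint32_t vals[] = { 0x400, 0x700, SAMPLE_DR7_WITH_BPM };
    for (size_t i = 0; i < 3; i++) {
        dr7_info d = decode_dr7(vals[i]);
        printf("dr7=%08x LE=%d GE=%d armed=%d DR0:%s rw=%d len=%d\n",
               (unsigned)vals[i], d.le, d.ge, armed_bpm_count(vals[i]),
               d.enabled[0] ? "on" : "off", d.rw[0], d.len[0]);
    }
    return 0;
}
```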
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes zero
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>