<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________7 T$ J4 B) A g, g9 w" z" Z6 r

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0, the interrupt vector table segment
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps).
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Try to open the SoftICE VxD by its device name: if the open
       succeeds, the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
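As a defender's counterpart to methods 01 to 13 above, here is an added example (not part of the original text) that scans a binary for the byte-level traces these tricks leave behind: the 'BCHK' immediate, the 4647h/4A4Dh magic pair, the 1684h/VxD-ID pair, the 0F386h compare, the 002A002Ah VxDCall selector, the SoftICE device names and the registry key. The byte encodings, the method mapping and the sample blob are my own construction; a hit is a lead to confirm by disassembly, not proof that the trick is used.

```python
import re
import sys
from collections import namedtuple

Hit = namedtuple("Hit", "offset method match note")

# Byte-level signatures for the anti-SoftICE methods described above. Immediates
# are little-endian 16-bit encodings; the optional 66h operand-size prefix between
# two instructions covers the same code assembled as 32-bit. The byte patterns and
# their method mapping are my own construction, not taken from the original text.
SIGNATURES = [
    (rb"\x4B\x48\x43\x42", "01", "dword 4243484Bh ('BCHK'), BoundsChecker signature"),
    (rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A", "02", "mov si,4647h / mov di,4A4Dh magic pair"),
    (rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)", "03/04",
     "mov ax,1684h / mov bx,<SICE or SIWVID VxD ID> before int 2Fh"),
    (rb"\x3D\x86\xF3", "05/06/07/12", "cmp ax,0F386h (system debugger magic number)"),
    (rb"\x68\x2A\x00\x2A\x00", "12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", "11", "SoftICE device name for CreateFileA/_lopen"),
    (rb"NuMega\\SoftICE", "13", "SoftICE registry key path"),
]


def scan(blob):
    """Return every signature hit in blob as Hit tuples sorted by offset.
    A hit is a lead to confirm by disassembly, not proof the trick is used."""
    hits = []
    for pattern, method, note in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append(Hit(m.start(), method, m.group(0), note))
    return sorted(hits)


# Constructed sample, not a real binary: fragments of methods 01, 02 and 05
# in NOP padding, followed by the device-name and registry strings.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                       # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"                       # mov ax,4 / int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov ax,0911h / mov si / mov di / int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4fh / int 41h / cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"        # device names for CreateFileA
    + b"Software\\NuMega\\SoftICE\x00"              # registry key
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print("%08x  method %-12s %s" % (h.offset, h.method, h.note))
```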

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>