<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the program calls
int 03h with EBP = 'BCHK' and AX = 04h. If SoftICE is loaded, its int 03h
handler answers the BoundsChecker request and AL no longer holds 04h on
return; without SoftICE the registers come back untouched.

    mov ebp, 04243484Bh         ; 'BCHK' (BoundsChecker magic)
    mov ax, 04h                 ; request number
    int 3
    cmp al, 4                   ; still 4 -> nobody answered
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach SoftICE's 'back door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-(

Here is a quick description of the functions (all called through int 03h):
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed by
  the program, which only gets control if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD through int 2Fh/AX=1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives a
non-zero entry point, otherwise ES:DI is returned as 0:0.

    xor di, di
    mov es, di                  ; ES:DI = 0:0 before the call
    mov ax, 1684h               ; Get Device API Entry Point
    mov bx, 0202h               ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di                  ; AX is zero when both halves are zero
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di                  ; ES:DI = 0:0 before the call
    mov ax, 1684h               ; Get Device API Entry Point
    mov bx, 7A5Fh               ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

    mov ax, 4Fh                 ; debugger installation check
    int 41h
    cmp ax, 0F386h              ; magic number answered by system debuggers
    jz SoftICE_detected

The next one, as well as the one of Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first swaps a dummy handler
(a plain IRET) into the int 41h vector, so that without a debugger AX comes
back unchanged (4Fh); a debugger such as SoftICE, which traps the interrupt
itself rather than relying on that vector, still answers 0F386h:

    mov bx, cs                  ; ES is assumed to be 0 (IVT segment)
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but harder to detect because
neither function 4Fh nor the value 0F386h appears anywhere: the handler
installed on int 41h copies AL into CL, AL is filled with a pseudo-random
byte read from the timer (port 40h) and CX is cleared before the call.
Without a debugger the handler runs and CL ends up equal to AL; if SoftICE
traps the interrupt, the handler never runs and CL stays different from AL
(the check is blind when the timer byte happens to be 0).

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function AH=43h returns
the same magic number 0F386h when a debugger is installed.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a detection method but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the specified
device and returns that device's Device Description Block (in ECX) if it is.

    mov eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name        ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if the program was
loaded with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). Their values can be manipulated or changed
as well (clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API; the open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\.\SICE" names the SoftICE VxD; the open succeeds only if it is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, execution goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how on earth could a shareware program load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh              ; function 4Fh (debugger installation check)
    push 002A002Ah              ; high word selects the VxD (002Ah = VWIN32),
                                ; low word the service (002Ah = VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

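The breakpoints above catch these tricks at run time; the same signatures can also be searched for statically in a file image before you ever load it under SoftICE. The scanner below is an added example written for this page (it is not part of the original text, of Haspinst.exe, of stn-wid.zip or of Bleem): it looks for the hard-to-vary immediates of methods 01 to 05, 07 and 12 (the 'BCHK' and 'FG'/'JM' magics, 1684h with the two VxD IDs, 4Fh with the 0F386h compare, AH=43h with int 68h, the 002A002Ah VxDCall selector) and for the MeltICE driver names of method 11. The sample bytes are hand-assembled from the listings in this text and are constructed input; the rule names, window size and the Hit/Rule types are this example's own choices. Treat hits as leads to confirm in a disassembler: 0CCh is also common padding, so the INT 3 rules in particular can fire on unrelated data.

```python
"""Static scan of a raw DOS/Win9x binary image for the anti-SoftICE opcode
patterns (methods 01-05, 07, 12) and driver names (method 11) listed above."""
import re
from dataclasses import dataclass
from typing import List, Tuple

WINDOW = 32   # companions must appear within this many bytes after the anchor


@dataclass(frozen=True)
class Rule:
    method: str
    name: str
    anchor: bytes                  # immediate the trick can hardly avoid
    companions: Tuple[bytes, ...]  # all must appear within WINDOW bytes of it


# Immediates are little-endian. A 66h operand-size prefix may precede the MOV
# in 16-bit vs 32-bit code, which is why every anchor starts at the opcode byte.
RULES = (
    # mov ebp,'BCHK' ; int 3
    Rule("01", "int3_bchk", b"\xBD\x4B\x48\x43\x42", (b"\xCC",)),
    # mov si,4647h ; mov di,4A4Dh ; int 3
    Rule("02", "int3_backdoor", b"\xBE\x47\x46", (b"\xBF\x4D\x4A", b"\xCC")),
    # mov ax,1684h ; mov bx,0202h (SICE) ; int 2Fh
    Rule("03", "int2f_1684_sice", b"\xB8\x84\x16", (b"\xBB\x02\x02", b"\xCD\x2F")),
    # mov ax,1684h ; mov bx,7A5Fh (SIWVID) ; int 2Fh
    Rule("04", "int2f_1684_siwvid", b"\xB8\x84\x16", (b"\xBB\x5F\x7A", b"\xCD\x2F")),
    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    Rule("05", "int41_4f", b"\xB8\x4F\x00", (b"\xCD\x41", b"\x86\xF3")),
    # mov ah,43h ; int 68h ; cmp ax,0F386h
    Rule("07", "int68_43", b"\xB4\x43", (b"\xCD\x68", b"\x86\xF3")),
    # push 4Fh ; push 002A002Ah ; call VxDCall ; cmp ax,0F386h
    Rule("12", "vxdcall_int41", b"\x6A\x4F", (b"\x68\x2A\x00\x2A\x00", b"\x86\xF3")),
)

# Method 02: the back-door function number is loaded into AX just before int 3.
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}

# Method 11 (MeltICE / _lopen variant): driver names, ASCII and UTF-16LE.
DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")
STRING_RULES = tuple(
    ("11", "device_" + n[4:].decode().lower() + suffix, needle)
    for n in DEVICE_NAMES
    for suffix, needle in (("", n), ("_w", n.decode().encode("utf-16-le")))
)


@dataclass(frozen=True)
class Hit:
    method: str
    name: str
    offset: int
    detail: str = ""


def _backdoor_function(data: bytes, anchor_off: int) -> str:
    """Look back up to 16 bytes for 'mov ax,09xxh' (B8 xx 09) and name it."""
    start = max(0, anchor_off - 16)
    for m in re.finditer(rb"\xB8(.)\x09", data[start:anchor_off], re.DOTALL):
        func = 0x0900 | m.group(1)[0]
        return BACKDOOR_FUNCS.get(func, "unknown %04Xh" % func)
    return ""


def scan(data: bytes) -> List[Hit]:
    """Return every rule match in data, sorted by file offset."""
    hits: List[Hit] = []
    for rule in RULES:
        for m in re.finditer(re.escape(rule.anchor), data, re.DOTALL):
            window = data[m.start(): m.start() + WINDOW]
            if all(c in window for c in rule.companions):
                detail = (_backdoor_function(data, m.start())
                          if rule.name == "int3_backdoor" else "")
                hits.append(Hit(rule.method, rule.name, m.start(), detail))
    for method, name, needle in STRING_RULES:
        for m in re.finditer(re.escape(needle), data):
            hits.append(Hit(method, name, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str) -> List[Hit]:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: the snippets of methods 01, 02 (Haspinst loop), 03, 05
# and 12 assembled by hand, plus two MeltICE device names, with NOP padding.
SAMPLE = (
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x02"                          # 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"  # 02
    + b"\x90" * 8
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x01\xF8\x85\xC0\x75\x02"  # 03
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                                          # 05
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x10\x40\x00\x66\x3D\x86\xF3\x74\x02"      # 12
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                                                    # 11
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("method %s  %-20s @ 0x%04X  %s" % (h.method, h.name, h.offset, h.detail))
```

Run it on a real file with scan_file(path); on the constructed SAMPLE it reports one hit per embedded snippet and names the back-door function of method 02 as "execute command" from the preceding MOV AX,0911. A lone pair of magic values without the INT 3 nearby, or a plain run of NOPs, produces no hit.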

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>