<TABLE width=500>5 p- ]( m3 j5 G/ h
<TBODY>
' _' _: ^2 X1 b, [8 l<TR>2 J4 y; v; x5 X. f! Q( U! J
<TD><PRE>Method 01
* [) ]9 U! C& W- c% P8 ]( R- N- D=========
" a* K4 n) T7 j$ z4 ?3 R0 D) w0 F1 r7 B8 `3 |/ E6 ]$ W
This method of detection of SoftICE (as well as the following one) is! R& {# Q6 J6 Z) N$ f" G" A
used by the majority of packers/encryptors found on Internet.% [ ?4 q! Y% a) y/ k1 ?! Q
It seeks the signature of BoundsChecker in SoftICE
9 k; K7 h, ]) x5 W: ~$ k) y0 ~: c% {) _
mov ebp, 04243484Bh ; 'BCHK'$ B5 @, y6 V8 q Z* } M4 ~4 k
mov ax, 04h6 f( A9 _% L) b1 Z. R9 n4 ]8 Z
int 3
% K$ O* s+ {0 U! d cmp al,4
. P5 K$ O( ]# V; Z jnz SoftICE_Detected$ T: a8 y( I. |; X% d
/ ]" j5 M- ^: V/ g
___________________________________________________________________________
4 K& b1 R- W- S+ w/ x3 ?2 D" Q! t' O. @# S+ G. j6 K
Method 02! H9 B* ?. n3 i" Y* X7 W
========= F A; i+ l# r) a
9 ]* w$ q/ P7 D+ `1 u% C' A) LStill a method very much used (perhaps the most frequent one). It is used0 @% D; ?* G$ P: R7 D& c; ?3 y; {, K# t
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
c: J; r! V$ yor execute SoftICE commands...
" g5 |/ K* x FIt is also used to crash SoftICE and to force it to execute any commands
& L3 O+ G9 ~& x8 Y/ K6 Y/ E6 c(HBOOT...) :-((
8 g5 Q7 ~7 X; c0 C1 S
. ?9 T) P& G- \+ k; p2 WHere is a quick description:
) e. \# f. d- p5 ^5 M8 h-AX = 0910h (Display string in SIce windows)2 g4 e9 J* u; x) T# @
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
- c( a* u9 W5 Q2 K-AX = 0912h (Get breakpoint infos)
% ~, m$ ]: z" d$ f* M* J& C-AX = 0913h (Set Sice breakpoints)
# T4 C8 H4 z- ~0 k-AX = 0914h (Remove SIce breakoints)3 P0 Q7 y1 }. Y+ [* ]) S
3 S$ p& x- o5 s+ MEach time you'll meet this trick, you'll see:, L" w- S+ g, {2 j
-SI = 4647h
) K# A- V# B: G! k-DI = 4A4Dh: _4 E# O% l2 _% \, g' D! z
Which are the 'magic values' used by SoftIce.( o/ m/ [* W" j2 z2 O
For more informations, see "Ralf Brown Interrupt list" chapter int 03h. v, X& c5 s P3 j3 F& J* }
9 a! E* L8 `& \9 b0 y. D; [! w: D
Here is one example from the file "Haspinst.exe" which is the dongle HASP
/ l( a3 e0 ~! C! a- zEnvelope utility use to protect DOS applications:
/ ^3 t5 ~3 H, t+ c: k: |" C* w7 w" a, \" ^3 y* B9 C+ y: ~7 o
( Y3 Q' @/ u; t
4C19:0095 MOV AX,0911 ; execute command.
" i. _: c" w% N( X& `9 l. n/ C4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)." [: ?3 d3 [0 X B6 c
4C19:009A MOV SI,4647 ; 1st magic value.# x, T y% U! {
4C19:009D MOV DI,4A4D ; 2nd magic value.* t5 d# l# W* I n
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
" W4 ] p' Y; E% F% J4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
) ^6 P/ o: H( t8 ]' m7 i0 r4C19:00A4 INC CX* W, i: M3 u2 Z1 V/ q' S; Q0 }
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute R+ @9 }# P0 s" T
4C19:00A8 JB 0095 ; 6 different commands.. l; m: i# j1 p+ f: [( M
4C19:00AA JMP 0002 ; Bad_Guy jmp back.% l+ S5 j8 t5 {
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
3 {" G! x+ J4 F0 k+ h
4 g; X) s" F% M& r* l, L2 pThe program will execute 6 different SIce commands located at ds:dx, which
" \( }* z2 A" O6 m( O4 x/ Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.5 n# E. P* ^# R/ e: k
4 P3 b Z9 e/ c1 b' r) \4 a4 C# u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.* B- x Z4 z4 u( V
___________________________________________________________________________! x) e: I- ?% Z2 Q0 i
8 Y* @, a7 O9 a* I) s& q* r1 a T9 K" T0 z
Method 037 H) r3 u( u; R
=========
( e/ Y5 z# O. z+ @' S
) }5 G' c q/ f" oLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
3 I# W8 Z. X# b2 P& M(API Get entry point)
/ a1 A# U9 F% \/ u * U$ j+ k- E# B" C" r
- c; N3 G7 m# l6 F# K
xor di,di
$ T- ~: Z& l# F- N& ~, k! { mov es,di2 ]! K- |% w- W0 Y6 i0 l9 t A
mov ax, 1684h
5 f2 ?: Y$ k& _$ e& [ mov bx, 0202h ; VxD ID of winice" w1 G4 z- A1 ~9 o3 |' j% Y! @
int 2Fh& X& C" u; {+ ~0 A! q& b7 @
mov ax, es ; ES:DI -> VxD API entry point
& V& ?1 M- G9 i( o add ax, di4 b+ N7 ?% D0 A9 ]: c( n$ {- {
test ax,ax
0 O* y4 C" X' ~9 r1 D. E3 V5 e; { jnz SoftICE_Detected
/ k7 K5 q6 E3 n5 P* P
; @- t2 ^3 ] x w4 e2 s1 p9 F$ C___________________________________________________________________________: ^4 F' P# w' u1 |3 E. `& S$ X
& ^0 ?5 K) z6 v2 R7 RMethod 04/ K/ H' j; B& o
=========+ Z/ m# g- P( A5 Q. ~
1 R: q9 m% g8 `6 z" ]Method identical to the preceding one except that it seeks the ID of SoftICE s) L* S" V) L! z) \( M( |
GFX VxD.
& _. C7 h+ n; }- w. K8 V' X7 j' ~
+ m; Y+ a l7 Z$ z xor di,di
+ T3 b4 d5 G! K K! k/ ] mov es,di; t' ^" e: E! ]2 Q/ J) f1 ^- A
mov ax, 1684h , T( S9 N# O" z, J j1 Y: c
mov bx, 7a5Fh ; VxD ID of SIWVID
% f# @) @' a. K2 W. h4 Q int 2fh
2 r! Q- \9 |1 j0 T mov ax, es ; ES:DI -> VxD API entry point
6 q) B" v& F) L add ax, di& @( d9 p4 l1 l6 X3 E
test ax,ax. r- W' a0 R* Z9 s- R4 C7 S4 u
jnz SoftICE_Detected9 {. O, v. h9 S( p" ^
0 ]$ C* n5 E# P__________________________________________________________________________
# u( \7 @# E+ L- l- `" t) ~0 Z# |; {1 W7 I+ L3 ^2 m% ?+ D
6 x C- A) e- L# SMethod 05
3 E+ R7 b* L1 e( A2 t6 A=========; R! v1 Z `0 } i+ d& N
N/ I; W: _$ L; t
Method seeking the 'magic number' 0F386h returned (in ax) by all system9 w% t) K) l/ [5 x I
debugger. It calls the int 41h, function 4Fh.
6 k6 k! { X# R: g$ d8 e: NThere are several alternatives.
' s# {! I: T* q0 t. t+ g
* ~9 c0 O9 V' _: W- w) @7 h. FThe following one is the simplest:- I: t1 s8 N Z7 J$ _- l# V
' v( x, ?% X- s+ Y: B1 P' B4 o
mov ax,4fh
* @1 k& G4 e g. `2 b int 41h8 o4 V: R; g4 b5 H$ A3 P
cmp ax, 0F3861 i; r2 u, v9 ^: e
jz SoftICE_detected
0 g' h) }6 ~5 o* l. r" G4 Z# x$ [; T3 _% e% q% N. e) ]/ ^
" m4 @$ g' o+ a7 W- A0 L, i
Next method as well as the following one are 2 examples from Stone's
/ u9 H( Y4 K3 w& {"stn-wid.zip" (www.cracking.net):" a! E3 }% [, a2 c. F& g
3 }# s! g0 V/ V! N- Z! M
mov bx, cs+ w6 i; g# W& k9 I' w
lea dx, int41handler2
: W3 _2 M7 y$ u, x8 S xchg dx, es:[41h*4]- R9 Q! k4 N% c
xchg bx, es:[41h*4+2]6 O9 |6 E" u% g5 g, @
mov ax,4fh
4 c( C7 i9 R; G7 | int 41h
9 h+ I9 Q0 g4 M- J4 j; k xchg dx, es:[41h*4]3 s+ ]2 p0 _" n! o& I$ _6 j4 R8 c
xchg bx, es:[41h*4+2]
. @7 c1 a, t. ~9 p cmp ax, 0f386h7 F+ i8 U( c6 d
jz SoftICE_detected% ?* D2 E, Z j9 Z4 w- }
" y5 R: m( b2 M, e5 h6 gint41handler2 PROC2 i! @- a+ ~3 b2 k& b
iret
2 t+ |0 h% K |int41handler2 ENDP; ^7 t8 a! N1 }$ E. j: P
8 `. b) H/ ~# M4 p9 M2 k8 @) y! ^$ t) p, M
_________________________________________________________________________
% ?! f" M; j2 e F& u0 M9 }! e: ]' U6 y
9 K$ T. U; O5 a- B4 C
Method 06/ Q) G1 G- b2 G, W' }
=========' Q1 O) z. J0 L9 r% ^
! Z* R0 i0 K6 ]! v; e8 z
' F2 m# h1 @6 F6 K% _, \! v! u
2nd method similar to the preceding one but more difficult to detect:
7 N+ D% q8 X: S! t" O
1 W1 K1 f+ \& o5 v: Q% R( u6 T- ?+ B) c8 I/ _8 O) _
int41handler PROC
+ B- X' y x( d8 [ mov cl,al
0 Q& S/ ?4 E) v) E iret) G% B. ~# @: P' ^, C# _0 O
int41handler ENDP
/ Q5 v @6 K$ u4 l3 x
' Y' k9 q& K1 S8 i% a: M1 |
# _6 V0 `6 J- _! [1 ~0 m% a3 Z xor ax,ax1 `- M; M8 h- y0 n1 ]
mov es,ax- s8 N7 [8 v1 e! G
mov bx, cs. s1 t5 \. h0 @' f: m2 g
lea dx, int41handler
- W* [, s) H. i( Z7 \ xchg dx, es:[41h*4]
, ]* t2 J' @: b2 f5 \; } xchg bx, es:[41h*4+2]' Q `) d6 Z4 d
in al, 40h
' E% d/ C! H6 J. f4 ] xor cx,cx
2 b8 d- H `- z0 o# p% A int 41h7 e1 \+ w* B5 P6 c7 ~
xchg dx, es:[41h*4]
- m [# Y& D7 R& w' M5 u0 F& N* r ?$ n xchg bx, es:[41h*4+2]- H0 }: r5 c5 s3 O$ E9 p' M
cmp cl,al
5 [0 [$ a7 Q/ P9 h: p jnz SoftICE_detected
9 A8 q+ e5 Z# p# J5 U) ~4 d1 y; I8 d7 f: c
_________________________________________________________________________
/ s' H2 z) O, Z$ |/ c) x
5 d/ i y7 V# W7 l5 U, e* Q0 J5 m# `Method 07
7 @+ H( g0 Y7 L% i=========. _5 L, K- B/ r8 ?* X
$ s7 y" M. ?6 ^- uMethod of detection of the WinICE handler in the int68h (V86)9 Z+ d6 T/ d& K/ B
1 x: M" A( |" k9 e6 k! Q ~9 { mov ah,43h
+ \7 b% k- U% i/ M+ N int 68h
" q: r9 P. F& W6 M; _" c/ v* S6 e cmp ax,0F386h
7 h1 ^: l# [: o jz SoftICE_Detected7 L: e4 _( C, S1 A
I( x( j# `0 z& K, H# K7 N* U9 _+ |& j& p6 n% d" ?
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ p. H1 F: {$ {0 R1 W
app like this:
N6 z5 P: j1 N
' d" r* D6 g+ [9 e4 \ BPX exec_int if ax==68: ?' _# n8 V, E* p# C- i% b3 P
(function called is located at byte ptr [ebp+1Dh] and client eip is2 F' z" H2 m/ d, i
located at [ebp+48h] for 32Bit apps)7 m& \( [$ h0 J+ w( R
__________________________________________________________________________$ m$ z* V) r; c- g$ e0 h
0 N# n/ Y1 f' l; S5 g+ s- G5 E8 C$ D8 T) l5 h
Method 089 P9 N8 d0 z- Y: q, M5 O* w% k
=========
- T$ `3 i" P, U& l+ ?& F% z
9 i- C+ ^) A" TIt is not a method of detection of SoftICE but a possibility to crash the6 K% T! I7 i1 W8 \9 s
system by intercepting int 01h and int 03h and redirecting them to another
) B9 w) \1 g. I6 g/ Croutine./ k6 w+ {5 [: F0 V( z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
' A0 R+ f/ |! n$ N6 e9 n. B6 eto the new routine to execute (hangs computer...)
$ @# a8 D' n4 v. n+ {% O3 u" Y# [, _ e' J* q' a$ `
mov ah, 25h
G: T6 B; C1 S6 J N1 s6 y; L mov al, Int_Number (01h or 03h)# s, A- R0 c: z* G0 r! h
mov dx, offset New_Int_Routine
" s- m' J- {5 b Q int 21h! l6 X6 c+ P( i/ ?3 e& B$ X
! i9 A, a; }9 L7 M
__________________________________________________________________________
& u: C0 J8 P8 {: r- X6 |
: F& `' Y9 a5 M2 A! c+ }Method 09
. m7 G s2 L9 ]( S, ~+ i* M& a=========
) P" ]7 R& k( M }, O( Y) j2 c1 o$ }% j; H! G& y+ \$ q
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
) m) H8 l5 Y% x+ W) X) f+ bperformed in ring0 (VxD or a ring3 app using the VxdCall).8 H% M; r# I) r, A% d
The Get_DDB service is used to determine whether or not a VxD is installed4 q/ Z/ w3 Y5 h& ^
for the specified device and returns a Device Description Block (in ecx) for' R6 i( ?" F) i0 M& M
that device if it is installed.
8 \3 o1 x2 c' o+ C% _, X' ]1 K; Y6 \. Z) l# J
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID. [" Y% r0 g- m
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)" W- n% K( F3 d' r+ U+ u
VMMCall Get_DDB3 S$ d# }6 O' ^3 q" ~. G
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
8 P3 }, I. ]" L+ J
' W7 \- y' z8 Y, U4 T3 pNote as well that you can easily detect this method with SoftICE:- w7 E6 f# l; T z- B- z
bpx Get_DDB if ax==0202 || ax==7a5fh; _7 c. P8 N+ @2 h7 w' J0 z7 X
% k9 |6 c' W$ R
__________________________________________________________________________* S( }5 _; \1 P# M+ c F/ l
* Q. ^; E7 q9 p$ V1 R
Method 10
' a4 B/ [" s2 m$ W" b: H8 e=========
* ^! h9 k7 X* x) D0 j- P5 @" C7 d x4 {+ q U$ E
=>Disable or clear breakpoints before using this feature. DO NOT trace with
# v) o* a5 q" M& l2 } SoftICE while the option is enable!!
$ R& Y$ r# n8 m
& E7 y0 \! Q1 D3 C6 j M) fThis trick is very efficient:
, i5 a: T6 k K& gby checking the Debug Registers, you can detect if SoftICE is loaded' l( N5 n' F* A( T
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
3 ~9 S4 V' `* ~4 v" m6 m3 `/ rthere are some memory breakpoints set (dr0 to dr3) simply by reading their+ B9 Z9 n& @/ l; a9 e* e' K
value (in ring0 only). Values can be manipulated and or changed as well
9 O0 [" t; I. Y; i8 ](clearing BPMs for instance)3 u( A% w2 @- v1 `0 t* p. Y
# J& _0 N; Q8 F0 f8 R6 F1 A
__________________________________________________________________________$ x- P5 w1 q/ {: f3 v" ]& Z- g; q
+ P5 X. {/ t: @8 ?0 Z4 F( L
Method 118 t3 `9 Y1 c' s# `1 A6 O/ w; e
=========
: s; f: r% J- B% m3 l) S& a. O0 c |$ x* t' }' `5 E8 _
This method is most known as 'MeltICE' because it has been freely distributed& U9 [( |/ r9 C- H5 N9 ^* I
via www.winfiles.com. However it was first used by NuMega people to allow
$ S4 m$ I1 V8 S7 z. |4 f0 E6 XSymbol Loader to check if SoftICE was active or not (the code is located1 v: W# Y8 R& O' N( @1 Y5 G
inside nmtrans.dll).
4 E6 [7 D# ]% ?% X- _
! b& r3 ?9 B+ u2 ?: v5 l: Q# dThe way it works is very simple:( _$ |2 u4 M- l! o% W6 U/ w4 l
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for/ l* b* S: |0 |) {
WinNT) with the CreateFileA API.8 I' q( y# d2 X$ c
6 G @6 z# `7 D1 M$ Y( A: U
Here is a sample (checking for 'SICE'):1 L0 T; z) C* Y
8 s0 s; a Z& X* M
BOOL IsSoftIce95Loaded()' p3 e1 G. H% v$ {
{( x5 H% G2 P' L" h0 J: I
HANDLE hFile;
1 l: a# H5 p, G: f hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( A t5 |3 G6 C$ x FILE_SHARE_READ | FILE_SHARE_WRITE,1 ]9 e, z. R0 \( T4 r
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. V' z4 A9 \, s/ `6 m7 l4 g if( hFile != INVALID_HANDLE_VALUE ): \$ }) Y& n4 o
{% ?4 m$ S6 i7 A1 X+ C9 V
CloseHandle(hFile);
5 _( M! j( ~4 I" Q5 l return TRUE;
$ w9 u" W+ Q4 |# |3 K8 X! i9 K }$ q3 A( K: z6 U/ {
return FALSE;" Q& S' D5 c9 j
}( m' z( Q; S) f2 H( A
& Y D! A/ M2 ?4 r7 b v, `$ OAlthough this trick calls the CreateFileA function, don't even expect to be. n. z! p& k: ?. ]3 ?' F
able to intercept it by installing a IFS hook: it will not work, no way!
6 E) u) B; u/ a5 P/ w( l2 d4 tIn fact, after the call to CreateFileA it will get through VWIN32 0x001F. q9 g& k3 ]/ @6 [
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
. B P3 z* q% p$ Y( l# ^( L! hand then browse the DDB list until it find the VxD and its DDB_Control_Proc* \1 B; K% @8 j2 Q. D. c" _
field.
: g8 ^ Z+ J7 E# B7 A! y lIn fact, its purpose is not to load/unload VxDs but only to send a
# H' b: s; u' [% z! ?W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)% A3 X2 q- q! t! V+ _3 C; _
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
1 ]( U8 s# V( H3 f( Eto load/unload a non-dynamically loadable driver such as SoftICE ;-).
. ]) Q9 e, E9 `/ r: H3 }& OIf the VxD is loaded, it will always clear eax and the Carry flag to allow) U5 b' ?' {9 |& X; t/ }4 X
its handle to be opened and then, will be detected.
8 j! p0 Z# \! X8 C, }You can check that simply by hooking Winice.exe control proc entry point
! M4 d& u- @( w" g. M1 `/ Vwhile running MeltICE.
& H+ Q U) S0 G1 F6 ^( z+ p/ o. H6 y4 ~! ~+ ^" N
7 ] E( p9 }0 M4 ^; l* x
00401067: push 00402025 ; \\.\SICE8 r' V; B, q9 t
0040106C: call CreateFileA
) I- Y( V3 t+ j( b/ B% o. w1 ^ 00401071: cmp eax,-0016 B1 n" ^1 ~' U5 l! d& d! e
00401074: je 00401091
* Y7 }8 s: ?! S8 V# b, a2 T" O$ o: ^; Z& b( T4 _
' e: [! a* n- k: F$ }! D: `
There could be hundreds of BPX you could use to detect this trick.
( r6 ]: ?8 Y8 o( z8 X! }8 Q4 X-The most classical one is:) y- t! `5 Z; s4 I+ u/ T( K0 J
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||' [" o: O. @, S: p8 C
*(esp->4+4)=='NTIC'
( H: P, l8 g6 K9 w6 e# k' ? J/ \! I
-The most exotic ones (could be very slooooow :-(3 f) K/ L3 X7 N# L5 K
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') % F/ P6 r* {7 E) v( A
;will break 3 times :-(
I' o$ | l4 P( L2 Y5 g$ g- g* c* T, c8 ]6 U
-or (a bit) faster:
* x/ I ]1 l9 ^! r! x" r! V) x+ T BPINT 30 if (*edi=='SICE' || *edi=='SIWV')0 @: C1 i% e4 R& P9 }3 b
; A$ t+ s! O) v. L9 a/ _6 B BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' / k% {; R) t F) F, S
;will break 3 times :-(
( u4 @9 W% l- [
5 `/ A( L: }- h8 |2 M* g-Much faster:
. }& v: D9 h7 D& _ }4 s9 U BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'' S* }2 k- E2 y+ u+ R' I
* D/ \0 a9 `1 N9 O9 C0 g8 e9 lNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
, D8 d0 ^: ~5 Tfunction to do the same job:
& \) h6 G; \5 D# H) Q
2 V, W- f- r, E! ^4 g push 00 ; OF_READ- |* f) t9 t0 k* @" C; I+ W, I
mov eax,[00656634] ; '\\.\SICE',0
. {. r* a$ ^; ~+ y. S push eax" u* B. u Y/ M7 m
call KERNEL32!_lopen
0 J0 g k0 d& V. K inc eax" W2 u- F+ {8 d
jnz 00650589 ; detected
5 \2 G+ V/ n) E- u! _0 r push 00 ; OF_READ! z: r: U& w) t& l( d
mov eax,[00656638] ; '\\.\SICE'+ \' U% z/ o7 y; ~- T
push eax0 m' R: P& C1 C! `, q- m
call KERNEL32!_lopen( g# G7 D5 j# K- g3 C V
inc eax/ b5 E3 ]# s8 }1 P
jz 006505ae ; not detected
. }& D2 t; c% q0 r8 S8 J+ R) _) t
f( |: O2 @! T$ A, ^0 l& P q6 J__________________________________________________________________________
6 F( x2 ~0 t% {4 s! E% J( I. d" O
6 ?$ @2 A$ U9 pMethod 12- N# y* ^3 a* J k
=========" H( L2 h3 j+ x4 z
/ B( w; H' F4 ?7 {2 dThis trick is similar to int41h/4fh Debugger installation check (code 05
# N1 ?* X5 L6 U2 `3 c. r& 06) but very limited because it's only available for Win95/98 (not NT)
, a; C; w2 n& @( F* S8 S" Xas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( P8 g: Q' H7 n* i
3 r. s! z; O% A. z1 e5 h! ~) I push 0000004fh ; function 4fh' ?$ h) {; T9 N+ N
push 002a002ah ; high word specifies which VxD (VWIN32)
3 [1 U/ |' _, F3 a j ; low word specifies which service
7 X9 f e% y6 ? (VWIN32_Int41Dispatch)
- Q0 t/ l Q) Y2 ?. t, i) | call Kernel32!ORD_001 ; VxdCall
. p! d/ J+ B# \) H0 Y cmp ax, 0f386h ; magic number returned by system debuggers* q* c3 ?# p; y- `( l0 f/ B. S
jz SoftICE_detected- G2 a' w) Z) W
& }1 J, J8 h1 v0 X. C2 a# vHere again, several ways to detect it:; }' W, N) s: v
# K7 g- ^/ z9 i3 Q& h
BPINT 41 if ax==4f3 l$ G; w- l& D9 p0 I6 F! a
+ e: o- b! J& E9 {3 u. H h
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one+ k2 I" t* `( V% o$ l" E
/ d- o+ F, g* q6 d$ Y+ S BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
. r" w/ D! O) F% q+ D- R' W) i. W! n3 A
& A1 G, V1 m I0 G+ _% U, }& V: j BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!0 T: \2 E) R. _* V! c. x- D; f: n
) h- J' G4 V' y6 {9 L; X4 ~__________________________________________________________________________5 o, \2 P. d3 e4 {) U
" |; h8 b# t# u6 ^# o( }3 rMethod 13( T( j l" C4 {0 S7 n1 d" }% L
=========% e1 W. x1 l) C6 l' e+ r
0 ]0 s8 p2 ?" wNot a real method of detection, but a good way to know if SoftICE is
# `4 T: H/ ~ A, b5 x9 Minstalled on a computer and to locate its installation directory.; [# ^( N% |; d) s2 F/ ]
It is used by few softs which access the following registry keys (usually #2) : J- ?0 l0 M7 ~3 D$ X
0 }/ z* g* P$ F
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& j. Y6 ?- D) m+ L; _
\Uninstall\SoftICE: \# T7 `% Z; V e/ U T3 H
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
9 L% F; K2 u/ l A' o" r% y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 W: t, c( m4 x) q/ }% v6 g5 G6 @\App Paths\Loader32.Exe7 `, j; x! U! M* i& W6 \' L/ h
: s* j; V( Y/ K; V. P
' M& w8 _# q, v4 `. n1 M# q; S
Note that some nasty apps could then erase all files from SoftICE directory
; Q) U9 n) b1 u+ |, t(I faced that once :-(
) \, i; ]$ V8 q i
* S- G- E9 F7 p# `9 j) v5 kUseful breakpoint to detect it:0 p3 f. Y0 Y' U" }
5 ]/ x1 L: E& a( x) K! L BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'- L6 j- s9 {; q' e
5 C* d+ G( |& B__________________________________________________________________________
' ~& y4 M9 `( @+ K3 r* M5 ^1 D) x7 \* P) |2 e4 u8 I! q8 J
% U# f' D! e. RMethod 14 $ ^$ X) L) O# p t ^6 _+ @' h
=========+ g( s* G E, B+ R' Y4 D1 Y O9 n
; i7 t$ J% y9 y: ]3 C, FA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose' E2 @( z8 H( d4 w- {+ d
is to determines whether a debugger is running on your system (ring0 only).
" w/ ^4 o! U( g- ]" m; n" ?5 q
# }4 V! X8 U7 ?0 t8 z VMMCall Test_Debug_Installed
+ e+ I. [3 E/ |4 c( Y je not_installed) t7 I% o& b( @8 G5 G
. _% @/ ?) w1 [# \& O7 m9 [This service just checks a flag.
. M9 b+ D! |; K" P7 }2 _2 Q; d5 O/ q</PRE></TD></TR></TBODY></TABLE> |