<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2 ; temporarily point int 41h at a dummy handler
 xchg dx, es:[41h*4] ; (assumes ES = 0, i.e. the interrupt vector table)
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* open the SoftICE VxD by its device name */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the open succeeded, so the driver is loaded */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
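As an added example (not part of the original text), here is a small C signature scanner an analyst can use to flag the tricks listed above in a code blob: it matches the x86 encodings of the constants the text quotes (the 'BCHK' immediate, the SI/DI magic values, int 2Fh/1684h, int 41h/4Fh, int 68h/43h, the 2A002Ah VxDCall and the \\.\SICE device name). The patterns assume the 16-bit DOS form shown in the snippets; the sample blob is constructed for the demo.

```c
/* Added example: flag SoftICE-detection tricks by byte signature.
 * Build: cc -std=c99 -o scan scan.c */
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const unsigned char *pat; size_t len; } sig_t;

/* Immediates are little-endian: 'BCHK' = 4243484Bh is stored as 4B 48 43 42 */
static const unsigned char s01[] = {0xBD,0x4B,0x48,0x43,0x42};               /* mov ebp,4243484Bh            */
static const unsigned char s02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};          /* mov si,4647h / mov di,4A4Dh  */
static const unsigned char s03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h/bx,202h/int 2Fh */
static const unsigned char s05[] = {0xB8,0x4F,0x00,0xCD,0x41};               /* mov ax,4Fh / int 41h         */
static const unsigned char s07[] = {0xB4,0x43,0xCD,0x68};                    /* mov ah,43h / int 68h         */
static const unsigned char s12[] = {0x68,0x2A,0x00,0x2A,0x00};               /* push 2A002Ah (VWIN32 call)   */
static const unsigned char s11[] = "\\\\.\\SICE";                            /* MeltICE device name          */

static const sig_t sigs[] = {
    {"M01 BoundsChecker 'BCHK' / int 3", s01, sizeof s01},
    {"M02 back door magic SI/DI",        s02, sizeof s02},
    {"M03 int 2Fh/1684h VxD 0202h",      s03, sizeof s03},
    {"M05 int 41h/4Fh",                  s05, sizeof s05},
    {"M07 int 68h/43h",                  s07, sizeof s07},
    {"M12 VxDCall 2A002Ah",              s12, sizeof s12},
    {"M11 MeltICE \\\\.\\SICE",          s11, sizeof s11 - 1}, /* drop the NUL */
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Bit k of the result is set when sigs[k] occurs anywhere in buf. */
unsigned scan_softice_tricks(const unsigned char *buf, size_t n) {
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        for (size_t i = 0; i + sigs[k].len <= n; i++)
            if (memcmp(buf + i, sigs[k].pat, sigs[k].len) == 0) { hits |= 1u << k; break; }
    return hits;
}

/* Constructed sample: the Method 01 check (16-bit code, 66h prefix), some
 * filler, the MeltICE device string, then the simplest Method 05 check. */
unsigned scan_sample(void) {
    static const unsigned char blob[] = {
        0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
        0x90,0x90, '\\','\\','.','\\','S','I','C','E',0,
        0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05 };
    return scan_softice_tricks(blob, sizeof blob); /* bits 0, 3 and 6 -> 0x49 */
}

int main(void) {
    unsigned hits = scan_sample();
    for (size_t k = 0; k < NSIGS; k++)
        if (hits & (1u << k)) printf("found: %s\n", sigs[k].name);
    return 0;
}
```

A 32-bit build of the same tricks carries 66h operand-size prefixes between the instructions, so those variants need their own patterns.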
</PRE></TD></TR></TBODY></TABLE>