<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises: the
program issues an int 3 with ebp='BCHK' and ax=4; if SoftICE is loaded,
it answers the call and al does not come back as 4.

        mov ebp, 04243484Bh   ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command is the string at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger
  is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI is set to its
API entry point; if it is not, ES:DI stays 0:0 (the code adds ES and DI
as a cheap non-zero test instead of checking them separately).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of WINICE
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This variant first replaces the int 41h
vector with a dummy handler that just does iret: with no debugger present the
dummy runs and ax is left as 4Fh; SoftICE, which intercepts int 41h ahead of
the vector, still answers the call and ax comes back as 0F386h.

        mov bx, cs                 ; (ES must point to the IVT, segment 0,
        lea dx, int41handler2      ;  as set up in Method 06)
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:
the dummy handler copies al into cl, and the caller compares cl with al
afterwards. With no debugger, the dummy handler runs and cl==al; if SoftICE
intercepts the int 41h call instead, the handler never runs and cl stays 0
(from xor cx,cx), so cl!=al means SoftICE is there. The value read from
port 40h (the timer) just gives an al that is hard to predict (a timer
reading of 0 would give a false negative).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (by a VxD, or by a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints (BPMs) are set (dr0 to dr3), simply by
reading their values (in ring0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the open succeeded: the driver is there */
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
The purpose of this path is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025      ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                   ; OF_READ
        mov eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589              ; detected
        push 00                   ; OF_READ
        mov eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall0
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
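The following is an added example and is not part of the original text nor of
any tool it describes: a small C scanner that looks, in a raw code buffer, for
the byte encodings of the checks shown in Methods 01 (int 3 with 'BCHK'),
02 (int 3 with SI=4647h/DI=4A4Dh), 03/04 (int 2Fh/1684h), 05 (int 41h/4Fh
with cmp ax,0F386h), 07 (int 68h/43h) and 12 (push 4Fh / push 002A002Ah).
The byte sequences are the standard 16/32-bit x86 encodings of the
instructions listed in those methods; the function and rule names, the
wildcard for the VxD ID in the int 2Fh rule, the 32-byte window and the two
sample buffers are all assumptions of this example, and the sample bytes are
constructed here, not taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAXPAT 8
#define WINDOW 32   /* every part of a rule must start within this many bytes */

struct part { int len; int b[MAXPAT]; };              /* -1 in b[] = wildcard byte */
struct rule { const char *name; int nparts; struct part parts[3]; };

/* Encodings are the usual 16-bit / 32-bit x86 ones. A 66h operand-size prefix
 * may precede them in the other mode; it is simply not part of the pattern. */
static const struct rule rules[] = {
    /* Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 */
    { "M01 int3/BCHK",         2, { { 5, { 0xBD, 0x4B, 0x48, 0x43, 0x42 } },
                                    { 1, { 0xCC } } } },
    /* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 */
    { "M02 int3 back door",    3, { { 3, { 0xBE, 0x47, 0x46 } },
                                    { 3, { 0xBF, 0x4D, 0x4A } },
                                    { 1, { 0xCC } } } },
    /* Methods 03/04: mov ax,1684h ; mov bx,<VxD id> ; int 2Fh
     * (any VxD id matches; confirm bx==0202h or 7A5Fh by hand) */
    { "M03/04 int2F/1684",     3, { { 3, { 0xB8, 0x84, 0x16 } },
                                    { 3, { 0xBB, -1, -1 } },
                                    { 2, { 0xCD, 0x2F } } } },
    /* Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    { "M05 int41/4F",          3, { { 3, { 0xB8, 0x4F, 0x00 } },
                                    { 2, { 0xCD, 0x41 } },
                                    { 3, { 0x3D, 0x86, 0xF3 } } } },
    /* Method 07: mov ah,43h ; int 68h */
    { "M07 int68/43",          2, { { 2, { 0xB4, 0x43 } },
                                    { 2, { 0xCD, 0x68 } } } },
    /* Method 12: push 4Fh ; push 002A002Ah ; call VxDCall */
    { "M12 VxDCall 2A002A/4F", 2, { { 2, { 0x6A, 0x4F } },
                                    { 5, { 0x68, 0x2A, 0x00, 0x2A, 0x00 } } } },
};
#define NRULES (sizeof rules / sizeof rules[0])

static int part_at(const uint8_t *buf, size_t n, size_t pos, const struct part *p)
{
    if (pos + (size_t)p->len > n) return 0;
    for (int i = 0; i < p->len; i++)
        if (p->b[i] != -1 && buf[pos + i] != (uint8_t)p->b[i]) return 0;
    return 1;
}

/* 1 if all parts of r occur in order, each starting within WINDOW bytes of start. */
static int rule_at(const uint8_t *buf, size_t n, size_t start, const struct rule *r)
{
    size_t pos = start;
    for (int k = 0; k < r->nparts; k++) {
        int found = 0;
        for (; pos < n && pos < start + WINDOW; pos++)
            if (part_at(buf, n, pos, &r->parts[k])) { found = 1; pos += r->parts[k].len; break; }
        if (!found) return 0;
    }
    return 1;
}

/* Scans buf; returns how many rules fired (each reported once). Rule names are
 * stored in hits[] (at most maxhits) and the offset of each hit is printed. */
int scan_softice_checks(const uint8_t *buf, size_t n, const char **hits, int maxhits)
{
    int count = 0;
    for (size_t r = 0; r < NRULES; r++)
        for (size_t off = 0; off < n; off++)
            if (part_at(buf, n, off, &rules[r].parts[0]) && rule_at(buf, n, off, &rules[r])) {
                if (count < maxhits) hits[count] = rules[r].name;
                count++;
                printf("%-24s at offset 0x%zx\n", rules[r].name, off);
                break;
            }
    return count;
}

/* Constructed sample (not from any real binary): a 32-bit Method 01 sequence,
 * some padding, then a 16-bit Method 05 sequence. */
static const uint8_t sample_hit[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh  ; 'BCHK' */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax,4 */
    0xCC,                           /* int 3 */
    0x3C, 0x04,                     /* cmp al,4 */
    0x75, 0x10,                     /* jnz SoftICE_Detected */
    0x90, 0x90, 0x90,
    0xB8, 0x4F, 0x00,               /* mov ax,4Fh */
    0xCD, 0x41,                     /* int 41h */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h */
    0x74, 0x02,                     /* jz SoftICE_detected */
};
/* Constructed clean sample: push ebp ; mov ebp,esp ; mov eax,1 ; pop ebp ; ret */
static const uint8_t sample_clean[] = { 0x55, 0x8B, 0xEC, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3 };

int demo_scan_hit(void)   { const char *h[8]; return scan_softice_checks(sample_hit, sizeof sample_hit, h, 8); }
int demo_scan_clean(void) { const char *h[8]; return scan_softice_checks(sample_clean, sizeof sample_clean, h, 8); }

int main(void)
{
    printf("rules fired in constructed sample: %d\n", demo_scan_hit());    /* 2 */
    printf("rules fired in clean sample:       %d\n", demo_scan_clean());  /* 0 */
    return 0;
}
```

To use it on a real target, read the code section of the packed file into a
buffer and call scan_softice_checks on it. Because every rule ends with the
int/call, the parts are required in order, which keeps false positives low;
the int 2Fh rule is the loosest, since any Get Device API Entry Point call
matches it, so check the VxD ID in the reported mov bx before drawing a
conclusion.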

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all the files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it (offsets 0x13 and 0x37 are where 'tICE'
falls in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>