<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh        ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h              ; VxD ID of winice
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh              ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es must be 0 (the interrupt vector table segment), as set up in the
    ; Method 06 listing
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install a dummy int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al                 ; only reached if SoftICE did NOT take int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; es -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; read a timer byte as a non-zero test value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al                 ; cl != al means our handler never ran
    jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID         ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025    ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxdCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed
This service just checks a flag.
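
As an added example (not code from the original document), here is a small Python scanner that flags the byte patterns of several of the methods above (01, 02, 03/04, 05/06, 07, 11, 12 and 13) in a raw x86 code buffer, the way an analyst triages a packed sample for anti-debugging tricks. The opcode encodings are the standard ones for the instruction sequences shown; the sample buffer is constructed for the demonstration and comes from no real binary.

```python
import re

# Byte-level signatures of the detection idioms catalogued above: standard
# x86 encodings of the page's instruction sequences plus the device and
# registry strings. Patterns run in DOTALL mode so '.' matches any byte.
PATTERNS = [
    ("Method 01: mov ebp,4243484Bh ('BCHK') ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back door)",
     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,6}?\xCC"),
    ("Method 03: int 2Fh/1684h, bx=0202h (SICE VxD ID)",
     rb"\xB8\x84\x16\x66?\xBB\x02\x02.{0,6}?\xCD\x2F"),
    ("Method 04: int 2Fh/1684h, bx=7A5Fh (SIWVID VxD ID)",
     rb"\xB8\x84\x16\x66?\xBB\x5F\x7A.{0,6}?\xCD\x2F"),
    ("Method 05/06: mov ax,4Fh / int 41h (debugger magic 0F386h)",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("Method 11: SoftICE device name for CreateFile/_lopen",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2A\x00\x2A\x00"),
    ("Method 13: NuMega\\SoftICE registry key string",
     re.escape(b"NuMega\\SoftICE")),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in PATTERNS]


def scan(code):
    """Return (offset, method) pairs, sorted by offset, for every idiom found."""
    hits = [(m.start(), name) for name, rx in COMPILED for m in rx.finditer(code)]
    return sorted(hits)


# Constructed sample buffer (not from any real binary): a Method 01 probe,
# a 16-bit Method 02 back-door call and a Method 11 device-name string,
# separated by NOP padding.
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp / mov ebp,esp (prologue filler)
    + b"\xBD\x4B\x48\x43\x42"         # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"             # mov ax, 4
    + b"\xCC"                         # int 3
    + b"\x3C\x04"                     # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x11\x09"                 # mov ax, 0911h  (execute SIce command)
    + b"\x8B\x17"                     # mov dx, [bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A"     # mov si, 4647h / mov di, 4A4Dh
    + b"\xCC"                         # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"              # "\\.\SICE" as passed to CreateFileA
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```

Run over a whole unpacked section the scanner gives the offsets to set breakpoints on, which is quicker than the conditional BPX/BPINT tricks listed above.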
</PRE></TD></TR></TBODY></TABLE>