<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h        ; VxD ID of winice
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh        ; VxD ID of SIWVID
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
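The two DR7 values quoted above can be read bit by bit. The decoder below is an added example, not code from the original text: it follows the DR7 layout documented in the Intel SDM (per-slot L/G enable bits 0-7, LE/GE at bits 8-9, the always-set reserved bit 10, GD at bit 13, R/W and LEN pairs from bit 16). The helpers build_dr7 and classify_dr7 are illustration code whose names are mine; classify_dr7 only applies the heuristic the text states.

```python
# Added example: decode the x86 DR7 debug-control register so the values the
# text quotes (0x700 with the SoftICE loader, 0x400 otherwise) are readable.
# Bit layout per the Intel SDM; helper names are this example's own.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes, 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control bits and the four per-slot settings."""
    info = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: trap MOV to/from DRx
        "slots": [],
    }
    for n in range(4):
        local_en = bool(dr7 & (1 << (2 * n)))
        global_en = bool(dr7 & (1 << (2 * n + 1)))
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["slots"].append({
            "index": n,
            "enabled": local_en or global_en,
            "scope": "global" if global_en else ("local" if local_en else None),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def active_breakpoints(dr7: int) -> list:
    """Indices of the DR0..DR3 slots DR7 currently enables (what a BPM arms)."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def classify_dr7(dr7: int) -> str:
    """The heuristic stated in the text: 0x700 = loaded via the SoftICE loader,
    0x400 = plain load; any enabled slot = a memory breakpoint is armed."""
    if active_breakpoints(dr7):
        return "hardware breakpoint armed"
    if dr7 == 0x700:
        return "softice loader"
    if dr7 == 0x400:
        return "no debugger signature"
    return "unknown"


def build_dr7(slot: int, access: str, length: int, global_scope: bool = False) -> int:
    """Constructed helper, the inverse of decode_dr7: the DR7 value a debugger
    would write to arm one slot (reserved bit 10 kept set)."""
    rw = {v: k for k, v in RW_NAMES.items()}[access]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable_bit = 1 << (2 * slot + (1 if global_scope else 0))
    return (1 << 10) | enable_bit | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    for v in (0x400, 0x700, build_dr7(0, "write", 4)):
        d = decode_dr7(v)
        print(f"DR7={v:#010x}: {classify_dr7(v)}; LE={d['LE']} GE={d['GE']} "
              f"armed={active_breakpoints(v)}")
```

Reading the result the way the text does: 0x400 is just the reserved bit, so nothing is armed and no exact-match flags are set; 0x700 adds LE and GE; a value such as build_dr7(0, "write", 4) is what a 4-byte write BPM in DR0 looks like, which is exactly the kind of value a protected program reads back or clears.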
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

   00401067: push 00402025        ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp eax,-001
   00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                   ; OF_READ
        mov eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589              ; detected
        push 00                   ; OF_READ
        mov eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae               ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh            ; function 4fh
        push 002a002ah            ; high word specifies which VxD (VWIN32)
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001     ; VxdCall
        cmp ax, 0f386h            ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

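Most of the tricks above leave fixed immediates or device names in the binary: the 'BCHK' constant of Method 01, the 4647h/4A4Dh pair of Method 02, the 1684h/VxD-ID pair of Methods 03 and 04, the 0F386h compare of Methods 05, 07 and 12, the push 4Fh / push 2A002Ah sequence of Method 12, and the \\.\SICE, \\.\SIWVID and \\.\NTICE names of Method 11. The scanner below is an added example, not code from the original text or from any of the programs it names: it matches those byte patterns in a file image so a sample can be triaged for these checks without running it. It assumes the standard x86 encodings (B8+r imm16 for mov reg,imm in 16-bit code, an optional 66h operand-size prefix in 32-bit code) and the buffer at the bottom is hand-assembled for the demonstration, not taken from any real sample.

```python
# Added example (not from the original text): static scan of a file image for
# the constants the SoftICE detection methods above leave behind.
# Opcode encodings assumed: B8+r imm16 (mov ax/si/di/bx,imm), BD imm32 (mov ebp),
# 3D imm16 (cmp ax,imm), 6A ib / 68 id (push), optional 66h prefix in 32-bit code.
import re

# (label, method numbers as used in the text, byte pattern)
SIGNATURES = [
    ("mov ebp,'BCHK' BoundsChecker probe", (1,),
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("SI=4647h / DI=4A4Dh backdoor magic", (2,),
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"),
    ("int 2Fh/1684h with bx=0202h (SICE)", (3,),
     rb"\xB8\x84\x16\xBB\x02\x02"),
    ("int 2Fh/1684h with bx=7A5Fh (SIWVID)", (4,),
     rb"\xB8\x84\x16\xBB\x5F\x7A"),
    ("cmp ax,0F386h debugger magic", (5, 7, 12),
     rb"\x66?\x3D\x86\xF3"),
    ("device name \\\\.\\SICE", (11,), re.escape(b"\\\\.\\SICE")),
    ("device name \\\\.\\SIWVID", (11,), re.escape(b"\\\\.\\SIWVID")),
    ("device name \\\\.\\NTICE", (11,), re.escape(b"\\\\.\\NTICE")),
    ("push 4Fh / push 2A002Ah VxDCall Int41Dispatch", (12,),
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(label, methods, re.compile(pat, re.DOTALL))
            for label, methods, pat in SIGNATURES]


def scan(buf: bytes) -> list:
    """Return one (offset, label, methods) tuple per signature hit, sorted by offset."""
    hits = []
    for label, methods, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), label, methods))
    return sorted(hits)


def detected_methods(buf: bytes) -> set:
    """Set of method numbers (numbering of the text) the buffer shows evidence of."""
    return {n for _, _, methods in scan(buf) for n in methods}


# Hand-assembled sample (constructed for this demo), several checks in a row
# separated by NOP padding:
SAMPLE = (
    b"\x90" * 8
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 4
    # Method 02: mov ax,911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 4
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"
    + b"\x90" * 4
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    # Method 11: device names as they would sit in the data section
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
)

if __name__ == "__main__":
    for off, label, methods in scan(SAMPLE):
        tag = "/".join("%02d" % m for m in methods)
        print(f"{off:#06x}  method {tag:<10} {label}")
    print("methods with evidence:", sorted(detected_methods(SAMPLE)))
```

The 0F386h compare is shared by several methods, so it is reported with all of them and the other hits narrow it down; the 16-bit and 32-bit forms both match because of the optional 66h prefix. The patterns are byte-exact, so a packer that builds these constants at run time (xor'ed, split into two moves) will not be found this way; that is the usual limitation of static signatures, and dynamic breakpoints like the BPX/BPINT conditions quoted in the text cover that case.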
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>