<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh   ; 'BCHK', the BoundsChecker interface signature
        mov ax, 04h
        int 3                 ; answered by SoftICE when it is loaded
        cmp al, 4             ; AL unchanged: nothing handled the int 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di            ; ES:DI = 0:0 before the call
        mov ax, 1684h         ; int 2Fh function 1684h: get VxD API entry point
        mov bx, 0202h         ; VxD ID of winice
        int 2Fh
        mov ax, es            ; ES:DI -> VxD API entry point
        add ax, di            ; still 0 if no VxD answered
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di            ; ES:DI = 0:0 before the call
        mov ax, 1684h         ; int 2Fh function 1684h: get VxD API entry point
        mov bx, 7a5Fh         ; VxD ID of SIWVID
        int 2fh
        mov ax, es            ; ES:DI -> VxD API entry point
        add ax, di            ; still 0 if no VxD answered
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh           ; int 41h function 4Fh: debugger installation check
        int 41h
        cmp ax, 0F386h        ; magic number returned by a system debugger
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs            ; ES is assumed to point to the IVT (segment 0)
        lea dx, int41handler2
        xchg dx, es:[41h*4]   ; install a dummy int 41h handler, keeping the
        xchg bx, es:[41h*4+2] ; old vector in BX:DX
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]   ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h        ; the dummy handler leaves AX alone, so only a
        jz SoftICE_detected   ; system debugger can have returned 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al            ; dummy handler: copies AL into CL
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax            ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]   ; install the dummy int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h            ; a varying byte from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]   ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al            ; CL == AL only if our dummy handler ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; int 21h function 25h: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD answered the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025      ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
        je not_installed

This service just checks a flag.
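
Added example, not code from the original text: a small Python triage scanner
that searches a raw code/data blob for the byte-level signatures of the checks
listed in Methods 01 to 13 (the 'BCHK' constant, the back-door magic values,
the int 2Fh/1684h VxD-ID queries, the int 41h/4Fh and int 68h/43h magic-number
checks, the VWIN32 VxDCall service code, the MeltICE device names and the
NuMega registry key), so an analyst can see which of these tricks a sample
carries before stepping into it. The instruction encodings assumed (16-bit for
the DOS snippets, 32-bit for the Win32 ones) and the sample blob are mine.

```python
import re

# Byte-level signatures of the checks described in Methods 01-13.  The DOS
# snippets are assumed to be 16-bit code (mov r16, imm16 = B8+r iw;
# int n = CD ib; cmp ax, imm16 = 3D iw), the Win32 ones 32-bit code.
# ".{0,N}" allows a few unrelated bytes between the instructions of a check.
SIGNATURES = {
    "Method 01: 'BCHK' BoundsChecker constant (int 3)":
        re.compile(rb"\x4B\x48\x43\x42"),                      # 'BCHK' as imm32
    "Method 02: back-door magic SI=4647h / DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.S),
    "Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)":
        re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x02\x02.{0,8}\xCD\x2F", re.S),
    "Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        re.compile(rb"\xB8\x84\x16.{0,8}\xBB\x5F\x7A.{0,8}\xCD\x2F", re.S),
    "Method 05: int 41h/4Fh answered with 0F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}\x3D\x86\xF3", re.S),
    "Method 07: int 68h/43h answered with 0F386h":
        re.compile(rb"\xB4\x43\xCD\x68.{0,16}\x3D\x86\xF3", re.S),
    "Method 11: MeltICE device name":
        re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)"),           # \\.\SICE etc.
    "Method 12: VWIN32 VxDCall service 002A002Ah":
        re.compile(rb"\x68\x2A\x00\x2A\x00"),                  # push 002A002Ah
    "Method 13: NuMega registry key":
        re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(blob):
    """Return a sorted list of (offset, method) for every signature hit."""
    hits = []
    for method, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), method))
    return sorted(hits)


# Constructed sample: the Haspinst-style back-door sequence (Method 02), the
# simple int 41h/4Fh check (Method 05), a MeltICE device name (Method 11) and
# the NuMega registry key (Method 13), separated by filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"          # mov ax, 0911h / mov dx, [bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov si, 4647h / mov di, 4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax, 4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"          # cmp ax, 0F386h / jz SoftICE_detected
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```

Run it over a real DOS or Win9x binary by replacing SAMPLE with the file's bytes; a hit only says the instruction sequence is present, so confirm it under the debugger with the BPX lines given above for each method.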
</PRE></TD></TR></TBODY></TABLE> |