<TABLE width=500>" f" f1 p" t* c7 E
<TBODY>
" }6 F5 a: T3 C6 B/ A" x3 m<TR>
6 c, X$ P# K. d<TD><PRE>Method 01
" U: x n, a& q/ X X I) r=========
& v! c# R0 {9 j. D( ^% \- {
' v& W% t% `" ~* |) zThis method of detection of SoftICE (as well as the following one) is2 T6 W6 q& j8 J6 @' Z( t o8 ]% U5 o
used by the majority of packers/encryptors found on Internet.
0 P% s* E7 P. m" tIt seeks the signature of BoundsChecker in SoftICE6 r9 W; s% B5 Q8 y4 r/ }
$ p" I1 w; u, o0 o; K$ [
mov ebp, 04243484Bh ; 'BCHK'
+ w( ]5 f* V3 K8 h2 z mov ax, 04h
0 v- T& a0 ?/ W5 \- q& ^& A$ N int 3
. V% Y' k! O, F; |3 Q y cmp al,4( e+ s" d( Y; v/ H+ S9 [+ ]
jnz SoftICE_Detected2 R) }2 `+ }; [
2 b" O2 |4 r5 {$ D
___________________________________________________________________________
( n+ a. Y( l5 i: I+ r+ ]+ F' H/ v: m6 @4 Q4 v
Method 02% A* F" m) d# i" c# G2 j
=========
! P/ h* U% J9 Y ?6 e, [$ a5 e2 ^% j9 a0 K
Still a method very much used (perhaps the most frequent one). It is used
' }( k8 {/ j/ Q v' E0 tto get SoftICE 'Back Door commands' which gives infos on Breakpoints,1 Y- O- f, F) C' V4 W0 z
or execute SoftICE commands...
3 p F P9 j+ D. CIt is also used to crash SoftICE and to force it to execute any commands
4 E) N s8 X1 I! F(HBOOT...) :-((
% m3 E2 z8 `6 ^ x, k7 R" H$ d' h. B( P$ B" o& z5 Y, a
Here is a quick description:
; g# F6 b/ Z% r1 \$ r-AX = 0910h (Display string in SIce windows)
+ w3 K7 G5 r+ i- s, _0 m-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)# o8 `& E& w2 L1 Z( z9 f
-AX = 0912h (Get breakpoint infos)
5 {. d4 `. @% M( t& N-AX = 0913h (Set Sice breakpoints)- \0 R1 X: I0 o( c3 ?, ]
-AX = 0914h (Remove SIce breakoints)4 U$ K( e: g8 u* E
8 k# k% f Q5 g' i+ h: kEach time you'll meet this trick, you'll see:
. l3 g9 _: M) ]: d-SI = 4647h0 M) Z0 Z2 `3 H$ N! P) Y3 W
-DI = 4A4Dh
5 S7 e! |+ z6 HWhich are the 'magic values' used by SoftIce.. g' z n$ g: ?
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. R7 Q- ]" C& |( ^. F# d; ~ E% ]* `$ j
Here is one example from the file "Haspinst.exe" which is the dongle HASP
7 D( z9 _) k& Q+ |5 G. P) B# @3 TEnvelope utility use to protect DOS applications:
7 _( ~ a$ s% o O' m* M' g
0 a, y% u" y) N; m! V3 Q# [3 }: s- O% C8 G
4C19:0095 MOV AX,0911 ; execute command.( E+ Q/ h8 d/ b( R% [
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).7 U+ R( j* A: x7 f
4C19:009A MOV SI,4647 ; 1st magic value.3 n$ m% p* t4 n; T( [2 ]8 }
4C19:009D MOV DI,4A4D ; 2nd magic value.) |3 j' R1 @- c5 R8 Z- F! z
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& R8 I0 q( I) O8 t1 }4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
3 v( U6 x3 n( |( {! a; j4C19:00A4 INC CX
8 w: R9 {, ?* _1 i4 C; m$ R4C19:00A5 CMP CX,06 ; Repeat 6 times to execute( u+ U4 z9 f' U( f1 a. d; G
4C19:00A8 JB 0095 ; 6 different commands.
; S2 _6 {- F+ y( b6 ^& k& o" i4C19:00AA JMP 0002 ; Bad_Guy jmp back.- Z+ n- m; P# r& P; f
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
+ w d% J+ p3 e& t8 V% W
5 \( _: w! _& \! RThe program will execute 6 different SIce commands located at ds:dx, which- Y- \3 H% h1 l$ C) j' J
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
. ?: N. p- v" N: _2 H& c
% w) Q8 v; c: V- E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
" x U" K n( z* D+ e4 }; A3 M5 Z___________________________________________________________________________; q$ E s/ R1 K6 J4 C
$ O' W: w4 O; x+ p. [, @. j- q6 }% ^4 B: U ]5 v
Method 03$ I4 f2 F: N: p' n" h8 H3 }- I. T& X
========= k5 g% k m' v9 A0 C6 F6 F" P. a
; F1 [7 \9 V. O3 p# wLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( j; F4 `5 o0 O* ?% F(API Get entry point)
; E4 C) b. D' @ \, h/ X ( s6 X8 z( a# h+ W# H# G$ ^$ J1 V, n
^8 D+ u9 E- {9 S
xor di,di
, I* J- ?3 ]3 r! ]0 J% `$ ]% z- T mov es,di
/ d# Z/ P0 e0 z' E mov ax, 1684h M# Y" W6 d, n" y
mov bx, 0202h ; VxD ID of winice
+ f; J( e! `1 X int 2Fh
# K7 L- S- _ g c mov ax, es ; ES:DI -> VxD API entry point
, D g& S2 p2 T1 {* \& E5 T* E add ax, di
# `0 k m3 [! a5 R) E test ax,ax
8 J4 ~! A* t; M* p) U2 ?* H# E jnz SoftICE_Detected
6 W/ J6 w* U5 l9 i
) j. v$ i6 @$ O___________________________________________________________________________9 e( D8 X- I6 G6 A5 {0 f+ M
: n( `7 v* L0 u3 y0 U7 @
Method 04
' S6 q' v* G [- U2 ] z=========# B' f8 b3 f; b. X" m2 N, J' x5 k
% o& D8 X7 G+ ?& @$ [
Method identical to the preceding one except that it seeks the ID of SoftICE2 d4 T) E: A) [$ U6 _- j
GFX VxD.
1 l% |6 g6 n7 n1 F7 g* f! Y0 h: }5 d8 p+ z7 v$ P3 p6 ^
xor di,di
! ~9 M) ?2 W3 i& {- `; A) K: ?7 E6 D mov es,di5 o& x% ?5 z; Z0 X0 D2 f3 a
mov ax, 1684h 0 Y, t+ S7 m. R, ]2 Z( @) m
mov bx, 7a5Fh ; VxD ID of SIWVID
' }# [' q! T( y) i4 m2 Q, N$ O int 2fh( S" N5 j0 y$ k* d( x# z5 R+ U) J
mov ax, es ; ES:DI -> VxD API entry point3 u( q( |; Q: E0 ^
add ax, di! }* ?% P K' i; e6 O, i3 U, T
test ax,ax3 B- ] y7 ?3 D3 m) S
jnz SoftICE_Detected$ g7 f. W- \& X5 Z7 R
& `6 r: Y0 B: F& c' ^5 C) E I__________________________________________________________________________
1 z9 h6 l" z% j% Z% ~- j$ O
0 g1 c1 o( l Z. }; J- \5 `) D' v
Method 052 V& K+ B0 {9 e% _
=========- o3 o7 i# j* u1 P: P4 J
2 k5 v3 A' C& f! @; SMethod seeking the 'magic number' 0F386h returned (in ax) by all system
* J& _) U+ z$ ^& _% j4 D3 Ndebugger. It calls the int 41h, function 4Fh. R% e! b; f) U/ {2 v) j
There are several alternatives. 9 n S9 O5 |+ d
! G1 v! R& M. j
The following one is the simplest:
( I# ]. g. N9 L$ J+ Q/ z/ n1 `# H
) |+ R& p% o) G% J' [3 D7 ~ mov ax,4fh% S9 |( A4 S& [( G5 \, C4 k0 @6 y; J4 W
int 41h
$ S$ A. L& \: l+ J0 [" ~" d r cmp ax, 0F386/ a5 t8 S# j+ c/ z; W% e& @% S6 _4 @
jz SoftICE_detected. ~/ m' X# X2 U$ v) U% l
$ ]; V$ x* u! U Z1 `- S+ w) `) o* u1 s" z4 @5 |2 o, j+ h9 v
Next method as well as the following one are 2 examples from Stone's ( J/ ^" `2 A8 H6 v1 M1 T; A. a
"stn-wid.zip" (www.cracking.net):
3 l6 R" K9 C! J1 a5 }
' W% K) t- Y! K( m mov bx, cs
& F5 A6 D, k$ ~) B lea dx, int41handler26 h% k9 |. v) T3 s* x6 j( s
xchg dx, es:[41h*4]
: a- z1 V! j) v$ y4 S) a* T; F+ S xchg bx, es:[41h*4+2], S( f+ n6 w. }: B# [
mov ax,4fh) L& {9 n8 J+ u! ^
int 41h
% F4 A1 {* P3 v e0 N2 ^5 q xchg dx, es:[41h*4]0 P+ G6 \" o. t6 ^* z9 Z/ s6 ]9 Q
xchg bx, es:[41h*4+2]7 C u1 t$ x. i2 g( I
cmp ax, 0f386h
9 j. U: u9 n1 @! ~% O- U, c jz SoftICE_detected! g% E( M4 [8 Z% @
1 g6 `3 j" R* ~5 l d A
int41handler2 PROC
6 n0 f+ J4 a( D5 p9 A; w iret3 }* ]$ P" ?1 _6 h' k# h( p
int41handler2 ENDP
7 d& w" c' Z X5 U3 l+ V: r8 S) M3 `
- {! c3 @- W( l3 y! J# h
_________________________________________________________________________
9 R% P) c* z: m) v; m+ t0 h
; l# {: i' H# k6 i) P& ?/ ^7 c8 N# L2 M% ^
Method 068 c6 L9 S7 i& L' n
=========* W+ n2 R6 y9 t% z: i g% A
/ b: J7 x; y- |; P
% ^% ^) B6 v7 h% n6 v2nd method similar to the preceding one but more difficult to detect:- l- U8 N, z& m4 {
- e: u# r: e r4 z% ~, }: B
- ]% Y- e7 l, z# x+ [; q& O0 Vint41handler PROC
. q- q( C, u4 r( F# U mov cl,al
% O) u& m& X1 ]9 W iret
- `5 b4 v% k8 y$ tint41handler ENDP+ H' P- c; K' M1 n# B
, B8 D# }* }- ~4 I* U' [ F
u* b: T$ b6 p: U$ F4 H xor ax,ax% k2 t; s' z5 X- O0 T% N
mov es,ax
7 S. `0 C9 Y7 A8 r' q mov bx, cs- ^( j+ s! N. d0 j$ o5 ^: _
lea dx, int41handler
% O, I- N$ M8 N xchg dx, es:[41h*4]) D1 N( h9 F: x
xchg bx, es:[41h*4+2]
$ [$ t! Q; Q0 d9 {6 | in al, 40h# G. T* G( }( B6 Q; h
xor cx,cx
, g, j5 z# P$ h, i" @ int 41h
2 {. u; M" N2 {$ h- h1 ?5 r xchg dx, es:[41h*4]
2 ? @ L5 B. o xchg bx, es:[41h*4+2]% j+ l: q Q/ {" |1 r
cmp cl,al
& L. H$ f0 L! k: h jnz SoftICE_detected
2 h( y% x7 X, ^0 e1 \* `0 p9 l/ C5 p% Z
_________________________________________________________________________+ B9 h; f8 N4 f3 Q% ^0 _ {
; j$ ^! g( Z) P/ z8 o" @
Method 07; G; S% T+ T2 t* R c
=========
: e# `0 u3 w, t/ ` r; q M* s( P
9 B# e8 b5 E$ m. h) m! V+ B+ `Method of detection of the WinICE handler in the int68h (V86)
9 F* g& u3 d& M8 k$ K$ g# V% a' I- P- ~2 O4 }
mov ah,43h
3 x0 a+ M) a, ]6 t int 68h0 L" C, ^3 L E
cmp ax,0F386h
2 Y, C7 v7 @# z! M* l8 e! ` jz SoftICE_Detected9 ~ G* G$ C3 E* I9 p, o& l! @
% R# K$ g6 _4 c; f" o0 n4 a) t0 K! [, k+ r9 Z0 }% Q
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: v% O2 |3 L. m7 O
app like this:" r4 ~$ z# R# x/ v6 S
% ]9 H! K! E% E: a* \ BPX exec_int if ax==68
% F' X4 y/ m$ g( J% ^# y2 X2 J (function called is located at byte ptr [ebp+1Dh] and client eip is4 A* D. n G! t9 I1 _
located at [ebp+48h] for 32Bit apps); y* j" K6 t' @2 I1 A8 H6 _% V7 S
__________________________________________________________________________
$ h9 j+ a8 s+ j1 a5 B: ]: H( |& `5 `" D9 U
, b. {( P& d; |: ^6 ?6 R
Method 08
5 R& K7 I5 w; A& N& b' R=========2 D2 e) m1 \3 i3 L
* W2 q2 M6 _! m5 ~/ v3 @
It is not a method of detection of SoftICE but a possibility to crash the
& f9 U- Y! { C( p, q h+ M- |& wsystem by intercepting int 01h and int 03h and redirecting them to another
/ A! v# j0 s) R0 proutine.
+ V+ e8 i* f0 {) a$ e1 qIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
6 @8 }. J+ \9 J! E: y- p) Yto the new routine to execute (hangs computer...)
! M: x; ]8 ~# J$ \+ T' q
5 Z3 a. g$ {$ s$ K* D, V# T& H& R mov ah, 25h
7 ]- J0 `. W: m* ^7 q mov al, Int_Number (01h or 03h)1 b+ s8 @/ G( s& d* t Y; {
mov dx, offset New_Int_Routine# Z4 t/ J1 e( C# L5 z/ o8 w1 o
int 21h" ?% V2 Z# K3 z) o* u4 l' B
- ~! B% c$ ?0 P2 W) N3 U7 }
__________________________________________________________________________
/ Q! Y5 q" C( {7 Q4 _2 |# r$ U( X: F* r+ V6 D1 e! L
Method 09
( U1 V" B5 A. ^) S% @=========7 a4 z# A2 { d
1 E5 k$ D5 }* PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
6 A; [' L V* D& f4 ?performed in ring0 (VxD or a ring3 app using the VxdCall).
( n" l2 q/ X8 W( [# K/ xThe Get_DDB service is used to determine whether or not a VxD is installed
) o# S) X& }& N4 n: l! F8 S5 Hfor the specified device and returns a Device Description Block (in ecx) for5 \9 g( \: a+ Z o
that device if it is installed. v1 k* H& N* }" t. i$ [, ` v% T
5 f* y* A9 n9 Q* F3 u! R
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 E: N3 i: z+ P8 j; ]4 \* G mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, z( g1 R4 F4 N( j5 B VMMCall Get_DDB& J, m1 v* P( C: V6 C" s/ }
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed" a$ c! ~ `0 }2 H
1 ^! F. q# @. U3 p" J& p# [' s% J
Note as well that you can easily detect this method with SoftICE:
|; S. G* R g/ u# f. c bpx Get_DDB if ax==0202 || ax==7a5fh
6 J! O$ v( I& L4 H9 P( a+ f4 b0 a2 s: F2 \. p, A& [$ t
__________________________________________________________________________; x& \ y4 V/ J, O! G
; K9 A2 A4 x( W) C
Method 105 E: H" w' \# W/ _( ^7 k( G
=========9 e3 a9 _ |0 V! Z! W
3 c( V7 d! H$ N) `5 `" ~
=>Disable or clear breakpoints before using this feature. DO NOT trace with
, R/ B; u3 V4 N, j) q5 \( s SoftICE while the option is enable!!" l4 H3 c$ \' s; J; i, I" p2 e) P
) `, e* b5 O0 @This trick is very efficient:. d j% O# T, Y! t/ B! N
by checking the Debug Registers, you can detect if SoftICE is loaded8 `" D1 v; J0 P# ~2 O! s
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
4 N9 g$ b% V w _there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 o3 ]$ e8 X- M3 wvalue (in ring0 only). Values can be manipulated and or changed as well
% d5 w! S& P S/ b(clearing BPMs for instance)5 K) Q7 @+ G; o( b* v" q5 n% F
s; p6 X3 R9 N+ S) W, F0 U# W0 c
__________________________________________________________________________. e" Y, X! V/ Y$ i5 F C1 W4 n
( M! q& v( _. l: r( N# H: T
Method 11
/ e0 d ?& M* Q- R=========
' W4 A+ |$ w u0 {: d6 l) t
$ V. i# M- `2 [# l' `This method is most known as 'MeltICE' because it has been freely distributed/ t! s1 E- G! `. i8 ~& U4 y
via www.winfiles.com. However it was first used by NuMega people to allow$ W2 q0 G3 |- D3 h/ D( v
Symbol Loader to check if SoftICE was active or not (the code is located' y# ~; l7 p9 v" w) v. i
inside nmtrans.dll).
* C, D, S1 F a9 J' C% L8 f
% ^& l- X% U. h6 O9 C6 I3 ^. PThe way it works is very simple:. `" h3 \4 ?! b+ r8 d
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for/ _6 M# l' J5 v0 X. ? k f# {% B
WinNT) with the CreateFileA API.
! |% k% O& S2 X, e! C: K; J# ~) M7 B* K1 T
Here is a sample (checking for 'SICE'):" O3 e3 S/ \: C
+ j7 k5 ]/ a! g7 JBOOL IsSoftIce95Loaded()
' y; u& P S i3 o' |' L# x{
1 w1 z# I- g# Z- [ F HANDLE hFile;
# E5 F8 D% k1 e$ r2 k' I hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,1 O5 ]/ O: q& m$ ?
FILE_SHARE_READ | FILE_SHARE_WRITE,
/ a; i" k) c% j( L# W NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1 q: o0 z% O# g4 Q: O- A if( hFile != INVALID_HANDLE_VALUE )4 N8 {8 i& m- g
{- C# G9 j5 D5 |% o) W3 Y
CloseHandle(hFile);; `" T) R, p8 H0 T, C; Z% h
return TRUE;2 Y* Y& g* t6 z' ~- y5 B) l
}# O! o3 T. W: F" D+ z3 [# j
return FALSE;6 Y. P* D0 e; u: j& w
}7 g/ @; H' t3 y: v Y" D; S
7 _1 t9 q1 J; ]! \
Although this trick calls the CreateFileA function, don't even expect to be: t3 B# v/ a$ \' s; n1 C$ c
able to intercept it by installing a IFS hook: it will not work, no way!
O* V# z$ w7 a8 q: aIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
5 K8 u! B) J8 x. ]service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
9 k, f* ^2 T& ]$ Z9 Kand then browse the DDB list until it find the VxD and its DDB_Control_Proc! Z8 N" Z8 L6 h6 }+ y
field.
" ` g, }6 {, j' U3 b+ YIn fact, its purpose is not to load/unload VxDs but only to send a
: T! ^: [* |* Z) Y$ j# E8 YW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! k0 i( _ V+ A
to the VxD Control_Dispatch proc (how the hell a shareware soft could try: y% o, r- B' @$ Y7 ?
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 c* p' P+ V9 }: OIf the VxD is loaded, it will always clear eax and the Carry flag to allow
" g9 U; a. \0 wits handle to be opened and then, will be detected.
! `0 c0 m3 Q2 T4 ^8 oYou can check that simply by hooking Winice.exe control proc entry point
+ p* q2 Z0 ]. C! F% P0 twhile running MeltICE.4 l. g7 e1 i4 x; e- V' o: ]9 C, B5 W
: E' F0 ~. H: `/ m* O7 v' Y
$ G+ e! q6 X0 D! X, T5 ?% D 00401067: push 00402025 ; \\.\SICE% k! _0 i: d9 w
0040106C: call CreateFileA
+ l. w9 c0 V! d2 r; ~' c 00401071: cmp eax,-001
+ `# O) L7 ~) y0 D 00401074: je 004010913 M3 @$ M* l T, G; B8 k
+ E9 F9 i! `$ ~& l
$ n. _% u/ \) `( P8 C7 E" XThere could be hundreds of BPX you could use to detect this trick.
, ^+ S2 N2 ^' j" d& G% f# k2 R-The most classical one is:
4 B* f0 f0 q7 r2 Q0 n6 Y- L; q BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
" e# H+ g4 q( c& z *(esp->4+4)=='NTIC'
& ]8 J& i1 K6 H; L5 s- O9 Q8 T# W3 [) V; n, x% c
-The most exotic ones (could be very slooooow :-(
9 a9 c8 b4 M3 q# Z5 z BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
8 `" G' g/ k- j8 D( |! M ;will break 3 times :-(
0 d; s8 Y) w# a" w& b
4 d+ f( E/ w' I2 @ [/ w$ [-or (a bit) faster: " J" Q4 }( a& @4 m( N. t
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')) ^" g7 m5 `1 ?
. [) w8 M; @/ `
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
; K$ j# N& {9 |; S | ;will break 3 times :-(
1 Q/ m. g: h/ u, p- e- ~- Y' k/ v5 U
-Much faster:
W$ v! J- ]; s BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'- A" K# ^' ~; E3 O- k+ Z
. n$ r) R9 P4 J% C0 |/ {# y( w. x
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen5 S" i; y2 G$ E8 p
function to do the same job:
/ z- q; F% P: n" I
2 i8 H. W9 J* W' Y- G( r% E4 j$ g; u push 00 ; OF_READ, W# c& x3 O7 r' ?/ Q# O+ f
mov eax,[00656634] ; '\\.\SICE',0
+ b4 Z* { o5 x; x* J! h( [) p5 l push eax: ~9 S9 |8 p( c4 L( C M( u
call KERNEL32!_lopen
/ T3 v: {7 g+ C6 R7 R) C) ]4 G! K inc eax1 F/ F6 e( N2 l3 k# m# _. k! s( ^
jnz 00650589 ; detected {; `' i# q5 s! @/ U% H
push 00 ; OF_READ: z6 n. M; ~ K, A% i- H( U4 q+ {9 K
mov eax,[00656638] ; '\\.\SICE'
9 T8 t5 Y- J9 M push eax3 w: P$ H' t X) K! R
call KERNEL32!_lopen
- {4 _* Y" O$ ^9 v. j inc eax; q& O$ m6 |& O
jz 006505ae ; not detected8 ^6 y! q/ s9 ~1 x. u+ h4 a. P1 O
" N+ d( z# Z1 }# C3 @8 c+ ~
. K3 D5 A4 ~7 t; L- y# |! O__________________________________________________________________________
8 S( s _" P' z' q- }+ W1 F8 I- J6 L( @" Y1 i9 y2 M9 a9 G
Method 12
7 _0 B) m$ f7 }! p: k0 m=========- y5 j9 M6 ]5 s R6 i" |0 }
& r0 y# x3 x3 lThis trick is similar to int41h/4fh Debugger installation check (code 05
6 L0 J T" @$ f! @1 X- Y& 06) but very limited because it's only available for Win95/98 (not NT)$ P' V2 H; g/ H
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 k+ U o; Z* n" s4 A' `
' N2 g: u! u8 \- v push 0000004fh ; function 4fh
1 z/ ]: V. D* S% Y5 q$ ?! ` push 002a002ah ; high word specifies which VxD (VWIN32), Y4 }( G( ~0 Y% u( d2 A
; low word specifies which service+ H, i$ C% \) s z6 s
(VWIN32_Int41Dispatch)& y4 c( Y- u/ z( y
call Kernel32!ORD_001 ; VxdCall1 f# V# z/ J# u; h) T
cmp ax, 0f386h ; magic number returned by system debuggers* [4 p! A* [$ Z6 O
jz SoftICE_detected
7 [7 c. B, n6 J( f! `$ U3 ~
5 \! p, `0 y7 `6 eHere again, several ways to detect it:
8 J L2 Z$ o6 G3 U: k. p, x1 V$ l8 [9 @* k% W# H# W
BPINT 41 if ax==4f
: V' m0 k* P2 ?# o/ b9 [$ ]
# a0 n6 O" s' h( y1 p1 y2 n BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
- c: u$ u8 {9 n( U% \6 I- ~8 p% u2 \& m2 [4 K& R
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A4 I- E& A j+ G1 R
3 @9 x" m0 B4 b3 `% H BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!. a, q! D, ]1 p& U8 b* M
$ b, m0 t5 b, f& i2 I3 f__________________________________________________________________________1 W3 N+ b# ]. g' S, t! ]
6 U8 S7 \, f1 M+ S8 [5 A% `: i4 b! u
Method 133 w' ^( F+ s7 R# d
=========. [8 u7 R$ B9 e0 Z p. D c* ^
7 W1 L1 ~/ Z% v F9 x3 x4 f
Not a real method of detection, but a good way to know if SoftICE is/ e7 z. u& o' \/ n
installed on a computer and to locate its installation directory.
: ~1 q. Z9 x; x) A, e5 ?/ B* a* R @It is used by few softs which access the following registry keys (usually #2) :
+ V. c% }; i* d+ F3 G6 [* V% }0 w9 Q& b* K: U8 p7 h2 p- s# M) @$ R
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 T9 c7 I2 y4 i* g+ w9 T8 A
\Uninstall\SoftICE
7 m) J7 s% A o/ @- _) o-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# v) g" G( h& W+ n4 v) B-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion1 T) G \& J* }
\App Paths\Loader32.Exe9 B: u2 t& c$ C1 L% c
* G6 n6 [) s: Q6 @, H
. z* I+ ~1 I' l% j0 N3 ~8 |
Note that some nasty apps could then erase all files from SoftICE directory
- r; A/ R' z7 Y) A G5 l(I faced that once :-(4 H) p! t2 G( c
5 U( T/ ?3 N' u7 ^2 n' ?Useful breakpoint to detect it:+ J5 v& N @& x, \6 n) a
4 A$ p" f3 z) N6 }
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
1 N" v! ?* ]3 s& p3 F$ `* h: x
2 m& P' l+ K) V" k' E" d0 r2 b* F__________________________________________________________________________
! w- Z A V$ H4 b+ D3 P4 a/ r6 [' \# G& A
, @$ Y7 `* L5 Z/ VMethod 14
1 n: ^3 ^, _: m7 v; |=========
( F# t: ^1 p" X& X" _1 N3 g- _/ ]: D! ~
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose' M' w/ l1 V# w
is to determines whether a debugger is running on your system (ring0 only).
F5 Y% h2 b4 |. }& \" @+ o3 z) `5 R( b3 J6 A5 v
VMMCall Test_Debug_Installed
6 u. E2 d8 S" m9 N' ` je not_installed e3 ?( Z6 c! k( M" r4 S
4 _. }& ^0 l3 m8 K9 MThis service just checks a flag.+ S d- f: n5 A) g7 u* b4 H
</PRE></TD></TR></TBODY></TABLE> |