<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handshake in SoftICE: the caller
loads 'BCHK' into EBP and function 4 into AX, then executes an int 3. If
SoftICE is present it answers the handshake and changes AL; if no debugger
is installed, the int 3 returns with AL still equal to 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which return information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE uses to recognise a back door call
(an int 3 without them is treated as an ordinary breakpoint).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get VxD entry point"). Under Win9x a VxD can export an API entry point
to V86/PM callers; the call returns it in ES:DI, and ES:DI = 0 if no VxD with
that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger installation
check).
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector at its
own IRET handler so that, with no debugger installed, the call comes straight
back with AX unchanged (4Fh) whatever the original vector held. SoftICE hooks
int 41h at ring 0, ahead of the V86 interrupt vector table, so the replaced
vector does not hide the call from it and it still returns 0F386h. (The
snippet assumes ES already holds 0, the IVT segment.)

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect because
neither 4Fh nor 0F386h appears in the code: the installed handler copies AL
into CL. If the program's own handler runs (no debugger), CL equals AL
afterwards; when SoftICE intercepts int 41h the call does not come back
through that handler unchanged, so CL and AL differ. Note that AL is a timer
byte read from port 40h, so the check can give a false negative when that
byte happens to be 0.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed from ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: bit 10 of DR7 is reserved and always reads as set, and 0x700
additionally has the LE and GE exact-match bits set) or whether memory
breakpoints (BPM) are set (dr0 to dr3), simply by reading their value (in
ring 0 only, since MOV from a debug register is a privileged instruction).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

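As an added illustration (not from the original article), here is how to read the DR7 value once the debug registers have been dumped from ring 0: it decodes the two values quoted above and lists which BPM slots are armed. The register values at the bottom are constructed for the example.

```python
"""Decode an x86 DR7 value as read in Method 10.

Added example, not part of the original article. It shows what the two
DR7 values quoted above mean (0x400: only the reserved always-set bit 10;
0x700: bit 10 plus the LE and GE exact-match bits) and which hardware
breakpoints (BPM) are armed. Bit layout follows the Intel SDM: bits 0-7
are the L0/G0..L3/G3 enables, bit 8 LE, bit 9 GE, bit 13 GD, bits 16+4n
the R/W field and bits 18+4n the LEN field of slot n.
"""

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the global flags and the list of enabled breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                     # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n,
                      "scope": "global" if glob else "local",
                      "kind": RW_KINDS[rw],
                      "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1),
            "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1),
            "breakpoints": slots}


def debugger_hints(dr7, dr0_3):
    """Apply the rule of thumb from Method 10 to a DR7/DR0-DR3 snapshot.

    dr0_3 holds the four address registers. An address only counts when its
    slot is enabled in DR7; a stale value left in DRn alone means nothing.
    """
    info = decode_dr7(dr7)
    hints = []
    if info["le"] or info["ge"]:
        hints.append("LE/GE set (the 0x700 case): started under a debugger loader")
    for bp in info["breakpoints"]:
        hints.append("BPM in DR%d at 0x%08x: %s %s, %d byte(s)" % (
            bp["slot"], dr0_3[bp["slot"]], bp["scope"], bp["kind"], bp["length"]))
    return hints


# Constructed sample values, not read from a real machine: the 0x700 loader
# pattern plus slot 0 armed as a local 4-byte read/write BPM (L0=1,
# R/W0=11b, LEN0=11b) at 0x00401000.
SAMPLE_DR7 = 0x000F0701
SAMPLE_DR = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7):
        print("DR7=0x%08x -> %s" % (value, decode_dr7(value)))
    for hint in debugger_hints(SAMPLE_DR7, SAMPLE_DR):
        print(hint)
```

Reading the registers themselves still needs ring 0 (a VxD, or a ring 3 app going through VxDCall); this only interprets what such a helper returns.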
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However, it was first used by NuMega to let Symbol Loader
check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking the three driver names):

#include &lt;windows.h&gt;

/* Try to open one SoftICE driver by its device name. The open only
   succeeds when the driver is loaded, so a valid handle means SoftICE
   is active. */
static BOOL IsDriverPresent(LPCSTR szDeviceName)
{
    HANDLE hFile = CreateFileA(szDeviceName, GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

/* Win9x: SICE is the debugger VxD, SIWVID its video driver. */
BOOL IsSoftIce95Loaded(void)
{
    return IsDriverPresent("\\\\.\\SICE") || IsDriverPresent("\\\\.\\SIWVID");
}

/* WinNT: the kernel-mode driver is NTICE. */
BOOL IsSoftIceNTLoaded(void)
{
    return IsDriverPresent("\\\\.\\NTICE");
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 "\\.\" prefix, and the 4-byte compare matches the start of the driver name):

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (it returns HFILE_ERROR, i.e. -1, on failure,
hence the "inc eax / jnz" test):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 land on the "tICE" at the end of keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
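
Most of the checks above boil down to a handful of constant byte sequences,
which makes them easy to triage statically. The following scanner is an added
example (not code from the article or from any program it mentions): it
encodes the marker instructions and strings of Methods 01-07 and 11-13 as
byte signatures and reports every hit with its offset. The gap lengths it
tolerates between marker instructions and the sample buffer at the bottom are
this example's own assumptions.

```python
"""Static triage for the anti-SoftICE checks listed on this page.

Added example, not code from the original article. It turns the instruction
sequences and strings of Methods 01-07 and 11-13 into byte signatures and
scans a buffer for them. The encodings are the standard 16-bit x86 ones
behind the listings above; the 32-bit forms only add a 66h prefix, which the
patterns do not require. Gap lengths between marker instructions and the
sample buffer at the bottom are this example's own choices.
"""
import re
import sys
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    description: str


# (method, description, regex over raw bytes); ".{0,N}" tolerates a few
# unrelated bytes between the marker instructions of one check.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' BoundsChecker handshake before int 3",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh ('FG'/'JM') back door call via int 3",
     rb"\xbe\x47\x46.{0,4}\xbf\x4d\x4a.{0,8}\xcc"),
    ("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
     rb"\xbb\x02\x02.{0,8}\xcd\x2f"),
    ("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
     rb"\xbb\x5f\x7a.{0,8}\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h debugger installation check",
     rb"\xb8\x4f\x00.{0,8}\xcd\x41"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3d\x86\xf3"),
    ("06", "in al,40h timer byte before int 41h (handler-swap variant)",
     rb"\xe4\x40.{0,4}\xcd\x41"),
    ("07", "mov ah,43h / int 68h WinICE V86 handler check",
     rb"\xb4\x43.{0,6}\xcd\x68"),
    ("11", "SoftICE driver device name (MeltICE style CreateFileA/_lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 2A002Ah VxDCall to VWIN32_Int41Dispatch",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key name",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes) -> List[Hit]:
    """Return every signature hit in data, ordered by offset."""
    hits = [Hit(mt.start(), method, desc)
            for method, desc, rx in COMPILED
            for mt in rx.finditer(data)]
    return sorted(hits)


def scan_file(path: str) -> List[Hit]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample, not from a real binary: the Haspinst.exe loop of
# Method 02, then a Method 05 check, then a MeltICE device name, with NOPs.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\x8b\x17"                # mov dx,[bx]
    + b"\xbe\x47\x46"            # mov si,4647h
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh
    + b"\xcc"                    # int 3
    + b"\x83\xc3\x02"            # add bx,2
    + b"\x41"                    # inc cx
    + b"\x83\xf9\x06"            # cmp cx,6
    + b"\x90" * 8
    + b"\xb8\x4f\x00"            # mov ax,4Fh
    + b"\xcd\x41"                # int 41h
    + b"\x3d\x86\xf3"            # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for hit in hits:
        print("%08x  method %-9s %s" % (hit.offset, hit.method, hit.description))
```

Run it as `python scanner.py target.exe`; without an argument it scans the
constructed sample. A hit is a reason to look, not proof: the 0F386h compare
and the driver-name strings also occur in legitimate debugger tooling, and a
packer that builds the constants at run time (XORing them together, for
instance) will not be found this way.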
- X- Y+ J4 j1 V2 O</PRE></TD></TR></TBODY></TABLE> |