<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h      ; VxD ID of winice
 int 2Fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh      ; VxD ID of SIWVID
 int 2fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]        ; point the int 41h vector at a dummy handler
 xchg bx, es:[41h*4+2]      ; (and keep the original vector in dx:bx)
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]        ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al                  ; our own handler copies AL into CL
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]        ; install our handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 in al, 40h                 ; read the timer port to get a pseudo-random AL
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]        ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al                  ; CL==AL only if our handler really ran
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number          ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                    ; OF_READ
 mov eax,[00656634]         ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589               ; detected
 push 00                    ; OF_READ
 mov eax,[00656638]         ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae                ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxdCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
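A static triage scanner for the tricks catalogued above, added here as an example (it is not code from the original text nor from any packer or tool the text mentions). It searches a binary for the byte patterns the methods leave behind: the 'BCHK' constant, the 4647h/4A4Dh magic values, the int 2Fh/1684h and int 41h/4Fh sequences, the 0F386h compare, the int 68h/43h call, the VWIN32_Int41Dispatch push pair, the \\.\SICE / SIWVID / NTICE device names and the NuMega registry key; the opcode encodings and the sample buffer are this example's own assumptions, and the method numbers refer to this page.

```python
import re
from typing import List, Tuple

# Byte-level signatures of the SoftICE checks catalogued on this page. The
# opcode encodings are this example's assumptions (standard x86 encodings of
# the instructions shown); an optional 0x66 operand-size prefix lets the 16-bit
# DOS form and the 32-bit Win9x form of the same trick both match.
# Each tuple: (method number on the page, description, byte regex).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' signature in EBP before int 3",
     rb"\xBD\x4B\x48\x43\x42"),                                  # mov ebp,4243484Bh
    ("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46.{0,6}(?:\x66)?\xBF\x4D\x4A"
     rb"|(?:\x66)?\xBF\x4D\x4A.{0,6}(?:\x66)?\xBE\x47\x46"),
    ("03/04", "int 2Fh/1684h entry-point query for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"(?:\x66)?\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,6}(?:\x66)?\xB8\x84\x16.{0,6}\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger installation check",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),                         # mov ax,4Fh; int 41h
    ("05/07/12", "compare against the system-debugger magic number 0F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),                                 # cmp ax,0F386h
    ("07", "int 68h function 43h WinICE handler check",
     rb"\xB4\x43\xCD\x68"),                                      # mov ah,43h; int 68h
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("11", "MeltICE-style device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13", "SoftICE installation registry key",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, pat in COMPILED:
        for match in pat.finditer(data):
            hits.append((match.start(), method, desc))
    return sorted(hits)


# Constructed sample buffer (not a real binary): the tricks from methods
# 01, 02, 03, 05, 12 and 11 assembled back to back between NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # push 4Fh; push 2A002Ah
    + b"\\\\.\\SICE\x00"                            # "\\.\SICE",0
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset 0x{off:04x}: method {method}: {desc}")
```

Run it over a file with `scan(open(path, "rb").read())`; a hit is a triage lead, not proof, since constants such as 0F386h can occur by chance in data.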