<TABLE width=500>
' U3 j6 F0 M4 b w) q. S$ @<TBODY>
# ^( k1 @! ?$ [# j( L0 b9 ?<TR>
' _* }2 z9 n) f; S( G7 O; V5 i<TD><PRE>Method 01
9 ^1 O& u- Y. n# ?9 g9 T! \=========
2 ^2 s; F. F- V+ s6 H( A( Y9 d
This method of detection of SoftICE (as well as the following one) is+ N' F0 d2 M8 s& x% l' E
used by the majority of packers/encryptors found on Internet.
: R' N# ?/ B% G) _" b: i" QIt seeks the signature of BoundsChecker in SoftICE
$ ]5 Q8 {0 |/ o! ~( \6 c3 V+ r3 p* o0 |
mov ebp, 04243484Bh ; 'BCHK'6 M: p. z& _ p) U6 f/ c# |
mov ax, 04h
9 O- P) M, Y j# W int 3 0 h7 ~9 X0 X( }# E7 E9 v1 x+ c4 ~
cmp al,4 o3 W0 z$ B+ T9 J8 u
jnz SoftICE_Detected
- I& _! J, H9 M$ A$ y5 N1 j6 X) y% M5 {+ t4 I [+ j
___________________________________________________________________________8 ]7 M3 a0 G8 w4 B" y
0 K" h" w% ~! R' Q8 AMethod 02
. s% h7 i; _- U* v c1 l# ^& `. n=========
: n/ X! U- M0 \/ d4 K) a, O
3 Q1 R9 Y. x1 E5 j6 ]2 gStill a method very much used (perhaps the most frequent one). It is used U& w. S: |( \' w
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,8 F" v1 t* e, i) v- v9 z& Y) [
or execute SoftICE commands...
8 C: X' U9 k5 |' M! G/ `, R9 l, rIt is also used to crash SoftICE and to force it to execute any commands' _# {2 q5 n' y9 e. W* ~- h
(HBOOT...) :-(( ) C+ e ^) [5 L) N& R }7 n @
$ S* x( \8 W2 o: W) pHere is a quick description:9 w5 u4 o/ i+ g9 u7 V
-AX = 0910h (Display string in SIce windows)5 g! q* \3 m7 F
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)% \* l7 R, b) g) W% K( i
-AX = 0912h (Get breakpoint infos)
4 e5 W+ J& H, r g-AX = 0913h (Set Sice breakpoints)/ j4 d2 A; o {+ j: ^
-AX = 0914h (Remove SIce breakoints)7 u" ]7 `( p: \, e }4 s: G& G/ Y7 b
: ~* t% G: w. U5 K3 L) |4 U ?Each time you'll meet this trick, you'll see: O5 M# {( y; k/ k& e6 K$ }
-SI = 4647h: `+ n0 K3 a" P7 A0 B
-DI = 4A4Dh
7 c0 J/ O, n) s/ G \/ rWhich are the 'magic values' used by SoftIce.
% i" J( A( v) w& vFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
$ t" q0 m3 \. n7 `4 \
; }" m) w3 q! p3 h" a1 i, q4 w, i: yHere is one example from the file "Haspinst.exe" which is the dongle HASP
! }/ z/ q l& c$ ~4 \& W( i) TEnvelope utility use to protect DOS applications:4 g/ H+ u+ Q( L( J k l9 U
) T, x. F( Y4 p3 o0 v% S9 I+ z
g; k) [! U4 P% @4C19:0095 MOV AX,0911 ; execute command.
7 M) g N9 J7 s& F& t* l4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).& M2 j* F% t" Q% ?
4C19:009A MOV SI,4647 ; 1st magic value.! k& s$ I$ R4 {9 ?& u
4C19:009D MOV DI,4A4D ; 2nd magic value.
# A! ?- I. v, ?/ C$ }, y! I4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
% L2 J8 \: q& _9 p- J9 H+ j- K, X5 W4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
7 I. s; W+ U" R# X [3 z4C19:00A4 INC CX
& Q; ]1 i* s6 P9 V4C19:00A5 CMP CX,06 ; Repeat 6 times to execute: S8 E3 ?2 h( O1 ~* D0 J
4C19:00A8 JB 0095 ; 6 different commands.
! i. h: i* P9 ~' Y" u% e3 Q4C19:00AA JMP 0002 ; Bad_Guy jmp back.
# R6 p' p3 w' o+ S. I/ S, @4C19:00AD MOV BX,SP ; Good_Guy go ahead :)8 j# N f; [& z
& o: t) j/ Q$ k- e* j. Z5 f
The program will execute 6 different SIce commands located at ds:dx, which
: N2 R9 r: F! d/ aare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.2 r1 b8 B: i! \+ q. J; u! a! _& _! X
: v9 R: e: K3 p: ]1 e* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. ?9 I7 }8 M9 K _( s___________________________________________________________________________
, |8 D& F8 a2 g+ p2 m# T7 T. _9 r0 K2 _' Z. E2 r! \" ?& Y8 l$ m4 C
8 t7 `; H8 ^( J* j2 lMethod 03
7 x; p2 }4 m# Y=========
* k" M1 p8 F% ?" n- y8 Q
" V. A1 h% n7 I3 y* c* @Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h$ @1 a- a. Y4 m' R# z
(API Get entry point)) j4 d' x! i( b2 U7 Q
, b% G# q# C& [: \: e2 J1 O
2 ^' M! @: v q& S6 m8 C v xor di,di R# e0 Y1 h' }$ v& Q
mov es,di
- ?) l( g Z" R5 b% p mov ax, 1684h * b! G% z& h0 J' _, `1 x- W
mov bx, 0202h ; VxD ID of winice
: Q# z! s: A7 e! [. G. X' a int 2Fh
2 E* N. b) c, ?. l P mov ax, es ; ES:DI -> VxD API entry point
( V. \1 I' J+ k. n+ ~; | add ax, di% O' k5 m' _$ y( V" @
test ax,ax
1 e" m. q! C9 n jnz SoftICE_Detected; |1 ~$ |: F$ Q) i
' }( T& Y3 t0 l; E) G% d___________________________________________________________________________
9 f% b- g& e3 U. r) `( d& i& a9 N0 V# ~! w" X9 e- _ \# ?
Method 04& j) Z/ u' z) m T o6 T
=========
% [8 C5 z+ @9 B
) V/ E: x& i* aMethod identical to the preceding one except that it seeks the ID of SoftICE
6 H) r d4 s' } R; KGFX VxD.! C6 m# c! U1 p# M$ L
' w4 K* O/ R/ m' |; }5 W' m9 b
xor di,di% y3 C$ {) T# G, k7 o* m
mov es,di5 Z( { s; L0 b* s3 B7 I3 |
mov ax, 1684h @9 m# ?8 i# V2 t
mov bx, 7a5Fh ; VxD ID of SIWVID# U I1 d# u' ?; M
int 2fh
- f7 y8 B! E* O' i8 b3 {! h" v2 S& r mov ax, es ; ES:DI -> VxD API entry point# j1 f* {+ l6 p. w' @
add ax, di
5 c/ u9 w; a! M l0 E% x* G test ax,ax, S. M# X! l5 |
jnz SoftICE_Detected/ o( e9 `/ j6 ]) b, u! x* j
j6 k: D5 w4 g/ t& a5 {$ @__________________________________________________________________________- I% D4 P* W8 s3 U
# ^; h! ?& Q6 I( e: R# X. m
3 w7 j) S: o2 n
Method 05' x8 J6 @ I) h% v: Q' f" y
=========7 N, r! ]$ x4 ^
$ N# t* S7 P8 E6 W" B% L- dMethod seeking the 'magic number' 0F386h returned (in ax) by all system
& x% F! a! i0 J; h& R# ~! Zdebugger. It calls the int 41h, function 4Fh.
4 h" w0 T+ G8 U3 o$ _There are several alternatives.
+ J) V- d7 M# ~( T$ f Z6 p2 k7 @$ h% i- P0 e
The following one is the simplest:. f" c) s% t4 G& ^ J
7 v( @1 C3 f0 j* _ mov ax,4fh
4 g7 c$ o6 V- X+ n+ X4 i2 f int 41h
; n7 d- a( G' F cmp ax, 0F386
) z7 l; G/ c9 L/ S3 k) A2 Q4 u jz SoftICE_detected- r7 f. J6 e; d$ D3 c# U* |0 J! t
- Z, O7 [' B) Z+ {
5 D+ x F1 o {7 u
Next method as well as the following one are 2 examples from Stone's
' O8 R. r9 v! ?9 D- l' O$ ?"stn-wid.zip" (www.cracking.net):
& D0 i C6 ^' V- u0 v3 B# s% l0 C7 ~% r, `7 C `8 g1 e' r
mov bx, cs2 |- _* q4 }7 Z$ M6 E! V3 `
lea dx, int41handler2
# t5 a% l/ L/ [ xchg dx, es:[41h*4]7 g4 N; [/ u8 z! @: z* J4 E- L
xchg bx, es:[41h*4+2]
( T2 U5 B |. p* n0 q mov ax,4fh3 m" r. \! K& c1 J/ p; @7 m! H
int 41h: q& b$ s& c4 n
xchg dx, es:[41h*4]5 o1 ~( k7 m" {5 D' a: l& ?
xchg bx, es:[41h*4+2]
4 b" L5 Q# ^) M y8 u cmp ax, 0f386h0 u! |' x* z5 f1 ]7 ]
jz SoftICE_detected
9 Q2 O5 P9 W6 E1 F, T- m% d5 I
: y, X# j0 C( zint41handler2 PROC
" a# Q' s8 Y) i5 z; _- { iret+ [5 C# k! q' o, c6 a
int41handler2 ENDP4 u, S' V- S; o p6 q0 s
7 c7 s2 `( M5 W* D
' f$ T9 X+ R; c H8 E$ D4 Q
_________________________________________________________________________
( t4 K9 T* `" U% d \- J8 Y D1 p5 _$ l9 Z* }; v
9 v7 o2 B- n" u5 q$ ~* U+ s
Method 06
1 l0 w6 J/ b4 c=========% t2 q- i+ P1 }+ f/ a3 \
9 f$ ]" E! j6 P) {/ b0 Y9 x) c' O5 _9 ~; E8 G3 p
2nd method similar to the preceding one but more difficult to detect:" Y' S m$ {! U& e, e3 `
+ W% k# C; p% A* ?; n. J( j
5 i$ V3 C% M" `) ^, s* `+ K8 G
int41handler PROC
6 U- \0 R4 d) g Y% T3 N mov cl,al
9 b/ x& C/ o; k1 R& m \ iret
+ L3 F' a' G( ]# {9 Wint41handler ENDP
3 j) F* s2 [5 H. c3 X& {: h) }
3 A u2 ^/ h" M& N7 j8 n# N; Z" L& B N& R3 f
xor ax,ax
9 ^" ^2 D: H! y& l mov es,ax
/ i& g4 e* K" [ mov bx, cs' Q- R' o# j7 D2 j
lea dx, int41handler, ?. n3 t) F. T4 Z
xchg dx, es:[41h*4]
: u) d b9 O4 U, z, `5 d! n( g, I x xchg bx, es:[41h*4+2]0 J0 L- |* t& L
in al, 40h
/ O2 J6 t; n* E; ^8 x xor cx,cx
) r: A0 ^) ]- ~& n2 I) ?' I int 41h
8 Y* w A+ n1 j$ J) R, p xchg dx, es:[41h*4]
- g9 D, {* K- G/ e1 ~# L xchg bx, es:[41h*4+2]- _3 Y; n) m! p% S* K" @# j2 `3 ]: N) w
cmp cl,al
8 z6 b) \# [7 S1 Z6 f' i* ^ jnz SoftICE_detected
- } ?2 d8 Z) _4 R6 ~% x6 q% |; y! Q6 U* C" x4 A d
_________________________________________________________________________
% k* X" t9 X6 f
# u2 T- Y6 B4 HMethod 07
* M/ N7 q* u3 a8 S=========2 e# @% d; J. u" G
8 K+ Z: X' x6 n7 Y8 Q% D e3 mMethod of detection of the WinICE handler in the int68h (V86)
; Q% i3 G7 p- ~8 m6 J
& P, e' t! n. t mov ah,43h
' u1 b/ a7 t* i int 68h
9 L5 O1 Q' f1 Z5 `" M/ i cmp ax,0F386h
- y$ j+ S1 R g- f5 v$ \# r: L& X jz SoftICE_Detected9 U6 h& [; L3 B7 C
- j. H( t! A: r: W2 L
' [1 R- H) h8 {$ O, F* a1 r, p0 r! v
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( i) N! f0 {! I9 U G app like this:$ l0 @) r: O9 x, B X; \. p
* |/ G- L6 ~% \) j1 Q BPX exec_int if ax==68* x2 y3 K; r" Y
(function called is located at byte ptr [ebp+1Dh] and client eip is6 l8 {0 ^9 J M i5 q l- ^
located at [ebp+48h] for 32Bit apps)1 X9 G9 m4 i! |( D. e0 w
__________________________________________________________________________
: }/ q5 f* j! f+ g$ q0 N
% |# G$ m7 Y7 {1 n! X" a( C8 r+ M) f$ N
Method 08
* h8 O! f) h4 U$ K$ H5 L=========
3 u, i% @+ t3 |% i& p" s
6 e6 O8 C4 F- `3 |& Q* h) e' YIt is not a method of detection of SoftICE but a possibility to crash the1 S1 I2 x, p4 }/ h3 ]
system by intercepting int 01h and int 03h and redirecting them to another; d8 t/ J* y' H3 X; F4 y
routine.. M# G$ D( E; ]
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
8 l; p, b' l8 u5 J/ w2 L% Z; @: Dto the new routine to execute (hangs computer...)
& x$ M) O: u: V9 C/ G. N% U# S1 H) p; i( V `
mov ah, 25h0 [9 H* T; J: Z8 m
mov al, Int_Number (01h or 03h)
" |+ k. W r- H mov dx, offset New_Int_Routine
( d. v0 v2 [* s$ k3 t. n$ \ int 21h& z# x) q$ p$ Q2 _" O! d2 l# X! [
* R8 G" e9 c8 X+ j$ j- ]8 R) K
__________________________________________________________________________
( Z# R# M# R0 G! F
4 z3 G2 T% ^' C- o1 } }& DMethod 09
6 \' M$ y, q- P- v2 S=========) L) G1 X, z' Y" M3 n! }
4 `2 }4 O5 k* A, t5 Z, l* OThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- x/ w4 Y3 y/ @6 J/ s t2 q
performed in ring0 (VxD or a ring3 app using the VxdCall).
, o: ?0 C0 _9 mThe Get_DDB service is used to determine whether or not a VxD is installed8 Z& i" j( K; [ h' I. I
for the specified device and returns a Device Description Block (in ecx) for6 R3 ]' M( y9 V0 f t/ `
that device if it is installed./ |( Q N) ^8 a& K* _' w
% V- M n; i. `* b V: @& K
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
5 W) a1 e. \- Y5 T2 L mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
. p6 r: o) B$ h VMMCall Get_DDB5 l% |+ z# R, x- i; h0 C
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
- j* X. `1 _3 ^' L4 E* J: L1 }- d" {8 O9 c6 K5 x
Note as well that you can easily detect this method with SoftICE:
; [" F3 Q4 x5 u0 @7 }5 c6 y7 f5 |- t bpx Get_DDB if ax==0202 || ax==7a5fh
$ G) g" u. ?1 Z( Z: H& C# \
6 S( b5 \% C& I% M4 f3 T1 d__________________________________________________________________________
' m; i. ?0 l' D
4 H' ]( v( E- G b# G. PMethod 10
- A8 Z5 R+ U, ?- O" h: F=========2 g! L' x$ p$ r( j
4 p3 _$ ]8 W; |( G
=>Disable or clear breakpoints before using this feature. DO NOT trace with8 i2 t1 ~* M# F4 D" X7 W# R4 V
SoftICE while the option is enable!!' P" x! Q% T! o$ c( ^
' r* F n- ?! \This trick is very efficient:
& V" q9 c2 y1 n; ^0 Nby checking the Debug Registers, you can detect if SoftICE is loaded
. P6 a6 Y: |! o6 c& r& J(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
o. U ~! ~0 `$ F7 nthere are some memory breakpoints set (dr0 to dr3) simply by reading their
: j% ]; V/ y+ p9 a! Q- tvalue (in ring0 only). Values can be manipulated and or changed as well$ O& i, Y+ @: E
(clearing BPMs for instance)) F; `7 F4 p* @% g8 _
3 z( B7 ^- [9 r" s__________________________________________________________________________
! u+ z1 |9 B, h: s4 l
% m! L) {+ k: L, M+ ?' bMethod 11
6 e' i0 \; r, e6 R- w c=========0 D5 P4 T: w3 m
& E9 E; W, A9 AThis method is most known as 'MeltICE' because it has been freely distributed7 }% @, T! l: p q4 F
via www.winfiles.com. However it was first used by NuMega people to allow4 {, ~& k7 h% Y
Symbol Loader to check if SoftICE was active or not (the code is located
( C6 d# O4 R# N3 Y$ }! t$ Ginside nmtrans.dll).9 X o2 w, {" M4 D3 }
: q0 {6 d$ W+ q' C. C: z5 g
The way it works is very simple:9 J& ]) \3 m9 Y8 m* Y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
5 M. ~! k5 m1 `WinNT) with the CreateFileA API.* q3 k0 o5 R. g6 q L. E( x
! l3 f' e+ Z& b) P5 yHere is a sample (checking for 'SICE'):/ K( R A/ ]& V4 ]
8 U0 W1 w* q, |& L
BOOL IsSoftIce95Loaded()6 S1 H+ O! M! }
{
! M4 S8 C3 |; p) d HANDLE hFile;
" p. a/ a* L) ? F hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
* j9 I, D" I+ X4 n* Q7 _ FILE_SHARE_READ | FILE_SHARE_WRITE,9 \5 s+ S9 k: j. c1 ]7 l4 G9 s
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 a( v/ k4 ?: b! f4 L* G# B: t* l' c, R
if( hFile != INVALID_HANDLE_VALUE )
, C# v8 N/ U4 q8 h- M) _ {
% a4 B" s( a c( Y3 ~: A" j CloseHandle(hFile);! B" G+ p+ K( K# q& Q4 g
return TRUE;
7 H1 C) ]- m# H1 O' d }, R) \! l2 E9 U6 Z% T
return FALSE;0 T' m) P: h/ ?
}. r+ ^$ r- m! H& P; `0 E
9 X. q, ]; Z$ S: d& zAlthough this trick calls the CreateFileA function, don't even expect to be2 n# w, b, e0 E( ^
able to intercept it by installing a IFS hook: it will not work, no way!
6 ^4 D9 W! m$ l) d& \- \, p5 S9 ]In fact, after the call to CreateFileA it will get through VWIN32 0x001F
; i& A/ u- D3 z: Hservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 y- g# J: p! H, @& D/ }- I7 O( R0 U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
& _1 K/ S* I4 o) `& {2 l( Z- lfield.& x. j0 q# B0 k0 O0 E& F
In fact, its purpose is not to load/unload VxDs but only to send a " s4 ?7 q' V6 _3 }3 @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: L( m6 `/ S7 C6 g& pto the VxD Control_Dispatch proc (how the hell a shareware soft could try
/ i8 V* y Q+ s* Yto load/unload a non-dynamically loadable driver such as SoftICE ;-).$ D$ @0 h% r3 d& o g% u0 n
If the VxD is loaded, it will always clear eax and the Carry flag to allow# I3 C& v3 s" B" K" I B1 y
its handle to be opened and then, will be detected.2 E. {# {) c/ m$ T( A
You can check that simply by hooking Winice.exe control proc entry point7 M1 H& g" j5 R4 y
while running MeltICE.. G0 ]( v* j7 n3 T! Z: z- M0 t8 I
; u7 S5 m" _6 ]- a5 u- \* o5 A* W, X; n& D3 Y% O9 l$ n
00401067: push 00402025 ; \\.\SICE8 z% V L) Y5 u( W3 J: Q: t
0040106C: call CreateFileA
. `9 e& l* `$ w 00401071: cmp eax,-001$ `2 j# d, o5 y* I8 A! E6 E
00401074: je 004010919 c6 r/ `# x% l& b, z9 j9 W2 k! y
( H6 {$ [% f* p$ U% x0 a, F) ~9 C7 _. y7 k' r
There could be hundreds of BPX you could use to detect this trick.! L2 |5 g( n1 }6 Q
-The most classical one is:
! t; F1 a9 r. N& {) F* f$ \3 C BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||7 j, e- s0 i" H4 Q9 p
*(esp->4+4)=='NTIC'
) i1 }' W: D& l1 u" b! z) S& [/ E) S9 T5 b
-The most exotic ones (could be very slooooow :-(' e. `1 k5 k7 I
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
& P2 r1 ?; n% d$ K" E6 v ;will break 3 times :-(. g: v7 `1 Q- v% Z" J$ y d
+ s9 }" d2 q" a* V! e8 A
-or (a bit) faster: 8 }; R3 q+ v, V( {5 g- M6 W+ o
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
b L, T0 ?' Q; S1 o- p' `4 }7 [5 J
H& M0 G6 x+ r# b- I- w BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' % j! N I2 |& c% k
;will break 3 times :-(3 N+ I2 f* p0 z+ l2 r4 h, g/ O( p
9 c2 C8 }" L `! `
-Much faster:3 y6 C2 o# p! q# d# u
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'+ t) d j( r Y- J2 b/ j3 u
4 t; v( A( c* w/ D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
; m* ]5 v# t" t/ d# [function to do the same job:' C( Q8 ^3 T9 F9 X+ I, I
; N: e% l3 u, v+ S, I7 J push 00 ; OF_READ
6 m* x& }" J: F mov eax,[00656634] ; '\\.\SICE',0
2 D" H+ F* P x5 L( Y* w. g7 ] push eax% t! `, V2 e7 l L( }0 r) Z
call KERNEL32!_lopen
% N" ?) C+ b3 u7 P inc eax
3 L, m% n9 Y) \" ^7 F* F jnz 00650589 ; detected
0 u) x% R& P$ x# l' G push 00 ; OF_READ$ A3 T! P9 R% Z) n
mov eax,[00656638] ; '\\.\SICE'
# z4 Z; h" y0 B) x! x5 [2 J/ i push eax
' }; K0 k* {! }& Q3 }( k. V( @9 S% A3 S call KERNEL32!_lopen$ ?& }* c0 Z4 Q7 S$ T# F+ f& x2 u
inc eax. W8 e7 r8 i: y: q" Q
jz 006505ae ; not detected9 o! |9 K, U3 H: m% f& ^: o( Z
. | X' X# m6 N% @6 C" t
g- R, x8 i" q9 p, Y! t__________________________________________________________________________
6 _! q. I* o& X' Q' g: H' V6 a' _ t
0 i$ [9 d( }7 QMethod 122 u ^, F: _6 z% T6 Y; r6 O
=========
a& ?$ N T1 ?3 v
c+ T. |( w1 B) g# R3 b+ k: wThis trick is similar to int41h/4fh Debugger installation check (code 054 H. t8 z# j1 L3 l
& 06) but very limited because it's only available for Win95/98 (not NT)$ L! y) D& d! D! e& p- J
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( }6 q3 ~- x( F& I$ \# M: }
" w2 z: X9 x+ _0 F push 0000004fh ; function 4fh
; |- [. ]9 L4 }: U# H/ ~ U2 p, X# ^3 f push 002a002ah ; high word specifies which VxD (VWIN32)
0 ]+ e/ U$ n% t0 B8 |! l4 o' {. ` ; low word specifies which service
9 m9 Y" f5 K, v1 r6 g& e (VWIN32_Int41Dispatch)# o) \4 W( G; a) D3 N
call Kernel32!ORD_001 ; VxdCall! P2 d7 E4 u* e2 q
cmp ax, 0f386h ; magic number returned by system debuggers
" Z' V* Z& S1 T& ^' u jz SoftICE_detected
) W* m4 u( L# N4 ]0 X: y! y2 Y# U K! V/ ]+ I$ S; d. k6 ]
Here again, several ways to detect it:
: ~+ R3 o+ F9 f1 {
% @" _: b! E* Q5 ]% t7 ? BPINT 41 if ax==4f
* p3 g/ y6 [% I3 O8 D/ B
* N/ a7 G+ C. q! N" e7 ^$ h2 l4 t% q/ Q BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one7 A. X" s5 W$ s) m/ z) p
) x" p: u# T& y, l
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
, n v) G! k# W$ V1 |) ]- U" h* _/ s; }6 ~& v
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!3 K- {4 O" a: Z
, X1 O9 H; G$ N' J. {
__________________________________________________________________________8 D* D+ H7 S! h8 }1 l) e5 v
/ }# W. C) m' C9 D' T5 D, v
Method 13
9 f( Z$ v% p5 [! f$ \# e=========
) T/ g( I; H$ K* e+ u" n* w2 C8 S
/ A9 ~2 s1 k! S0 K, h" L+ V8 i% QNot a real method of detection, but a good way to know if SoftICE is; p" I ?- K. y% }7 h" _$ U8 k) e
installed on a computer and to locate its installation directory.! M' M2 ?& L9 N) X2 X
It is used by few softs which access the following registry keys (usually #2) :
/ e6 K' h2 v ?- d& }" k% Q {9 }; [5 [
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 q* K1 F% q0 K
\Uninstall\SoftICE
. _$ k, C- T8 M0 x1 O0 Y& L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
+ w- f" ~ {# ?- ~ t. S P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) ~( B5 G9 G0 X
\App Paths\Loader32.Exe
. H1 c$ H9 f3 e1 @4 _1 C. S, |- M' [" }& _2 R6 V0 g
- }6 O& `3 U6 z7 G0 ~3 X& P+ ]8 gNote that some nasty apps could then erase all files from SoftICE directory! a5 \& h" {5 L- E! E3 N
(I faced that once :-(8 o2 d6 e: _( x, k
/ P& C, h/ ?6 x/ D" t: n2 \Useful breakpoint to detect it:
: O) T" v# ` X7 } s9 F2 f" Q: s- I% k! L
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 k" k" ^0 a, R S2 @' S1 B" P
4 F* }* b4 z% F__________________________________________________________________________
8 m" i( \9 ?% ^ S Z7 ]2 d8 c9 d
# N+ {- |6 Q0 O- v7 q8 B T% x* M2 k5 }: ^
Method 14 / c9 N$ H; G# b+ |5 V6 I$ Y
=========$ @0 V* p t3 {
4 Q- g6 M+ T; k7 |' \1 w
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 a) M8 E% }# F5 L/ Mis to determines whether a debugger is running on your system (ring0 only).
6 S' a: ]6 l* I m& m/ T% ^$ C6 @) v4 z. x
VMMCall Test_Debug_Installed
# H8 A+ R: ~% p+ w, Y je not_installed' B8 ]7 J2 a! ^: u( T/ `3 o
+ R9 r/ M1 a& V! v( T$ {! D4 XThis service just checks a flag.9 P# m4 F6 ]6 W
</PRE></TD></TR></TBODY></TABLE> |