<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh           ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911         ; execute command.
    4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647         ; 1st magic value.
    4C19:009D MOV DI,4A4D         ; 2nd magic value.
    4C19:00A0 INT 3               ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02           ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
    4C19:00A8 JB 0095             ; 6 different commands.
    4C19:00AA JMP 0002            ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h                 ; VxD ID of winice
    int 2Fh
    mov ax, es                    ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh                 ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                    ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                    ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]           ; swap in the dummy handler
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]           ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                    ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]           ; swap in our own handler
    xchg bx, es:[41h*4+2]
    in al, 40h                    ; timer counter byte as a varying value
    xor cx, cx
    int 41h                       ; our handler copies al into cl...
    xchg dx, es:[41h*4]           ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                    ; ...unless a debugger swallowed the int 41h
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                   ; DOS: set interrupt vector
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID            ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name          ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx                ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                       ; OF_READ
    mov eax,[00656634]            ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                  ; detected
    push 00                       ; OF_READ
    mov eax,[00656638]            ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                   ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh                ; function 4Fh
    push 002A002Ah                ; high word specifies which VxD (VWIN32),
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001        ; VxDCall
    cmp ax, 0F386h                ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
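As an added example that is not part of the original text, here is a Python scanner that turns the instruction sequences listed above (methods 01, 03, 04, 05, 07, 10, 11 and 12) into static byte signatures, so an analyst can flag a sample carrying these anti-debugging tricks before stepping into it. The image it scans is constructed inline; the signature names are my own labels.

```python
"""Static scanner for the SoftICE-detection idioms catalogued on this page.

Constructed example, not from the original text: it looks for the byte
encodings of the listed tricks so an analyst can flag anti-debugging code
in a sample before tracing it."""
from typing import Dict, List, Tuple

# Patterns are the exact encodings of the sequences shown on the page
# (16-bit where the page shows DOS code).  A reordered or differently
# encoded variant will not match, so treat a miss as inconclusive, never
# as proof that a sample is clean.
SIGNATURES: Dict[str, List[bytes]] = {
    "M01 mov ebp,4243484Bh ('BCHK')":        [b"\xBD\x4B\x48\x43\x42"],
    "M03 int 2Fh/1684h, VxD ID 0202h SICE":  [b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"],
    "M04 int 2Fh/1684h, VxD ID 7A5Fh SIWVID":[b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"],
    "M05 mov ax,4Fh; int 41h":               [b"\xB8\x4F\x00\xCD\x41"],
    "M07 mov ah,43h; int 68h":               [b"\xB4\x43\xCD\x68"],
    "M10 mov eax,dr7":                       [b"\x0F\x21\xF8"],
    "M11 MeltICE device name":               [b"\\\\.\\SICE", b"\\\\.\\SIWVID",
                                              b"\\\\.\\NTICE"],
    "M12 push 4Fh; push 2A002Ah (VxDCall)":  [b"\x6A\x4F\x68\x2A\x00\x2A\x00"],
    "cmp ax,0F386h (system debugger magic)": [b"\x3D\x86\xF3"],
}


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            pos = image.find(pat)
            while pos != -1:                      # report every occurrence
                hits.append((pos, name))
                pos = image.find(pat, pos + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: NOP filler with three of the page's tricks embedded."""
    filler = b"\x90" * 16
    return (filler
            + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"   # Method 05, as listed
            + filler
            + b"\\\\.\\SICE\x00"                            # MeltICE driver name
            + filler
            + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
            + filler)


if __name__ == "__main__":
    for offset, desc in scan(build_sample()):
        print(f"{offset:08x}  {desc}")
```

Running it on the constructed image reports the int 41h/4Fh call, the 0F386h compare, the MeltICE string and the 'BCHK' constant at their offsets; a real sample would be read from disk and passed to scan().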