<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the BCHK request
    cmp al,4                ; AL is still 4 only when nobody answered
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce windows)
    -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint infos)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI is left at 0:0 when the VxD is absent
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es is assumed to be 0 (the IVT) here:
    xchg bx, es:[41h*4+2]   ; install a dummy int 41h handler, keep the old vector
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; the dummy handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer counter (a changing value)
    xor cx,cx
    int 41h                 ; our handler sets cl=al unless SoftICE took the int
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> the replacement handler
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered the open: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
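An added example, not code from the original text or from any tool it names: a small static scanner an analyst can run over a packed sample before tracing it, to see which of the catalogued tricks it carries. It matches the byte patterns of methods 01, 02, 03/04, 05, 07 and 12 (standard x86 encodings of the instructions listed above, with an optional 66h operand-size prefix) and the device and registry strings of methods 11 and 13; the sample image is constructed.

```python
"""Static scanner for the SoftICE-detection idioms catalogued above.
Added example, not part of the original text. Instruction encodings are the
standard x86 ones; the SAMPLE image at the bottom is constructed."""
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    ("01 BoundsChecker BCHK / int 3", re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh, the int 3 back-door magic values
    ("02 int 3 back door (SI=4647h DI=4A4Dh)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h, the system-debugger magic number
    ("05/07/12 cmp ax,0F386h", re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall 002A002Ah", re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 11: driver names handed to CreateFileA / _lopen
    ("11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry keys that reveal the installation directory
    ("13 SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe")),
]


def scan(image: bytes):
    """Return (offset, label) pairs, sorted by offset, for every hit in image."""
    hits = [(m.start(), label)
            for label, pattern in SIGNATURES
            for m in pattern.finditer(image)]
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample image: a few of the idioms glued together with NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"            # method 01: mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"                # mov ax,4 ; int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # method 03: 1684h/0202h, int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"    # method 05: int 41h/4Fh, cmp ax,0F386h
    + b"\x90" * 2
    + b"\x68\x2A\x00\x2A\x00"                # method 12: push 002A002Ah
    + b"\x00\\\\.\\SICE\x00"                 # method 11: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"       # method 13: registry key
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

A hit only says the idiom is present; a packer may build the constants at run time, so the breakpoints given with each method remain the dynamic check.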
* {9 X* k( R$ B) m5 X; }</PRE></TD></TR></TBODY></TABLE> |