<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call (and restored afterwards), so the magic value can only
come from a debugger intercepting the interrupt itself, not from whatever
handler sits in the interrupt vector table:

    xor ax,ax
    mov es,ax                ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
dummy handler copies AL into CL; if CL still differs from AL after the int 41h,
the handler in the vector table was never reached, so a debugger swallowed the
interrupt. Using a random function number read from the timer port (40h)
instead of the classic 4Fh is what makes this variant harder to spot:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    #include <windows.h>

    /* Returns TRUE if the SICE device can be opened, i.e. SoftICE is loaded. */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
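
As an added example (not part of the original document or of any tool it
mentions), here is a static triage scanner that looks for the byte-level
fingerprints of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above in a raw
code/data blob, so an analyst can tell in advance which of these tricks a
protected binary carries. The opcode bytes are derived from the mnemonics
shown on this page using standard x86 encoding (assumption: 16-bit code for the
int-based DOS tricks, 32-bit code for the BoundsChecker and VxDCall ones); the
sample blob is constructed by hand.

```python
import re

# name -> (bytes regex, description). The .{0,N}? gaps tolerate a few
# interleaved instructions between the anchor opcodes, as in the Haspinst.exe
# listing. Encodings assume 16-bit code for int-based tricks, 32-bit otherwise.
SIGNATURES = {
    "method01_bchk": (
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
        "mov ebp,'BCHK' ... int 3 (BoundsChecker signature check)"),
    "method02_backdoor": (
        re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"
                   rb"|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.DOTALL),
        "mov si,4647h / mov di,4A4Dh ... int 3 (SoftICE back-door call)"),
    "method03_04_int2f": (
        re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                   re.DOTALL),
        "mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh (VxD entry-point probe)"),
    "method05_int41": (
        re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
        "mov ax,4Fh ... int 41h ... cmp ax,0F386h (debugger-installed check)"),
    "method07_int68": (
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),
        "mov ah,43h ... int 68h (WinICE V86 handler check)"),
    "method11_meltice": (
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
        "device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE (MeltICE)"),
    "method12_vxdcall": (
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
        "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    "method13_registry": (
        re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
        "registry path Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes) -> list:
    """Return the sorted names of every fingerprint present in blob."""
    return sorted(name for name, (rx, _) in SIGNATURES.items() if rx.search(blob))


def report(blob: bytes) -> list:
    """One line per hit: offset of the first match, name and description."""
    lines = []
    for name in scan(blob):
        rx, desc = SIGNATURES[name]
        lines.append(f"{rx.search(blob).start():#06x}  {name}: {desc}")
    return lines


# Constructed sample: hand-assembled fragments of methods 01, 02, 05 and 11.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # method 01 (32-bit)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Haspinst.exe-style
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # method 05 (16-bit)
    + b"\\\\.\\SICE\x00"                                   # MeltICE device name
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a dumped code section (after unpacking, since most of these
tricks live inside the packer stub) and review each reported offset by hand;
the gap sizes are deliberately small to keep false positives low.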
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>