<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3
issued with EBP = 'BCHK' and AX = 4 is answered by SoftICE, which
changes AL. If AL still holds 4 afterwards, nobody answered:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; answered by SoftICE if it is loaded
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:

-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first swaps the int 41h
vector in the IVT (ES must be 0, as set explicitly in Method 06) with a
dummy handler that only does iret, so a debugger which merely chained onto
the real-mode vector is bypassed, while SoftICE, which intercepts the
interrupt itself, still answers 0F386h:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The installed handler copies AL into CL; the trick relies on SoftICE
swallowing the int 41h so that the handler is never reached and CL
(zeroed beforehand) no longer matches AL:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: an unpredictable value in AL
        xor cx, cx
        int 41h                 ; our handler should set CL = AL
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip at [ebp+48h] for 32-bit apps)
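The following Python scanner is an added example, not part of the original text: it searches a raw code buffer for the machine-code encodings of the checks in Methods 01 to 07 (the int 3 'BCHK' call, the SI/DI back-door magic values, the int 2Fh/1684h VxD IDs, int 41h/4Fh and int 68h/43h). The byte patterns were assembled by hand from the listings above, assuming 32-bit code for Method 01 and 16-bit real-mode code for the others; the sample buffer is constructed from those same sequences and is not taken from any real program.

```python
import re

# Byte patterns for the int-based checks from Methods 01-07, as they encode
# in x86 machine code.  Method 01 is 32-bit code (mov ebp,imm32 / 66 prefix on
# mov ax); the others are 16-bit real-mode code.  A small wildcard window
# (.{0,8}?) tolerates instructions scheduled between the two halves.
SIGNATURES = {
    "Method 01: BoundsChecker 'BCHK' int 3 (mov ebp,4243484Bh ... int 3)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    "Method 02: int 3 back door, SI=4647h/DI=4A4Dh magic values":
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
    "Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)":
        rb"\xBB\x02\x02.{0,8}?\xCD\x2F",
    "Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)":
        rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "Method 05: int 41h function 4Fh (mov ax,4Fh / int 41h)":
        rb"\xB8\x4F\x00\xCD\x41",
    "Method 07: int 68h function 43h (mov ah,43h / int 68h)":
        rb"\xB4\x43\xCD\x68",
}

COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def find_anti_softice(buf: bytes):
    """Return [(offset, signature name)] for every match in buf, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled copies of the sequences shown in the
# text, padded with NOPs.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 (Haspinst loop body)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                  # Method 04
    + b"\xB8\x4F\x00\xCD\x41"                              # Method 05
    + b"\xB4\x43\xCD\x68"                                  # Method 07
)

if __name__ == "__main__":
    for off, name in find_anti_softice(SAMPLE):
        print(f"{off:08X}  {name}")
```

Run it on a dumped code section (or the unpacked image after the packer's stub has finished) rather than on the packed file, since most of these stubs are themselves encrypted on disk; a hit tells you which breakpoint from the sections above to set before the check runs.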
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device and returns a Device Description
Block (in ecx) for that device if it is installed:

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        BPX Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!!

This trick is very efficient: by reading the debug registers (ring 0
only) you can detect whether SoftICE is loaded (dr7 = 0x700 if you
loaded the program with the SoftICE loader, 0x400 otherwise) and whether
memory breakpoints are set (dr0 to dr3 hold their addresses). The values
can be manipulated and changed as well (clearing BPMs, for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
to allow Symbol Loader to check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the
CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE if the SICE device can be opened, i.e. the Win9x SoftICE VxD is
   loaded and answered the open request; FALSE otherwise. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how the hell could
a shareware program try to load/unload a non-dynamically loadable driver
such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; "\\.\SICE"
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName, +4 skips the "\\.\"
 prefix):

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; "\\.\SICE",0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; "\\.\SICE"
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where "tICE" sits in key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
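The following Python triage script is an added example, not part of the original text. It covers Methods 11 and 13 together from the static side: instead of breaking on CreateFileA or RegOpenKey at run time, it looks through a binary for the device names and registry subkeys those calls need, in both the ANSI form the listings above use and UTF-16LE in case the W API is used. The name lists are taken from the text; the sample buffer is constructed and not from any real program.

```python
import re

# Device names opened by the MeltICE-style check (Method 11) and the registry
# subkeys probed by Method 13, as listed in the text.  HKEY_LOCAL_MACHINE is a
# handle argument, so only the subkey path appears as a string in the binary.
DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REGISTRY_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]


def _needles(text: str):
    # ANSI form for CreateFileA/_lopen/RegOpenKeyA, UTF-16LE in case the W API is used.
    yield "ansi", text.encode("ascii")
    yield "utf-16le", text.encode("utf-16-le")


def find_softice_strings(buf: bytes):
    """Return [(offset, kind, encoding, string)] for every SoftICE artefact in buf."""
    hits = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            for enc, needle in _needles(name):
                # IGNORECASE folds ASCII letters in bytes patterns, which also
                # covers the ASCII range of UTF-16LE text.
                for m in re.finditer(re.escape(needle), buf, re.IGNORECASE):
                    hits.append((m.start(), kind, enc, name))
    return sorted(hits)


def methods_used(buf: bytes):
    """Map the findings back to the method numbers of this text."""
    kinds = {kind for _, kind, _, _ in find_softice_strings(buf)}
    return sorted({"device": 11, "registry": 13}[k] for k in kinds)


# Constructed sample resembling a data section: one device name in ANSI, one
# in UTF-16LE (lower case, as a reminder that device names are case-insensitive),
# one registry subkey, and unrelated filler.  Not from a real program.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"unrelated string\x00"
    + "\\\\.\\siwvid".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, kind, enc, s in find_softice_strings(SAMPLE):
        print(f"{off:08X}  {kind:8s} {enc:8s} {s}")
    print("methods:", methods_used(SAMPLE))
```

A hit on a device name tells you to set the CreateFileA (or _lopen) breakpoint from Method 11; a hit on a subkey tells you to set the _regopenkey one from Method 13. As with the opcode patterns, run it on the unpacked image, since a packed stub keeps these strings encrypted on disk.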
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only):

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>