<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read a varying byte from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL means our handler was not reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS Set Interrupt Vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds when the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

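The BPX/BPINT breakpoints given for the methods above catch these tricks at run time, once the sample is already under the debugger. As an added example (this is not code from the original text, nor from NuMega, HASP, AZPR or any packer mentioned), here is a small Python static scanner that looks for the byte patterns behind methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw file, so an analyst can triage a sample before tracing it. The opcode bytes are assumed from the standard x86 encodings of the instruction sequences quoted on this page (16-bit code and 32-bit code with a 66h operand-size prefix both match); the tags M01..M13 and the sample buffers are constructed for this demonstration.

```python
import re
import sys

# Added example, not part of the original document. Each entry is
# (tag, description, regex over raw bytes). Opcode bytes are assumed from the
# standard x86 encodings of the sequences quoted on the page: B4=mov ah,imm8,
# B8=mov ax,imm16, BB=mov bx,imm16, BD=mov ebp,imm32, BE=mov si,imm16,
# BF=mov di,imm16, CD=int, CC=int 3, 3D=cmp ax,imm16, 6A/68=push imm8/imm32.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' signature via int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("M02", "SoftICE back door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("M03", "int 2Fh/1684h entry point lookup for VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    ("M05", "int 41h function 4Fh compared against 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    ("M07", "int 68h function 43h compared against 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    ("M11", "SoftICE driver device name (MeltICE / _lopen style)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE installation registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf):
    """Return every hit as (offset, tag, description), sorted by offset."""
    hits = []
    for tag, desc, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), tag, desc))
    return sorted(hits)


def tags_found(buf):
    """Set of method tags present in buf (handy for quick triage)."""
    return {tag for _, tag, _ in scan(buf)}


def scan_file(path):
    """Scan a file on disk; the file is read whole, so keep it to sample-sized inputs."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffers (hand-assembled fragments, not real binaries).
SAMPLE_PACKER_STUB = (
    b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh ('BCHK')        (method 01)
    b"\x66\xB8\x04\x00"          # mov ax,4
    b"\xCC"                      # int 3
    b"\x3C\x04"                  # cmp al,4
    b"\x75\x20"                  # jnz SoftICE_Detected
    b"\x90\x90\x90\x90"          # nop padding
    b"\x66\xB8\x84\x16"          # mov ax,1684h                      (method 03)
    b"\x66\xBB\x02\x02"          # mov bx,0202h (SICE VxD ID)
    b"\xCD\x2F"                  # int 2Fh
)
SAMPLE_DOS_STUB = (
    b"\xB8\x11\x09"              # mov ax,0911h (execute SIce command) (method 02)
    b"\x8B\x17"                  # mov dx,[bx]
    b"\xBE\x47\x46"              # mov si,4647h
    b"\xBF\x4D\x4A"              # mov di,4A4Dh
    b"\xCC"                      # int 3
    b"\xB8\x4F\x00"              # mov ax,4Fh                          (method 05)
    b"\xCD\x41"                  # int 41h
    b"\x3D\x86\xF3"              # cmp ax,0F386h
    b"\x74\x10"                  # jz SoftICE_detected
    b"\xB4\x43"                  # mov ah,43h                          (method 07)
    b"\xCD\x68"                  # int 68h
    b"\x3D\x86\xF3"              # cmp ax,0F386h
    b"\x74\x02"                  # jz SoftICE_Detected
)
SAMPLE_STRINGS = (b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00\\\\.\\NTICE\x00"   # method 11
                  b"Software\\NuMega\\SoftICE\x00")                      # method 13
SAMPLE_VXDCALL = (b"\x6A\x4F\x68\x2A\x00\x2A\x00"   # push 4Fh; push 002A002Ah (method 12)
                  b"\xE8\x00\x00\x00\x00"           # call Kernel32!ORD_0001 (relative stub)
                  b"\x66\x3D\x86\xF3\x74\x05")      # cmp ax,0F386h; jz
SAMPLE_CLEAN = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"      # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for off, tag, desc in scan_file(path):
                print(f"{path}: 0x{off:08X} {tag} {desc}")
    else:
        for name, buf in [("packer stub", SAMPLE_PACKER_STUB), ("DOS stub", SAMPLE_DOS_STUB),
                          ("strings", SAMPLE_STRINGS), ("VxDCall", SAMPLE_VXDCALL),
                          ("clean", SAMPLE_CLEAN)]:
            print(f"{name}: {sorted(tags_found(buf)) or 'no SoftICE detection idioms'}")
```

Run it with one or more file names to scan those files, or with no arguments to scan the constructed samples. The scanner only recognises the literal idioms as quoted on this page; the ring0 variants (methods 09, 10 and 14) leave no fixed byte sequence a byte-pattern search can key on, which is why the page's breakpoints remain the practical check for those.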
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>