<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with 'BCHK' in EBP and
function 04h in AX, SoftICE answers the int 3 and modifies AL; if AL still
holds 04h afterwards, nobody answered the call and SoftICE is not loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL unchanged: nobody answered the call
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands' (an int 3 interface), which give
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV  AX,0911        ; execute command.
4C19:0098 MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647        ; 1st magic value.
4C19:009D MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0 INT  3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8 JB   0095           ; 6 different commands.
4C19:00AA JMP  0002           ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP          ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the VxD ID of SoftICE via int 2Fh, function
1684h (Get VxD API entry point): the call returns ES:DI = 0 if no VxD with
that ID is loaded.


        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; cheap ES:DI != 0 test
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:
        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). A dummy handler (a bare
iret) is installed in the interrupt vector table for the duration of the
call, so that without a debugger the interrupt does nothing and AX keeps
4Fh; a system debugger that intercepts int 41h before it reaches the vector
table still answers 0F386h:
        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old one in BX:DX
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to spot: AX is
not 4Fh (AL holds a timer byte read from port 40h), so a BPINT 41 if ax==4f
does not catch it. The temporary handler copies AL to CL: if the interrupt
reaches the program's own handler, CL equals AL afterwards; if something
intercepted int 41h and did not chain it, CL is still 0 and a debugger is
assumed to be present.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value (timer channel 0)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): int 68h, function
AH=43h is the V86-mode debugger installation check and returns 0F386h in AX
when a debugger is installed.
        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE
is loaded (DR7 = 0x700 if the program was started with the SoftICE Loader,
0x400 otherwise) or whether memory breakpoints are set (DR0 to DR3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).
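The two DR7 values quoted above are bit patterns, and reading them is only useful if you can say which bits mean what. The C program below is an added example written for this edit, not code from the page or from SoftICE: it decodes a DR7 value into armed slots, access type, length and the LE/GE flags, classifies it the way a protector would before bailing out, and shows what "clearing BPMs" does to the register. The bit layout is the documented x86 one; the sample values are constructed (the page's 0x400 and 0x700, plus one with a 4-byte write breakpoint armed in DR1), not captured from a machine. How the value is obtained is outside the block: on Win9x that is the ring0 read described above, on NT a thread context fetched with CONTEXT_DEBUG_REGISTERS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the x86 DR7 debug control register (bit layout per the
   Intel SDM):
     bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
     bits 8, 9  LE, GE                    exact breakpoint match flags
     bit 10     reserved, reads as 1      hence the 0x400 baseline
     bit 13     GD                        general detect (traps MOV DRn)
     bits 16+   R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3 */
typedef struct {
    int enabled[4];   /* slot n armed (L or G bit set) */
    int rw[4];        /* 0 exec, 1 write, 2 I/O, 3 read or write */
    int len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes, x86-64 only) */
    int le, ge, gd;
    int bpm_count;    /* number of armed slots */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {{0}};
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        d.enabled[i] = local | global;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        d.bpm_count += d.enabled[i];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The page's rule of thumb in bits: 0x700 after a SoftICE Loader start is
   the fixed bit 10 (0x400) plus LE and GE (0x300); 0x400 alone means DR7
   was never touched. */
int dr7_has_exact_match_flags(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* Classify a DR7 value the way a protector would before deciding to bail out. */
const char *classify_dr7(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    if (d.bpm_count > 0)                return "hardware breakpoint(s) armed";
    if (dr7_has_exact_match_flags(dr7)) return "LE/GE set: started under a debugger loader";
    return "debug registers idle";
}

/* What "clearing BPMs" means in bits: drop the L/G enables and the RW/LEN
   fields, keep bits 8-15 (LE, GE, GD and the reserved bit) untouched. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    /* Constructed values, not captured from a machine: the two the page
       quotes, and one with a 4-byte write BPM armed in slot 1
       (L1 = bit 2, RW1 = 01 at bits 20-21, LEN1 = 11 at bits 22-23). */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x00D00404u };
    static const char *rw_name[] = { "exec", "write", "io", "read/write" };
    static const int len_bytes[] = { 1, 2, 8, 4 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        dr7_info d = decode_dr7(samples[k]);
        printf("DR7=%08x: %s\n", (unsigned)samples[k], classify_dr7(samples[k]));
        for (int i = 0; i < 4; i++)
            if (d.enabled[i])
                printf("  DR%d armed: %s, %d byte(s)\n",
                       i, rw_name[d.rw[i]], len_bytes[d.len[i]]);
        printf("  after clearing BPMs: %08x\n", (unsigned)dr7_clear_bpms(samples[k]));
    }
    return 0;
}
```

0x700 decodes as LE|GE plus the always-set bit 10 with no slot armed, which matches the page: the SoftICE Loader set the exact-match flags without placing any breakpoint. A value with one of DR0..DR3 enabled is a BPM, and a protector running in ring0 can write back dr7_clear_bpms() of it before the debugger ever gets its trap, which is exactly why the warning at the top of this method tells you to clear breakpoints first.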
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001       ; INVALID_HANDLE_VALUE
00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386        ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in
"Software\NuMega\SoftICE" and 0x37 its offset in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")
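The interrupt tricks above (Methods 01 to 07 and 12) all leave fixed immediates in the code: the 'BCHK' constant, SI/DI = 'FG'/'JM', AX = 1684h next to the VxD IDs, AX = 4Fh before int 41h, the 002A002Ah VxDCall argument. Methods 11 and 13 leave the device names and the registry path as plain strings. A static scanner that flags those byte patterns is the quick triage a reverser runs on a packed target before loading it under SoftICE, and it tells you which of the breakpoints listed in this document to set first. The C program below is an added example written for this edit, not code from the page or from any packer or tool it names. The opcode encodings are the standard 16-bit ones (the Method 12 push sequence is 32-bit code), the signature list and its labels are my own choice, and the test image is constructed from the Haspinst.exe listing above plus a Method 05 check and a MeltICE device name; it is not a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const int *pat; size_t len; } sig_t;
typedef struct { const char *name; size_t offset; } hit_t;

/* Method 01: the 'BCHK' immediate of mov ebp,4243484Bh, little-endian. */
static const int s_bchk[]     = {0x4B,0x48,0x43,0x42};
/* Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (SI='FG', DI='JM'). */
static const int s_bdoor[]    = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh. */
static const int s_sice[]     = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};
static const int s_siwvid[]   = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};
/* Method 05, simplest form: mov ax,4Fh ; int 41h. */
static const int s_int41[]    = {0xB8,0x4F,0x00, 0xCD,0x41};
/* Method 07: mov ah,43h ; int 68h. */
static const int s_int68[]    = {0xB4,0x43, 0xCD,0x68};
/* Method 12 (32-bit code): push 4Fh ; push 2A002Ah before the VxDCall. */
static const int s_vxdcall[]  = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};
/* Methods 11/13: device names and the registry path, as plain strings. */
static const int s_sicedev[]  = {'\\','\\','.','\\','S','I','C','E'};
static const int s_nticedev[] = {'\\','\\','.','\\','N','T','I','C','E'};
static const int s_regkey[]   = {'N','u','M','e','g','a','\\','S','o','f','t','I','C','E'};

#define SIG(label, arr) { label, arr, sizeof(arr) / sizeof((arr)[0]) }
static const sig_t sigs[] = {
    SIG("M01 BCHK BoundsChecker signature", s_bchk),
    SIG("M02 int 3 back door (SI='FG', DI='JM')", s_bdoor),
    SIG("M03 int 2Fh/1684h, VxD ID 0202h (SICE)", s_sice),
    SIG("M04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", s_siwvid),
    SIG("M05 int 41h function 4Fh", s_int41),
    SIG("M07 int 68h function 43h", s_int68),
    SIG("M12 VxDCall VWIN32_Int41Dispatch", s_vxdcall),
    SIG("M11 \\\\.\\SICE device name", s_sicedev),
    SIG("M11 \\\\.\\NTICE device name", s_nticedev),
    SIG("M13 NuMega\\SoftICE registry key", s_regkey),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

static int match_at(const uint8_t *buf, size_t n, size_t off, const sig_t *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan buf and record up to max hits in offset order; returns the count. */
size_t scan_buffer(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n && found < max; off++)
        for (size_t k = 0; k < NSIGS && found < max; k++)
            if (match_at(buf, n, off, &sigs[k])) {
                hits[found].name = sigs[k].name;
                hits[found].offset = off;
                found++;
            }
    return found;
}

/* Constructed test image (not a real file): the Haspinst.exe Method 02
   sequence, a Method 05 check and a MeltICE device name, padded with NOPs. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,                 /* mov ax,0911h */
    0x8B, 0x17,                       /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,                 /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                 /* mov di,4A4Dh */
    0xCC,                             /* int 3        */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41,     /* mov ax,4Fh ; int 41h */
    0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

size_t scan_sample(hit_t *hits, size_t max)
{
    return scan_buffer(sample, sizeof sample, hits, max);
}

int main(int argc, char **argv)
{
    static uint8_t filebuf[1u << 20];        /* scans the first 1 MiB of a file */
    const uint8_t *data = sample;
    size_t n = sizeof sample;
    if (argc > 1) {                          /* a real binary, if one is given */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(filebuf, 1, sizeof filebuf, f);
        fclose(f);
        data = filebuf;
    }
    hit_t hits[64];
    size_t count = scan_buffer(data, n, hits, 64);
    for (size_t i = 0; i < count; i++)
        printf("%08zx  %s\n", hits[i].offset, hits[i].name);
    printf("%zu signature hit(s)\n", count);
    return 0;
}
```

Run it with a file argument to scan a real binary; without one it scans the built-in sample and reports the Method 02, Method 05 and MeltICE hits. Expect false positives: the patterns are raw immediates and will also fire on data, and a packer that reorders the instructions or loads the magic values through other registers will not match, so each hit is a place to set one of the breakpoints above, not a verdict.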
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>