<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
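Added example, not part of the original text: a decoder for the DR7 values
quoted above, so the 0x700 / 0x400 difference and the dr0-dr3 breakpoint
slots can be read field by field instead of as opaque numbers. The field
layout is the architectural DR7 layout from the Intel manuals; the function
names (decode_dr7, armed_slots, arm_breakpoint) and the third sample value
are chosen for this example.

```python
"""Decoder for the x86 DR7 debug-control register (added example).

Method 10 above quotes dr7 as 0x700 under the SoftICE loader and 0x400
otherwise, and says dr0-dr3 reveal memory breakpoints.  This decodes such a
value into named fields using the architectural DR7 layout.  The third
sample value is constructed: 0x700 with a 4-byte read/write BPM armed in DR0.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes is only defined in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return every DR7 field by name for the given 32-bit value."""
    slots = []
    for i in range(4):
        slots.append({
            "index": i,
            "local_enable": bool((dr7 >> (2 * i)) & 1),          # Ln, bits 0,2,4,6
            "global_enable": bool((dr7 >> (2 * i + 1)) & 1),     # Gn, bits 1,3,5,7
            "condition": RW_NAMES[(dr7 >> (16 + 4 * i)) & 0b11],  # R/Wn
            "length": LEN_NAMES[(dr7 >> (18 + 4 * i)) & 0b11],    # LENn
        })
    return {
        "breakpoints": slots,
        "local_exact": bool((dr7 >> 8) & 1),      # LE, bit 8
        "global_exact": bool((dr7 >> 9) & 1),     # GE, bit 9
        "reserved_bit10": bool((dr7 >> 10) & 1),  # architecturally reads as 1
        "general_detect": bool((dr7 >> 13) & 1),  # GD, bit 13
    }


def armed_slots(dr7: int) -> list:
    """Indexes of DR0-DR3 whose local or global enable bit is set."""
    return [s["index"] for s in decode_dr7(dr7)["breakpoints"]
            if s["local_enable"] or s["global_enable"]]


def exact_breakpoint_flags_set(dr7: int) -> bool:
    """True when LE and GE are both set (the 0x700 in the text), as opposed
    to the bare reserved bit 10 that makes up 0x400."""
    d = decode_dr7(dr7)
    return d["local_exact"] and d["global_exact"]


def arm_breakpoint(dr7: int, slot: int, condition: str, length: int) -> int:
    """Constructed helper: return dr7 with `slot` locally enabled and its
    R/W and LEN fields set, showing which bits a BPM occupies."""
    rw = {v: k for k, v in RW_NAMES.items()}[condition]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    dr7 &= ~(0b1111 << (16 + 4 * slot))                        # clear old R/W and LEN
    dr7 |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    return dr7 | (1 << (2 * slot))                              # set Ln


SAMPLE_VALUES = {
    "softice_loader": 0x700,                                    # quoted in the text
    "normal": 0x400,                                            # quoted in the text
    "constructed_bpm": arm_breakpoint(0x700, 0, "read/write", 4),
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        d = decode_dr7(value)
        print(f"{label:16s} dr7=0x{value:08x} LE={d['local_exact']} "
              f"GE={d['global_exact']} armed={armed_slots(value)}")
```

Decoding shows that 0x400 is nothing but the always-set reserved bit, while
0x700 adds LE and GE, which is why a ring0 read of dr7 alone distinguishes
the two cases the text describes without any breakpoint being armed.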

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* Opening the VxD as a device only succeeds if the driver is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
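Added example, not part of the original text and not a tool from any program
mentioned in it: the breakpoints listed for Methods 02 to 06, 11 and 12 catch
the tricks at run time; an analyst triaging a packed file first wants to know
which of them it contains at all. The scanner below looks for the standard
x86 encodings of the constants the text quotes (mov si,4647h / mov di,4A4Dh /
int 3, int 2Fh/1684h with VxD ID 0202h or 7A5Fh, int 41h/4Fh with 0F386h, the
002A002Ah VxDCall service word) and for the MeltICE device names. The
signature names, window sizes and the sample buffer are constructed for this
example; int 3 encoded as CD 03, or register setups done without immediates,
will not match, so a hit is a triage hint rather than proof.

```python
"""Static byte-signature scan for the SoftICE checks catalogued above.

Added example; byte patterns are the standard x86 instruction encodings of
the constants quoted in the text, everything else is constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    parts: tuple    # byte strings that must all occur ...
    window: int     # ... within this many bytes of the first part


SIGNATURES = (
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    Signature("M01-bchk-int3", (b"\xbd\x4b\x48\x43\x42", b"\xcc"), 16),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (SoftICE back door)
    Signature("M02-int3-backdoor", (b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc"), 24),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_id / int 2Fh
    Signature("M03-int2F-SICE", (b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f"), 16),
    Signature("M04-int2F-SIWVID", (b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f"), 16),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    Signature("M05-int41-F386", (b"\xb8\x4f\x00", b"\xcd\x41", b"\x3d\x86\xf3"), 32),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) ... cmp ax,0F386h
    Signature("M12-vxdcall-int41", (b"\x68\x2a\x00\x2a\x00", b"\x3d\x86\xf3"), 32),
    # Method 11: MeltICE device names passed to CreateFileA / _lopen
    Signature("M11-meltice-SICE", (rb"\\.\SICE",), 8),
    Signature("M11-meltice-SIWVID", (rb"\\.\SIWVID",), 10),
    Signature("M11-meltice-NTICE", (rb"\\.\NTICE",), 9),
)


def _find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data (overlaps allowed)."""
    offsets, i = [], data.find(needle)
    while i != -1:
        offsets.append(i)
        i = data.find(needle, i + 1)
    return offsets


def scan(data: bytes) -> list:
    """Return (signature name, offset) for every signature whose parts all
    occur inside the window that starts at an occurrence of its first part."""
    hits = []
    for sig in SIGNATURES:
        first, rest = sig.parts[0], sig.parts[1:]
        for off in _find_all(data, first):
            region = data[off:off + sig.window]
            if all(part in region for part in rest):
                hits.append((sig.name, off))
    return hits


# Constructed sample: NOP filler around three of the sequences from the text,
# plus a bare int 41h that must not trigger the Method 05 signature.
FILLER = b"\x90" * 8
SAMPLE = (
    FILLER
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # Haspinst: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + FILLER
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"  # Method 03: xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    + FILLER
    + rb"\\.\SICE" + b"\x00"                               # MeltICE device name
    + FILLER
    + b"\xcd\x41"                                          # int 41h with no 4Fh / 0F386h nearby
    + FILLER
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"0x{off:04x}  {name}")
```

Running it on SAMPLE reports the back-door sequence, the int 2Fh/1684h
probe and the \\.\SICE string, and stays silent on the lone int 41h; the
window check is what keeps a stray CD 41 or CC from counting as a hit.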

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>