<TABLE width=500>
4 @9 c" U" }0 i4 E" U<TBODY>2 u% ~7 N1 S! Q" r9 p+ l; V
<TR>
e5 K& a$ w7 Q<TD><PRE>Method 01
$ ^; b) P% q7 e, r {' L# j=========. p8 a) z: V& @, Q; b2 y
x4 u: J3 p( Z; h' X# e5 rThis method of detection of SoftICE (as well as the following one) is
9 c. y2 l- t( f2 Qused by the majority of packers/encryptors found on Internet.: A% c9 |4 Y1 R6 G1 g* Z9 f
It seeks the signature of BoundsChecker in SoftICE
) c3 n+ c% X5 v5 A
' }. r( m4 ?5 v% K4 V1 R, [, T mov ebp, 04243484Bh ; 'BCHK'
! C$ K$ a: B: `/ }- U mov ax, 04h
* R+ B" L2 u/ A7 D5 M: @" m int 3
6 M6 e+ Z+ R/ t4 \* q cmp al,4. w$ Y2 g/ B* S
jnz SoftICE_Detected G4 _4 u5 q" h0 e/ K1 T
$ d5 V! h# c- C2 a; U___________________________________________________________________________; U% ]- G, n( L% z( \1 f" a6 v
: Q/ R6 c4 x# R, c8 }6 a
Method 02
$ I: M1 E1 f; l) m3 Z) Y=========
& t" G3 W0 r+ ]& [# }4 Y8 ?8 ~# R, Q
9 f9 a9 I) r& l8 v0 m4 O& U# K1 nStill a method very much used (perhaps the most frequent one). It is used
7 S3 y. \5 q% \- \to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 q* }( o& e/ P0 A* Z' zor execute SoftICE commands...
3 J6 \& w7 t& o& S" r' w# RIt is also used to crash SoftICE and to force it to execute any commands4 b) q3 E& t9 |0 P
(HBOOT...) :-((
4 O( ]0 `! g: n6 ], l* w# N7 W6 f8 ~ {1 u! ~- F
Here is a quick description:0 B* h( a! p* r; {# ]
-AX = 0910h (Display string in SIce windows)$ ~5 ~7 d+ @# E
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)- @/ h% m# x1 g1 Y" D* e; A, J/ p
-AX = 0912h (Get breakpoint infos)' S: T+ o- b% S- v
-AX = 0913h (Set Sice breakpoints)
( C. v( i' l; B' r0 O6 a-AX = 0914h (Remove SIce breakoints)8 {8 e' S0 Q4 ^! Z* e
. `: t& ?4 w6 w, V" kEach time you'll meet this trick, you'll see:
; V. x8 b7 P V, d& Y7 ?' ~-SI = 4647h+ C% U' u M; H& e. @ D+ G9 I0 b
-DI = 4A4Dh
6 `( ?" a/ [( Y5 K- ?Which are the 'magic values' used by SoftIce.
( f5 M# u$ e( ?' [- o2 DFor more informations, see "Ralf Brown Interrupt list" chapter int 03h./ y5 ^; K" z3 B! J0 R) V
, V6 X, d: t" C# Z2 q
Here is one example from the file "Haspinst.exe" which is the dongle HASP
1 ` ~8 a6 y/ T" r" K5 |Envelope utility use to protect DOS applications:( y. E' I% i3 M5 R4 k
* ?5 d G% J. ~( Y4 o' N9 p
. T- O% i! p2 q: o
4C19:0095 MOV AX,0911 ; execute command.
% A. P0 D4 A6 z4 C% G2 I4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
! l: ]/ K4 J4 d# q& P g8 Y1 ?7 P [$ }4C19:009A MOV SI,4647 ; 1st magic value." O. U0 w, x! o8 s+ b3 T
4C19:009D MOV DI,4A4D ; 2nd magic value.: H' r! ~" h6 X; W1 D& }& i7 d& w+ c
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 S; k4 Y8 f( k: w% w8 A8 a
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
0 T6 n( C5 h' C0 A- }4 Z4C19:00A4 INC CX$ B% u- [5 d5 G4 w6 [
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute- s6 t% U1 F4 J
4C19:00A8 JB 0095 ; 6 different commands.* N- I* ]: i6 l+ ~+ u- @7 a( [9 x
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
6 ~ |. G# p. R. L9 v9 J+ ]( @4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
2 a7 `% L! H! R# G
$ U ?/ S1 ^" o) `The program will execute 6 different SIce commands located at ds:dx, which- X: ^* ~3 R5 D0 g
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* ~) B. Y8 N8 T# k( _* D e, b! h9 B
7 z* n) ^% k: y# ?6 J* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.$ o- ^- e R4 E" X' E
___________________________________________________________________________# b# |$ r3 V2 m1 c d% N% W
0 H) G$ _) j7 I* v4 t+ {6 v. Z' o& _
Method 03% d2 K2 r: X% e; N# l. G" y
=========) y. t' D @9 l
. e( C0 A/ K" h' I- z* G0 h1 {; W
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h3 }0 ]3 _& q; ~# I9 f8 n% `/ e
(API Get entry point)
; u- z' Z* v( q; t! g
1 m1 v$ t- i& z# I0 Y* P
' e& A" V* I( D' x xor di,di
7 J- U+ j$ v1 l& \/ B mov es,di- M$ L( N& r5 n% ]% o j
mov ax, 1684h
* Y" K) C0 y: V6 n0 u# m mov bx, 0202h ; VxD ID of winice+ \) x- C. b X8 m2 h L1 s
int 2Fh
" r1 S9 Q2 v' R: U mov ax, es ; ES:DI -> VxD API entry point( M/ S- M: p; r/ R
add ax, di
$ h0 j ` _0 ^' s; A test ax,ax4 ^+ I5 I" I5 b0 h# d3 U9 @
jnz SoftICE_Detected9 E/ ^) o4 e( o9 j0 H
* g s) l6 j: Y% {6 j___________________________________________________________________________* o* V; K7 ^: P, D' b% G
1 b, V& G8 ~3 x% E
Method 043 A# f: d9 O% f7 G# m
=========
4 b/ B6 b6 J& j, r# d8 V: s# a, A7 s$ }6 A1 a) I0 f4 F
Method identical to the preceding one except that it seeks the ID of SoftICE* o1 Y1 E$ J- z6 _: Q' F9 y' G
GFX VxD./ x& O5 ^( N% z, q3 D
) y. @! F7 Z) J I( I8 ^1 W) Y xor di,di0 e9 C8 ~7 J4 O b
mov es,di+ p7 K: E. b1 g! {: r
mov ax, 1684h : }" q- u' ]# e, r
mov bx, 7a5Fh ; VxD ID of SIWVID2 ~" q6 K8 ^% m1 D9 D, r
int 2fh3 p: W& {4 W% w
mov ax, es ; ES:DI -> VxD API entry point
. y2 } b- M) \ add ax, di, k5 x ]# t4 l7 F( x% o
test ax,ax
& M- }" ~' {3 k0 u- s jnz SoftICE_Detected
7 Z" M5 k# Y1 [. U4 Z% t# D& S! B+ {: b
__________________________________________________________________________/ H" }2 _( o& ]0 P% u, E8 l( x( `/ w* I
) i9 p5 c) @& {# i2 f8 k9 D2 y4 H W2 v6 }
Method 05/ H' r: d# H8 u$ n
=========
, B% W) A. t; W1 T7 Y' ~ @9 I( U/ F7 b0 s: y& s
Method seeking the 'magic number' 0F386h returned (in ax) by all system
; X; [" `( ^2 ldebugger. It calls the int 41h, function 4Fh.
7 l& S! x/ L9 \There are several alternatives. 2 u3 e( Y, C% o: D3 w3 V0 |4 J# I Z
( _" x c0 u/ RThe following one is the simplest:" K- z/ ^0 E! g1 v' ]+ E/ |, E( G1 }* q
1 d4 y: \1 f2 y+ P
mov ax,4fh0 e5 v \" S6 ~, E2 n
int 41h
- |9 a+ c3 H, N8 m cmp ax, 0F386
2 ^7 y% f P4 F- ]" c- ?( \7 w jz SoftICE_detected
G; |! C! [0 ]5 P( r$ I- S) F( C
9 g0 k/ }% f/ D1 Y9 U0 ?# \
, E0 r( d; I/ K/ n! D' RNext method as well as the following one are 2 examples from Stone's
- m: `' _# a9 x"stn-wid.zip" (www.cracking.net):+ _7 Y/ |4 c% t
% h' I$ E) Q# G' r: ~) o8 x, h, N mov bx, cs
0 A# P$ |( @1 a; P5 U lea dx, int41handler2
8 k" j6 b' z7 u. Z3 n$ l. e! i xchg dx, es:[41h*4]
+ D' A& V% l* ]! q$ V, z xchg bx, es:[41h*4+2]/ @6 \3 r$ p/ e3 a# w
mov ax,4fh
2 }/ h7 T, J1 `' R" U* ` V" U& o int 41h
- [5 z6 ?# W' _, F! G8 ?; { xchg dx, es:[41h*4], H" ^* b U! k; H& j
xchg bx, es:[41h*4+2]
! s" l# c1 i! f- ]7 f& X cmp ax, 0f386h2 B0 R( y# u; H' N
jz SoftICE_detected
7 U" _3 h) h! w' M. q) R/ n! P# r. n9 Q9 V H
int41handler2 PROC7 i8 M; Z0 k2 D( K0 ^0 Y }
iret) k; Q v% y4 L) _1 H7 r
int41handler2 ENDP
# u7 _9 r& Q# a2 Y: c( A) {8 M+ t: ]* ^+ d
, u7 B( X w4 \6 U* f$ a U7 W_________________________________________________________________________
. S) F" k& v% h1 N w9 p- }7 t% j5 P7 x
+ k# X7 x7 r/ K4 _0 y: ]6 b
Method 06
1 W. G; B, D* e3 i9 _5 f+ ]=========
: m9 x$ h+ P# h% G9 I6 X
3 |4 x6 S, T4 s2 L; ?! U% K6 R2 g6 n: ]/ X/ M- L) S9 o
2nd method similar to the preceding one but more difficult to detect:
4 g! O: M" _/ o: g
) \. l d' f4 w8 F9 e. g8 F
( m2 S' a0 l ?8 Y7 { r- Tint41handler PROC
+ {3 w4 E/ L' B" ]7 I mov cl,al* B/ D( p4 y1 d! {
iret
3 k9 J7 `5 z$ l% ]int41handler ENDP
' }$ l) c1 h) j" G( j# o+ o5 k4 d! O
! z, S$ R, i. L2 M6 t6 `) r' f3 B6 R
xor ax,ax
( i* {$ @! _+ C7 t& q) i mov es,ax9 s8 R8 r2 |: U+ x
mov bx, cs
2 a# `1 o' u1 m. s8 g4 t; O6 G; P lea dx, int41handler2 Y7 A& J0 n; U; @" d
xchg dx, es:[41h*4]
S& k; z& y/ L% J- V xchg bx, es:[41h*4+2]
2 M* q7 p6 h" i5 T6 A in al, 40h6 a$ }# N! ?+ F1 s& F( q s
xor cx,cx
- Y* s5 x6 [8 j0 p! Z int 41h& A+ z J- O) d! Y" O# M
xchg dx, es:[41h*4]
5 L4 v4 M7 D0 ^8 K# k# N! y xchg bx, es:[41h*4+2]
' l( n @# n& C2 Y$ N- L cmp cl,al
8 s/ f, \8 R# s; t1 X/ ] jnz SoftICE_detected( }' W9 g3 D0 P+ A6 ~
# J3 N l: h5 G' s_________________________________________________________________________# r/ t! s' ~- b& M9 v; u
3 B) l5 x' A) v3 ]( i! ^
Method 07$ }% U2 i/ k2 H2 d; R
=========
$ o+ x5 I0 W/ T9 T9 H- ^! v* H; r2 H E/ \# f6 @1 R. \
Method of detection of the WinICE handler in the int68h (V86)
' N$ u( n6 o8 L0 o( t' G A a+ d( J5 Z. i/ N" S7 Y0 l. A4 f
mov ah,43h
) S0 w" G E# N int 68h
6 k# ]6 K3 n4 e% k' ?% R9 N cmp ax,0F386h
$ [5 C, @1 b" Z- z4 h) s% l jz SoftICE_Detected
* [* i7 `; s) _: r+ Y. ~
: P$ J6 g) X, P S8 h9 v! i7 W
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ p1 N6 B. F% n, ^6 J
app like this:& s- A/ C K7 y! T4 M
% V# I8 b& s. {$ c. n' [
BPX exec_int if ax==68* f* X$ o0 J9 x1 x( w, j
(function called is located at byte ptr [ebp+1Dh] and client eip is
8 j# y) U! L/ | located at [ebp+48h] for 32Bit apps)" Z2 f: q* P7 q- \( T1 A: [, n
__________________________________________________________________________ ^9 A* w5 i h$ v( _$ W7 D! ~
/ Z- K% }8 P% f$ _5 z8 d
0 [- y6 I0 }' R1 w7 cMethod 087 R6 {2 m/ k0 y: N( T+ [
=========
% T: r0 e8 a. F& U' X/ J" H# l1 ?: I$ Y
It is not a method of detection of SoftICE but a possibility to crash the
* v' ]/ T- b- z" Rsystem by intercepting int 01h and int 03h and redirecting them to another
1 |, a& z) d+ c" Q! i( @+ hroutine.8 F" l/ w4 B; z! O2 g; G. g4 H
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points5 A7 }7 Z# Y$ {# W) l; C
to the new routine to execute (hangs computer...): i8 ~3 ^0 I! ]& |: ?
6 Z; j9 L# F* |3 X
mov ah, 25h
; _' R5 g* d3 e$ ?) a2 F mov al, Int_Number (01h or 03h)- b" h7 Y ^: y Y$ m* [
mov dx, offset New_Int_Routine
4 C- N, L+ z% f+ |- t1 ~ int 21h
0 k# ~9 E3 L" u& b; [8 {' S4 U, u7 u" N2 i
__________________________________________________________________________0 p2 I$ D! ^* M6 B, @
8 s6 z3 f6 o- J; q4 c
Method 09) l* z0 U8 \& n$ y" }- u
=========
. a S Z. f4 @3 A" r
0 F, ?$ f% `9 g' ~5 d& DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only' d; b3 G3 _4 K3 h+ L1 @
performed in ring0 (VxD or a ring3 app using the VxdCall).( b( Y5 w' _; Z7 O
The Get_DDB service is used to determine whether or not a VxD is installed! P7 u: }2 z4 j1 D
for the specified device and returns a Device Description Block (in ecx) for- Q0 _- R- ?' @2 h5 w& J
that device if it is installed.
. E$ |0 g$ G& A' n/ f5 i
. C; r! a: q2 `5 z mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 P/ I0 c" t+ Z) P* H* G7 t mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% q/ X: _( N; U VMMCall Get_DDB
3 A' a* `1 L9 W2 l( X- Z# W8 w$ d/ x" W mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
]6 p5 A, B- g
" }9 O( {' H8 w7 ^( y* @; gNote as well that you can easily detect this method with SoftICE:" L* ?* c8 H) f& H
bpx Get_DDB if ax==0202 || ax==7a5fh
2 D- Y. W: x1 P8 J( N- K
: c( T5 X/ F" n: r5 k__________________________________________________________________________( i. S7 o$ t; w( f/ s3 D
. I* P& ] i$ c4 k% U* Y9 u5 \' g; |8 L* d
Method 10* n! ^7 _: M: |/ R# `
=========
" ~2 X k+ I" _! S" Z
: t3 ~' t' |, U& ?+ c# s# a) t=>Disable or clear breakpoints before using this feature. DO NOT trace with
' q4 E4 }" v- O: Z6 h SoftICE while the option is enable!!
+ T+ p# {, U; g5 E2 [( ?% x/ k0 J V+ u5 P: Q
This trick is very efficient:5 ^& K5 X8 i \- {! C
by checking the Debug Registers, you can detect if SoftICE is loaded) m6 {: J% H. U8 O
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if9 U! L3 m$ o% c+ {
there are some memory breakpoints set (dr0 to dr3) simply by reading their, d3 u0 N' A9 l0 ^
value (in ring0 only). Values can be manipulated and or changed as well
- [0 p, `7 ]0 j(clearing BPMs for instance)- x4 F& A' I6 W: s# i, |) P/ Z- q, ]
5 o5 e D, \0 t: I
__________________________________________________________________________* A4 C7 k2 Y* u% y; K
$ i4 o/ h9 Y+ h2 k6 e1 k
Method 115 L+ X; ^ W! }3 \$ K0 v
=========6 n1 x0 m' k s: x
8 l) z) I& ]( \3 C+ }' G
This method is most known as 'MeltICE' because it has been freely distributed
% d- C( w0 J# ?% D6 avia www.winfiles.com. However it was first used by NuMega people to allow: r1 m" t6 k1 n+ ]
Symbol Loader to check if SoftICE was active or not (the code is located
5 e/ }1 M( {$ Pinside nmtrans.dll).
3 T! J T" E4 H, D6 R! D( Z( l; |' L$ ~; N. m2 p: D
The way it works is very simple:
1 ^' l; ]- i/ V+ c9 `6 u+ l7 LIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for% X( L1 ^+ [) u+ M- X
WinNT) with the CreateFileA API.
1 @: W3 f# Z. U+ i0 y2 O
! [& R4 o3 C% Y! N; w) J, U* uHere is a sample (checking for 'SICE'):" Y- i& p9 |2 n. a4 q
2 i: ]; R) a2 t# I
BOOL IsSoftIce95Loaded()
/ o* q8 A( |: |{9 J" R6 t" R9 [% m" F
HANDLE hFile;
7 k8 ^+ I5 \" _2 Q K hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; S3 e) z$ M0 ~- d
FILE_SHARE_READ | FILE_SHARE_WRITE,
) o" v! Y5 N: O NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 L6 q8 R) q: }; G( q) H if( hFile != INVALID_HANDLE_VALUE )7 Q5 O. M6 M5 H6 c3 m+ O
{
- }# w+ V8 U1 h! [" ~" E S. E CloseHandle(hFile);0 s5 O; [6 B/ T- w- k/ F+ Q
return TRUE;
- c4 ~& X7 ~5 F9 s6 @2 i3 T; y }
4 J4 x3 c7 P/ g return FALSE;
: N7 F: @( F/ {7 x3 b4 L% b}3 |/ y2 h6 ?# d$ ^, G# n
" b1 x2 o4 i" _; A; T* ]4 l
Although this trick calls the CreateFileA function, don't even expect to be. g& g- p d0 {% W- Y
able to intercept it by installing a IFS hook: it will not work, no way!4 d/ z5 J2 h) E5 J& t. S
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
. [6 i* ]0 D: t0 k) e4 N- Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 _( a" k' D6 Mand then browse the DDB list until it find the VxD and its DDB_Control_Proc) x0 p3 _: J5 f
field.! @0 S; Y$ `$ Z- `
In fact, its purpose is not to load/unload VxDs but only to send a
3 J$ ?9 X* V& z5 ?4 x2 o0 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
) v7 f3 ~* Q- [1 `to the VxD Control_Dispatch proc (how the hell a shareware soft could try
) S; |. ]+ C6 A5 S) D4 J/ F8 Hto load/unload a non-dynamically loadable driver such as SoftICE ;-).; V7 G8 c$ h/ h+ }( V* u6 J6 W7 B
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 \9 F# d) O4 w* A- Y$ ~its handle to be opened and then, will be detected.
8 {* ~ q6 K, F$ pYou can check that simply by hooking Winice.exe control proc entry point
& `1 z6 E o7 v! Twhile running MeltICE.
3 v; m$ ?2 r3 Y; c% j8 N( }) l4 j* f# f! O7 }" N
3 h4 p2 J' e& x1 E$ K! M0 y, r 00401067: push 00402025 ; \\.\SICE) a: ^" e6 [& W5 v( ?
0040106C: call CreateFileA( T5 j7 e2 D7 h! m5 Z, J
00401071: cmp eax,-001
) J* v2 r# L' X$ H3 C) X0 ?0 n 00401074: je 004010912 B1 R! A1 `5 @ D2 \
0 X. Z1 O( K; O4 ~( Q" I# g
& X* r$ B# \* _ x1 Q9 i/ O) H2 q1 |There could be hundreds of BPX you could use to detect this trick.
9 `5 ^4 ?# ~! O-The most classical one is:9 v: v# k: G0 n; @; S" ^
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
5 G3 r2 W. u( [ *(esp->4+4)=='NTIC'
+ E5 w' B* W/ K. S0 n# Y, Z
0 a3 w3 _$ a; i+ B w6 p _3 Z5 }-The most exotic ones (could be very slooooow :-(
4 H5 P% r J! K3 f BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') , A6 d, S! S+ i, S5 K3 ]
;will break 3 times :-(; K J7 o9 ]0 k9 E8 X9 l
- x |1 W# E% N, d& d
-or (a bit) faster: 5 y8 p% {3 F4 s
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
0 }. {; j3 g) r3 R! q* r7 o" W- g$ f2 m# C& r
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' & V4 N2 {1 _! i
;will break 3 times :-($ V3 g& U( Y1 u; H, _ A1 e" L5 ?
+ o- j4 R6 g% y/ u-Much faster:
& }# [7 X: C, U6 @! I" H) | a BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
/ n9 g8 V. T! n9 }
+ D4 W" O- L1 b+ x6 kNote also that some programs (like AZPR3.00) use de old 16-bit _lopen" }" J8 P" j0 F- j2 g
function to do the same job:8 `7 I$ n) n; D% ~' [3 @
& z( K3 h [3 V, T( w! y
push 00 ; OF_READ
. i4 G# T& ?1 V* m& H mov eax,[00656634] ; '\\.\SICE',0
7 J& h7 J5 j F* k" ]9 o push eax
# ~7 A# M6 H! n7 h" ], K9 j call KERNEL32!_lopen! Q' b F) e( \6 D. B) Z
inc eax
% N6 N y% j |& n) { jnz 00650589 ; detected
9 r: n8 U- J3 N0 }; o push 00 ; OF_READ1 D9 Z7 b8 R; v7 g' X+ k( B
mov eax,[00656638] ; '\\.\SICE': I# p$ N& c' L# d3 L7 v4 {
push eax
$ B4 y/ K8 u$ O call KERNEL32!_lopen2 d( t5 W" N, ]6 F, i( O
inc eax
0 _+ G! p1 ]5 n7 e; l& c jz 006505ae ; not detected: p! X; W9 T: U E5 r8 g* f
( B) J. j" d% f- t. M
( `' x( v7 c; q* E
__________________________________________________________________________
/ N* r2 ]% F. z$ S0 ?& a# @4 p0 j. N+ t6 L2 y
Method 12
4 V$ m4 T; s; u. F q=========4 }$ C$ j+ s; o3 T1 a2 H
! B# m# f: c% h! y9 C7 dThis trick is similar to int41h/4fh Debugger installation check (code 059 ]5 }7 h# Y. G6 L& y
& 06) but very limited because it's only available for Win95/98 (not NT)( G0 D( [: d7 w7 b) E0 ^
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 A# f! T$ E: _ k2 k; a: @
$ H# w3 g. i* t6 c& b8 S9 a push 0000004fh ; function 4fh7 x& t; x7 Y$ p" ~
push 002a002ah ; high word specifies which VxD (VWIN32)3 E4 |* x5 m3 L. E+ b7 a
; low word specifies which service
1 x3 Z- k" R- L0 \ (VWIN32_Int41Dispatch)
: B$ x9 t! c# f; M/ d call Kernel32!ORD_001 ; VxdCall
% |7 V3 h9 D. G, M( p) h! G' x0 f c cmp ax, 0f386h ; magic number returned by system debuggers
/ y; |, E; T& m) Z5 Y jz SoftICE_detected
$ H6 c( k' j7 k% n4 ]
0 K: W7 c' I4 `0 q% ~% nHere again, several ways to detect it:, d' e; }% d) j% w9 d
6 ]7 T, D/ M- z; f! e BPINT 41 if ax==4f2 ~5 c$ L' L1 i+ V1 R
% V k/ u3 Z. t& ^6 ~
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
% }9 D. [/ o E# m& h l$ @! l' b* a l# G( \' U5 P s# j8 I5 k# ^+ I
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
- f3 X# t: ^! f/ i
. S2 R3 r+ W8 B! E7 g3 n. Q4 h BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
, o* f9 H4 J! F G- i- _: h& y4 v, T7 t, E
__________________________________________________________________________* D1 E# H/ ]) B; X1 o
/ O! R1 b9 {+ H0 E* @Method 137 J3 X1 M1 b5 y
=========) U4 j# w- g$ M; t& G# {/ i" Y2 V4 y
) d1 v5 h! l1 L, P, p
Not a real method of detection, but a good way to know if SoftICE is
+ w! c2 T9 o! y* Y3 c+ a; ?installed on a computer and to locate its installation directory.3 I1 A8 ^2 z: Y X% f3 g% q
It is used by few softs which access the following registry keys (usually #2) :1 G( m1 ~: d& O3 P
. q: s9 W7 n. v5 G-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 B5 S0 X' U3 L2 R9 A: r X- ]# D
\Uninstall\SoftICE
+ k, P/ J s1 Q1 Q W( y$ ^-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE1 Y# T4 W" ^1 J3 s4 x9 f1 R1 v B
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& m) U) X& f! W; t
\App Paths\Loader32.Exe
+ X( z$ K( j1 C h3 \# h5 y0 m: [# L5 W, z" G
) [; F7 R$ q- Y" B! T. r+ x5 h6 iNote that some nasty apps could then erase all files from SoftICE directory& V7 m7 k* b# w9 c/ f2 c. c
(I faced that once :-(8 r+ j7 M2 H% l& ?$ Z! f2 v X
: |. D6 P0 h; C* M4 MUseful breakpoint to detect it:
0 ]5 J, t' [7 u$ L% e
* X2 ]4 l* u. g% l* Y( Q0 V% z2 @3 G BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'" j s; y. U6 Z/ ~5 O( h9 a# w& N
. t7 c. g1 H& N6 V! E8 c" f
__________________________________________________________________________9 ?: C& E; A, @1 r. U9 w0 c# a/ w
) j( ` V- V5 K& v- y& M
9 r2 F; B k3 B# U9 j0 t% } yMethod 14 % M* x; Y% O# T, }( y" z h8 i
=========
* d6 h9 R- J. K" U! e5 f3 I1 {% `! ^7 }! K% s
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
# T7 x9 S$ M9 c2 w f5 sis to determines whether a debugger is running on your system (ring0 only).6 p* H7 S2 t! @# V& r( `
O8 \% l4 M9 f- W# x0 Y- q
VMMCall Test_Debug_Installed) Y3 N- L3 t" _* n4 d( I
je not_installed" g2 D8 z; l6 v7 ]: g
; |1 Z N- P) g
This service just checks a flag.6 v. [* x2 y: D! }- t. _
</PRE></TD></TR></TBODY></TABLE> |