<TABLE width=500> F# {/ n+ O- q# q: c" n& @. G
<TBODY>3 _2 I6 o& h2 e8 M1 B
<TR># w; s/ F: O, x8 t* b4 O
<TD><PRE>Method 01
! r# O+ b C5 D B: T5 _=========
" A6 x( F4 B4 n+ s% }) y4 K1 w* m6 L- m+ m* u' m- X* F4 A& Y, _
This method of detection of SoftICE (as well as the following one) is
' O4 p6 t j( v; |used by the majority of packers/encryptors found on Internet.
5 `" G6 Y9 `1 V2 iIt seeks the signature of BoundsChecker in SoftICE
# B2 C$ Z$ i) u B( P$ h
& \, n' R: K2 W4 m6 n8 D- ` mov ebp, 04243484Bh ; 'BCHK'3 O2 p9 V, Y m5 T
mov ax, 04h
" B7 r6 U0 B$ ~% [5 u$ w int 3 + S4 z! t2 b" F" g
cmp al,4
, k; y$ y+ A2 h1 {. l2 N* c jnz SoftICE_Detected9 S& @4 t7 f4 h* @2 Z
9 n5 ]1 b' c- Q0 w4 f/ j___________________________________________________________________________. A0 U9 _+ j2 Z& N0 V' \
0 v! R+ A) `% _! x, }
Method 02
4 S" l2 }* `+ K, j% Y4 P' R=========
1 T& ]) g5 h9 f) I) k7 E+ `! ]* s$ ]2 s& {7 }
Still a method very much used (perhaps the most frequent one). It is used. C9 c; p+ m& R( u& e
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
6 E! w4 I( J8 Z" J# H5 O# P, Q% N- _or execute SoftICE commands...
& O) _4 \% t! ]( ^% PIt is also used to crash SoftICE and to force it to execute any commands
" a* r, a1 Q2 s. K(HBOOT...) :-((
; a d! q1 w5 d7 w( `3 e) c/ l) H9 y1 {
Here is a quick description:
; K; n p$ T/ X1 q9 K! o" f+ N-AX = 0910h (Display string in SIce windows)9 d3 L) \' Q9 T/ N- Z! Q9 |" r& y2 |& u
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
0 C- T3 _' `5 j6 F) X- `-AX = 0912h (Get breakpoint infos): a& X$ ]- G7 x; _' d; u" C
-AX = 0913h (Set Sice breakpoints)
& m0 B( n' n) s6 x" O$ x-AX = 0914h (Remove SIce breakoints)6 q4 o3 x' y5 n2 k* D8 m
! P# S2 v* b- j: x" z! A! r* uEach time you'll meet this trick, you'll see:
" O5 [2 h* @5 |! T-SI = 4647h
. e+ {$ ^4 Q: X& z1 S2 E o-DI = 4A4Dh3 `) \2 s* p8 k+ N1 F7 N5 `
Which are the 'magic values' used by SoftIce.
, Z3 T+ y# n$ h% oFor more informations, see "Ralf Brown Interrupt list" chapter int 03h., Q; {0 o+ o F n; w) a
7 C2 Q, p% E: T4 A1 J5 {
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 H- R6 T; v2 P* R+ ~Envelope utility use to protect DOS applications:! |- `! n/ e* E: a7 k+ G0 B
1 a5 e {% h* a7 e: |5 k
8 _0 z# w% G/ p/ w, x/ a% W: J4C19:0095 MOV AX,0911 ; execute command.3 I( C" W' Y! R/ a% T4 ^* V( `; P
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).4 ]- n3 A0 g' c3 I8 `9 O" B
4C19:009A MOV SI,4647 ; 1st magic value.0 x' f g% S: v2 a$ o8 ]9 B$ ?8 l
4C19:009D MOV DI,4A4D ; 2nd magic value.4 }' }, V* p$ d# e
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) U. v7 y4 R: ]3 S
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
! E" _: Y4 |& ~% f4C19:00A4 INC CX$ B" E0 x: O# Z8 ~2 d) K
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute8 f$ R" C% O2 \4 }7 E" f
4C19:00A8 JB 0095 ; 6 different commands.
?& z/ D5 x# ?2 V1 ^% B* B v7 m4C19:00AA JMP 0002 ; Bad_Guy jmp back.
- i& B- c/ Y- K6 s$ g4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
$ w9 p* ^: C. I9 u: X/ J% [. z$ p+ N; v0 ^
The program will execute 6 different SIce commands located at ds:dx, which& {, H' l P( w' o" u
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
9 Y# v* a$ \; D) A: Y) h. N) G/ l2 h- A! s
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 W: c( Z' \- ?0 e___________________________________________________________________________ [9 ~" [9 @5 z# h. J- T" ?
# _6 H+ K: A( k% u3 l
0 e7 @1 N) c5 j0 b+ A. x4 VMethod 03! O9 R( z- P/ j E* t! U; y/ v
=========
% A6 p. T# m9 P: V
5 w9 S! i: M6 t& a4 `4 n; Y' s: KLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 R" o& C% {! _" {4 S n(API Get entry point)
, J0 ~7 I3 q2 m1 \9 \* s8 V! t
" u5 I" w0 @& J) c- k; r( D
( U, j0 |9 ^9 P8 u3 u" W xor di,di5 \, o; D( u3 s
mov es,di
! w9 H; A5 v. E" \# L mov ax, 1684h 8 {7 I3 P' t1 K7 l
mov bx, 0202h ; VxD ID of winice v- X. X4 T: v* G: P& B& o& J
int 2Fh
; w" b/ i/ x) r8 d9 d3 J5 V mov ax, es ; ES:DI -> VxD API entry point
}* n: o2 p# h! ]# I" V add ax, di& E" x& F6 H, v" ~
test ax,ax# r4 r! R7 L( X: y& x3 j
jnz SoftICE_Detected
! Z$ U& X9 a% Y! {7 ]; O1 R% I! ? t, y0 R# D
___________________________________________________________________________ ?5 M8 @* ]3 c0 `5 Z1 l$ p w
. y! |) T' d. J! w
Method 04 \4 T; [2 I/ S
=========
- [% f9 `" z) {1 B2 h' s
7 C( s! w- @( s3 |+ XMethod identical to the preceding one except that it seeks the ID of SoftICE
8 U4 D0 C# a, Q5 e6 L& d, D! i. MGFX VxD.1 X0 [- x, H1 \. n; D% H n
! o& F( l: c. k4 N
xor di,di
4 W" u v4 E) D/ O mov es,di
3 p B/ L4 i* L' S1 w mov ax, 1684h
1 h, B" m7 {" l: G% F mov bx, 7a5Fh ; VxD ID of SIWVID. [( Z) M! v2 }2 V) D) C
int 2fh' H) C' V2 ]7 _& ~8 T5 d
mov ax, es ; ES:DI -> VxD API entry point( W- M/ @; e" i
add ax, di2 N$ e' B2 Y+ Q) o7 |, D
test ax,ax9 C2 u5 ], D5 q& t- R
jnz SoftICE_Detected/ H1 Z1 s# X: G
' M3 G& {4 ]" n% x3 `7 H
__________________________________________________________________________
* X1 C5 i8 E/ J+ }9 h
) G/ W; ~& I. `0 b8 X3 ^6 `0 g2 o2 X! {; X3 E
Method 057 c G% S8 [4 x6 N+ R
=========
7 q" I. z( \. e, e) N0 ?8 V* h8 P( F {) M! {& D
Method seeking the 'magic number' 0F386h returned (in ax) by all system1 H. H( P# q& A7 a
debugger. It calls the int 41h, function 4Fh.9 w) V5 A3 N7 x* L6 _; h1 d
There are several alternatives. 4 k7 p/ y# u* d
: A" A5 J9 U0 _/ x1 D( O
The following one is the simplest:+ }: O% @- f! G3 m- f, v; @
- I. K5 T, `/ I* M; Y1 W/ k mov ax,4fh/ O0 S2 A+ [! b- W) p2 b, C
int 41h$ @3 i: a0 w9 s5 h0 Z
cmp ax, 0F3861 a6 H# U% K; \; G+ X, [
jz SoftICE_detected `( L4 S$ t8 ]0 }& g$ Z
* _3 n5 s! N- C. b3 z5 T) Y; f: _
- ^, S' Y+ A; m7 y) ^( p# l" X' Z L3 qNext method as well as the following one are 2 examples from Stone's
1 O, `( o' Y5 o$ X2 `& J/ K"stn-wid.zip" (www.cracking.net):9 ?1 R( S2 |0 U0 q* E7 s
' \- B" ?7 `, Y( x6 y
mov bx, cs
6 n' J% j% m S lea dx, int41handler2+ `9 b C/ i6 G# Q# W
xchg dx, es:[41h*4]; `6 f. `- R! v6 q
xchg bx, es:[41h*4+2]
4 x* _4 M3 O! z1 s4 | mov ax,4fh; y& d. t! F+ E/ \
int 41h d% v3 K+ v& R8 e2 z4 v
xchg dx, es:[41h*4]+ R# o! y% t: ~9 C6 V0 J9 ?0 F- _9 ]
xchg bx, es:[41h*4+2]
! s7 E" R2 y) T( b; h cmp ax, 0f386h6 T8 {% W+ h5 {# O, z
jz SoftICE_detected* Y0 x) U, r$ a, M* X
) z# v. r1 U' R8 }- K% z* w4 ^
int41handler2 PROC
8 J: s, P, w" X6 u3 y3 J7 q$ ? _ iret
2 K7 F2 N+ F/ P& D2 `6 o: @int41handler2 ENDP# i$ a: C0 d% _
1 H8 P' g! p% c5 J, a
3 Y$ P& M8 U% K, c1 c% J8 I
_________________________________________________________________________! r: H9 \/ U% A. q' x! n4 e
% h4 M9 j1 T; L; J! }9 \; u9 l' k% \0 l1 m/ c& {3 ~
Method 068 v% `: `( C( E8 G
=========4 D% l! L* G+ ], P: R! a' e
/ U( R% b- v5 {- P
& H$ {* N- y- [: x; q. ~
2nd method similar to the preceding one but more difficult to detect:5 I0 P, D4 V/ J7 i2 a
8 v% ?& d) V! ?8 J
9 ^0 N( l; }6 H' i2 l# mint41handler PROC
' {* L3 `7 b3 l/ m+ m. h mov cl,al3 E& W9 w: f8 e" Q
iret
/ [" t! e. n- Vint41handler ENDP
3 T+ D2 O8 h% \- ?2 {7 Z3 ]0 _5 [
! ?4 _4 D; {3 e- |- k, d
2 ~% j3 o: y, o. L( R8 ` xor ax,ax
0 D$ k+ K# y3 s' _. d/ W7 b mov es,ax3 Q. Y; ]+ g2 A# Q- ?% N2 B% s* L
mov bx, cs1 g/ a5 q. \# q1 }! f, i" r& x
lea dx, int41handler
2 _ t \2 p5 U xchg dx, es:[41h*4]
3 y9 r( l3 n R! T; M+ b xchg bx, es:[41h*4+2]
8 f% R* y1 Z$ S. o3 q% P! U in al, 40h
' S' N5 ^+ i( h6 R8 B& P) R' D xor cx,cx
/ ^ @8 Q# ~- b& b9 o" u, S int 41h
$ |* V0 V8 V, I# A f8 A, F7 Q. } xchg dx, es:[41h*4], H/ D8 Y, a: ]# o! o3 Y" M* m" W
xchg bx, es:[41h*4+2]: K; S, H1 T, R
cmp cl,al
- m8 k6 V1 A" I6 } jnz SoftICE_detected; t/ ]2 c1 U F9 B% `7 E' ?( M
/ u$ y4 z- P0 H6 y; x& u, {$ z
_________________________________________________________________________
/ m( Z) Q' S5 I! d7 T/ J N$ U H: W) u7 T, K; }
Method 07
9 g9 X- u1 w& G7 h) |0 a=========
# a( ~- L8 J$ C* T( Q/ H' _ c) `! G2 S4 t+ ]3 S
Method of detection of the WinICE handler in the int68h (V86)
F* B+ E' ?7 y! X! Z8 s9 p6 Q3 D, o" w) ]4 t9 G
mov ah,43h
, j+ S/ b1 P( i) x+ V int 68h
; E: I6 B/ D& i, }- V7 _4 j0 Q cmp ax,0F386h$ |& ?" h0 `1 F( J8 f
jz SoftICE_Detected
( |* f% V5 k5 C4 t7 M. e
" c/ C* c; h |' b) x! L- {
' p) e8 e. G, o, g=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit/ V% o1 `+ }5 U8 ]3 a
app like this:- {& B8 K5 c$ q: u( v; z6 I
. d4 D5 r: v4 q! W; I1 @* c: P
BPX exec_int if ax==68
8 E! u1 A1 }9 ~: A" g (function called is located at byte ptr [ebp+1Dh] and client eip is& I9 ~* V$ q* H5 g1 p' u
located at [ebp+48h] for 32Bit apps)9 y8 @3 P( B# Q! b4 I) F- e
__________________________________________________________________________1 z( Y* W! @/ Q7 R: p
/ v0 B, j! A% U+ S8 a
& d* z& F& M1 k4 R1 j1 tMethod 08/ p0 G3 j7 E8 d% h# L2 e7 j
=========) ~, R2 X$ d: ^$ ]& a
0 s# Q L/ T3 s5 y
It is not a method of detection of SoftICE but a possibility to crash the
4 @3 {; y8 S5 e7 t4 Isystem by intercepting int 01h and int 03h and redirecting them to another
( A* v- Q; H6 ~& O$ [. Vroutine.
6 n3 _% U. l$ d; {It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points& @! p" c3 G( o( W
to the new routine to execute (hangs computer...)+ S9 h/ r/ C( d/ A
o1 {7 h; Q& u) s& h w( \: `4 ^1 E mov ah, 25h$ ?$ F+ P/ X$ p& x/ @
mov al, Int_Number (01h or 03h)
" o: Q+ q; M8 d5 r$ c mov dx, offset New_Int_Routine5 ]! [1 p Z. n+ O6 i5 r( k7 w; v0 T% ~6 U
int 21h5 D6 T* ]. B- n7 B: B
) [% y6 k3 j* E__________________________________________________________________________
, \9 v$ ?& Y* w7 d: q8 j9 O6 E9 @' O; c4 O* p d: j* w* ^
Method 09
5 n8 c" {3 h J/ u2 R) ^=========% C1 a- L* h9 j% ~
: S3 U( d' E8 a- T1 c2 tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- F) {% @9 J9 ~( N7 }& a% T4 Sperformed in ring0 (VxD or a ring3 app using the VxdCall).* D {' B8 F% D
The Get_DDB service is used to determine whether or not a VxD is installed
) i! X: p8 s5 [- C7 \" o- @; ]for the specified device and returns a Device Description Block (in ecx) for
/ Z9 `0 _# w2 w2 [9 d/ Mthat device if it is installed./ I6 T1 q% p' V t& R t
L' b3 X8 x! O- U; Y
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
$ F* X1 b" [: v. I' m4 v mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-), K( X% g* ?7 Q- Q
VMMCall Get_DDB
& a/ ]/ x3 A( ?) D4 w' r& Z mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
- X7 B! e6 A/ A) K7 }+ }
! w0 e8 a: O! `0 W4 `0 u2 D/ P! xNote as well that you can easily detect this method with SoftICE:
, A/ o+ T( G, ]" J$ O7 Z bpx Get_DDB if ax==0202 || ax==7a5fh
6 Z9 _ q0 a/ C( ~; l% C
0 B; J! V6 R& e; a1 S__________________________________________________________________________; i0 d- Q0 f9 `! n1 H% I' s
' n: |9 S5 N- V* G, ?. E% dMethod 10
: G$ K# b7 @: `) j g- M x=========
+ {7 l. b8 I% k. b4 X. n: x2 o% U# ] Y5 _2 _7 e- Q* k* R
=>Disable or clear breakpoints before using this feature. DO NOT trace with3 S7 h7 T" R5 ~3 f! t: P z
SoftICE while the option is enable!!/ t5 F2 A3 G# j5 G1 T* j; H
- H5 h: _% _ H- \This trick is very efficient:/ d) p+ I9 z0 ~( N
by checking the Debug Registers, you can detect if SoftICE is loaded8 M' v( ~- B7 [) F" u
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 O1 f, M5 b/ u. T) N/ m, x/ t. @there are some memory breakpoints set (dr0 to dr3) simply by reading their+ p. P+ U7 U) x
value (in ring0 only). Values can be manipulated and or changed as well
v2 d+ P* V% H& R(clearing BPMs for instance)/ D( y/ t) P+ \ Z8 m8 a4 u
' S/ [! Q* G9 u. D( M- R__________________________________________________________________________
4 N5 I+ q* b1 M6 z& p p& V# `: T+ M2 y* U, K
Method 11
* b$ i/ O4 ]. y o* K1 P! A=========
' V# d! T2 E) J6 E7 ^1 E+ N; n0 {# U7 S4 X
This method is most known as 'MeltICE' because it has been freely distributed; p4 v/ x5 m: D* X) ^4 y
via www.winfiles.com. However it was first used by NuMega people to allow
9 m( Z; B2 t* e$ xSymbol Loader to check if SoftICE was active or not (the code is located
' j; w$ g/ e' t; {inside nmtrans.dll)./ b6 U8 S5 X4 p( `5 `) F; R
- j' ?; y3 E1 i: U) c6 X. G$ pThe way it works is very simple:
( F d: E( i$ i+ p1 O: {* {! ^It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
3 U6 w) m3 o. v# pWinNT) with the CreateFileA API.
5 R1 L4 Q% f3 [4 i+ w3 h
0 g4 E) U+ `! ?* v6 DHere is a sample (checking for 'SICE'):
# C) E3 ~% x5 H; [1 B- ~& f; _8 G( g4 t- H6 Q
BOOL IsSoftIce95Loaded()) w" T3 y$ ]4 U
{
7 Q3 ~& e4 v/ E6 X! b HANDLE hFile;
: v8 Y4 S6 x8 e hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# F. ^& p: T; n& T FILE_SHARE_READ | FILE_SHARE_WRITE,
! ?& ?% c' g, S% [8 ^* V NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 H8 z( E% ^* H( b
if( hFile != INVALID_HANDLE_VALUE )
w, K+ c$ R' Z {0 q8 ^2 e" Y; A
CloseHandle(hFile);
2 f; {& i# L1 A- |: C return TRUE;, c5 N0 T6 B0 x8 s; \
}
7 b) T' z% n! ~, Y7 w return FALSE; n1 b. ?! u7 ^
}
}* d2 Y, D ? v' T- x7 R. Z7 N- S5 B
Although this trick calls the CreateFileA function, don't even expect to be8 c- \9 ?' Y1 n0 M/ B, |0 ]
able to intercept it by installing a IFS hook: it will not work, no way!- I' ?% F1 B+ Z
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
/ | d$ \6 ]( O2 ~) C7 wservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) j6 y O* l0 T1 A8 {0 Jand then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 o+ Q) I C- Dfield.3 I, o4 Y8 ]; @ r* U! J
In fact, its purpose is not to load/unload VxDs but only to send a # C2 z3 n# X; t+ d
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! i; W. C4 n5 i2 s. `
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
1 k$ q4 } Q& ?* S. vto load/unload a non-dynamically loadable driver such as SoftICE ;-).+ k! d2 j: W8 O# F3 _) M$ z) m- R3 x0 I
If the VxD is loaded, it will always clear eax and the Carry flag to allow
. f- S) v* u; }8 B8 J# Zits handle to be opened and then, will be detected.
! A7 J3 o( `8 FYou can check that simply by hooking Winice.exe control proc entry point4 e$ E7 Q2 X9 j( Q7 B& R; a
while running MeltICE.) E9 m3 [! B# d+ l7 c( F5 @ l
! u7 ]' B4 }; X: I! q2 ~9 p# J
00401067: push 00402025 ; \\.\SICE# r5 n$ J1 M: I, b, K; [8 z% c
0040106C: call CreateFileA6 d9 e6 u8 n& d0 F8 Q
00401071: cmp eax,-001, ?* I" n/ V. t3 }5 ^3 }* d3 }& O" T
00401074: je 00401091
4 p$ |2 Y- X' B! V9 D" G0 W, S8 w
7 }& J* {* K ^" W8 A
; ^# H* V# ^' C: ?# c' nThere could be hundreds of BPX you could use to detect this trick.
/ h' P7 W5 \! P4 z8 i( P. S-The most classical one is:
; k, V( S) P$ A5 M* ? BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
3 d+ f/ ~; [# [ F- a& ^& h; U *(esp->4+4)=='NTIC'
, C$ z" p4 K1 Z8 i7 C1 h/ _. \" U/ R# X0 l
-The most exotic ones (could be very slooooow :-( B5 u5 R3 Q# q6 y
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 t+ V9 ~/ y1 m
;will break 3 times :-(
& [# o# H" q( B3 h' w
) ]) ~5 h3 V1 E3 ~7 U-or (a bit) faster:
* y# M+ ~4 F4 q6 R" l8 t5 R BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! Q5 m9 ~' l% B4 M- ~$ m* @
- ~8 X3 R$ G1 S4 _ BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ' v- D# d2 \. C
;will break 3 times :-(
8 z% ?5 T+ ]8 l- a9 d4 v
% x4 x+ H# H: G0 X, _$ V8 _' w-Much faster:
* f: H: ~: B/ s0 r5 P BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
; }; f9 f8 _ ?, b; p: D/ e' V! i, w- s4 j5 G
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen* N; J: G; [1 B/ ?4 K; z
function to do the same job:
# @% {+ N4 x7 Z* ^
( l# c& `2 K; _; x; s" E push 00 ; OF_READ( ^1 h0 ^) T# x' v: ?
mov eax,[00656634] ; '\\.\SICE',00 ^. `! r3 F& f0 X& U, r6 ~: m
push eax# T, \/ \7 Z. H' o
call KERNEL32!_lopen
# a. ^/ y& m' u( i3 ] inc eax& u* I g$ u1 O
jnz 00650589 ; detected) P# M5 J1 I7 w9 u$ u
push 00 ; OF_READ
! u2 P6 U$ X, z8 S9 O mov eax,[00656638] ; '\\.\SICE'
, Q2 I0 h/ g, G1 V4 d# |9 S push eax
! P1 C9 ~: o7 _ call KERNEL32!_lopen4 h9 y5 T1 O, X
inc eax; H4 ^* q, z5 p
jz 006505ae ; not detected
; x0 e" g# O6 V. C7 _( y H3 W
- w' L. B3 t$ D2 D
* ]$ K' l% A0 R__________________________________________________________________________
3 C7 w) ^9 x6 ^0 T& P, }$ O( ]; _) Q' q
Method 12
( h% w- p. ?+ v. T, I8 F' {=========
2 h z* \& T) u3 k' M. Q1 ?
4 g1 D8 a6 ^% s) ^% S. f0 M% ?This trick is similar to int41h/4fh Debugger installation check (code 05/ Y& l4 Z r: _2 q
& 06) but very limited because it's only available for Win95/98 (not NT), B( L& x" x |& P# p* d) p5 q* U U6 g
as it uses the VxDCall backdoor. This detection was found in Bleem Demo. T* }; `8 K ?, c
* w3 v" \' ~0 a$ {1 C
push 0000004fh ; function 4fh
4 d* l; r0 y1 R6 b$ w+ m0 \/ T9 N% t push 002a002ah ; high word specifies which VxD (VWIN32)% S- d$ b" u0 }/ z ]% E4 _
; low word specifies which service$ e3 V" K* f- c* Z% b
(VWIN32_Int41Dispatch)
8 v# b/ p2 j$ R1 t! S call Kernel32!ORD_001 ; VxdCall
7 V" u( E( N3 V( G cmp ax, 0f386h ; magic number returned by system debuggers: `* p0 n( \0 P& A
jz SoftICE_detected
) P4 p; ]/ ~& U) }( y$ E c' \# `; }4 E
Here again, several ways to detect it:! z3 X ^* s# V/ G: `, z! d& U" P' Z
2 ?- m; N% O* O. ^( ~
BPINT 41 if ax==4f' `+ `; U' d( w- V5 k
) s" K( w0 v2 Y. L1 f
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
" [: A" h2 H9 N& P; e( ]2 N7 c K8 i: H, E. J4 q7 }" e8 ?. Y
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
1 V/ d3 U6 b- \5 O; G' _, n/ r* L/ @# {
/ V8 ~1 ]$ X1 O, `% e- O BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
2 a0 C$ h' l1 e3 s9 x" F* Z8 N, v- `% L. ?5 y4 t& E# y
__________________________________________________________________________
; _9 G% R i/ _
: d( v- v2 i' C! K _Method 137 v" x2 o! r4 f9 P
=========) U2 m5 p- U6 _$ Z$ ? M6 [
" d5 w/ v* K% e* d; u$ r
Not a real method of detection, but a good way to know if SoftICE is
3 A( n7 F7 Q3 g' T# n9 Qinstalled on a computer and to locate its installation directory.
. m* F5 s1 V; K+ Q$ ~* cIt is used by few softs which access the following registry keys (usually #2) :
/ d4 @" ?9 F! t: E# g" q% h6 u( T$ U2 H& W. |/ g5 P) f, N8 n
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) [+ W& W1 ^( s\Uninstall\SoftICE
8 j/ c: ?- U8 ]6 J. ]% ^-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE) \( B" n, n' h' g
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! k$ Z2 Y; v# X
\App Paths\Loader32.Exe
- I. J! Q" Y% M* ?
( W: O$ K% @$ w* c( ]
5 C' ^+ t2 m7 l; R G; ?Note that some nasty apps could then erase all files from SoftICE directory/ R3 Y$ }8 A/ Y. `+ p7 M" o
(I faced that once :-(
7 c% c* e9 V) n* G, W% p9 i: b# F! n7 x/ K6 ^: I4 w
Useful breakpoint to detect it:
% J; x$ a( I8 O: a/ d. {( Q. U) f* [ j0 T# U( W% e
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
* Y9 a( M1 C$ M' S: D, Q6 N( t: K2 p* R( ~
__________________________________________________________________________
9 q7 ~# J" ^% U3 X2 ]- F8 s5 e
' e5 A9 V6 F1 X
0 V* E3 I: @; M) @8 F; S! |6 C3 ]Method 14 0 a; {3 d! k# m+ h7 d
=========
: X0 h9 s% |1 u7 y
1 a1 J' ?; Q, r$ h- f& ]A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ o' }* M u6 }2 u" t
is to determines whether a debugger is running on your system (ring0 only).
, g6 u9 l) L$ N3 ]" r( Q' N- d- r. U) q ~( g
VMMCall Test_Debug_Installed! a# A( M* w. {" e$ v
je not_installed
% t: U5 w. N# F7 {; n+ b8 L4 n" Q: z i
This service just checks a flag.& k! T' w, X( @
</PRE></TD></TR></TBODY></TABLE> |