<TABLE width=500>
* Q: {0 m8 n5 K6 A) Y* Q/ u<TBODY>, C" [7 }2 P, O, `/ L8 X
<TR>
. o3 z" {. J b Y( x& e<TD><PRE>Method 01 2 _, O; E4 a; d0 n% c: B
=========
" ^- B8 Z6 L9 n+ `3 E. g! P5 V. B3 ?: Z" ^6 s3 h8 ?" U
This method of detection of SoftICE (as well as the following one) is
2 l0 o+ ?* J* y6 [3 }' X& Qused by the majority of packers/encryptors found on Internet.% k1 e4 c& Y; J3 P# s
It seeks the signature of BoundsChecker in SoftICE
* y3 r: {& ~7 U* H: @) F' ?+ H
4 ?$ D) L. S; H- p& T: y5 [ mov ebp, 04243484Bh ; 'BCHK'/ M, j, ^, E- V9 U7 v4 }
mov ax, 04h
" Y" j$ H9 C# Y# X" L) g int 3
- t, z# A6 K( g. C cmp al,4
|2 E( w: c- W/ U- Q( Z1 D jnz SoftICE_Detected) i3 V/ Y" E& j0 D' K" B6 g
8 \9 k+ Y0 v& l$ S* ^
___________________________________________________________________________) R6 G9 P3 ~1 H8 e8 f) ?- e0 H# W
0 J6 u1 ]9 B2 w
Method 020 H$ W0 J6 {5 j( _) K, ?
=========
& b6 W& ?" ?/ X( {; w1 G2 Z9 X# N5 q# t- P8 B
Still a method very much used (perhaps the most frequent one). It is used! n- ?* {# Q% Y
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# A! ~1 J; U. W1 C
or execute SoftICE commands...
8 N' U0 j& ~+ iIt is also used to crash SoftICE and to force it to execute any commands+ b9 A, l" K" M% Y4 p
(HBOOT...) :-((
; R+ u3 m1 `* O" d/ p' Z3 A$ q
3 k1 A% T; R% t4 o8 L# jHere is a quick description:: U+ ]2 n$ Y" K- K- D; s
-AX = 0910h (Display string in SIce windows)6 }9 O e# ?5 d% q3 M) n8 Y7 M# c
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)4 P# b1 L% E: P/ B
-AX = 0912h (Get breakpoint infos)
9 g7 S9 X, n* M- b-AX = 0913h (Set Sice breakpoints)9 H& C3 \6 D4 `& Q
-AX = 0914h (Remove SIce breakoints)
, B2 F/ D- s% |& H; C- A) [; P9 P# c; D
Each time you'll meet this trick, you'll see:
2 `" a- R% n$ n. j' a/ z5 x$ n1 V-SI = 4647h; i2 Z/ `- k8 {3 z. h
-DI = 4A4Dh* I. r6 p: x( M& k" O* m& {
Which are the 'magic values' used by SoftIce.
( T* P; j: T: W: V" LFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
3 W$ B8 m* l* i4 s
" ^( c' V. u+ l. r; f) `7 i9 VHere is one example from the file "Haspinst.exe" which is the dongle HASP% `8 m% u0 c' w: ?9 j V. q$ m: T
Envelope utility use to protect DOS applications:
3 A* q2 e9 w5 ~# ~; @ O1 ~4 p- d/ e& c* L! D. F& M" h! J3 ?
+ g% z: S3 N- C8 t# t# b/ R
4C19:0095 MOV AX,0911 ; execute command.! d1 s V- b/ [& @( B% Y8 o: z
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
3 {$ m+ |7 |" J5 ?# j3 U3 Q3 X9 B5 w4C19:009A MOV SI,4647 ; 1st magic value.7 i( G! r9 v, t
4C19:009D MOV DI,4A4D ; 2nd magic value.9 L" f, P3 [" r9 F
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
; |& B& c n U4 D: P" y) Z* T4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute7 ?8 V8 {7 W8 C- ^ K6 `) n0 f# |
4C19:00A4 INC CX- M7 D% u1 |: l
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ C/ S2 A* v0 T# V' x( I
4C19:00A8 JB 0095 ; 6 different commands.* {9 r. H# b1 U& T7 O& L0 n& M
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
9 J: A# J. V- k9 H' b L8 N4C19:00AD MOV BX,SP ; Good_Guy go ahead :); L* z% d) a. ~; [* N
) X: z2 @- v$ ]& ~, X1 Z
The program will execute 6 different SIce commands located at ds:dx, which
* @* z$ s8 ^( ^+ D1 X, _are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ z% u$ p- \( s+ p |2 ^% _6 G( v2 m" _& S! [6 R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.% j. \* ^ Q. m0 i/ {
___________________________________________________________________________6 M4 I$ @( ~8 b {
% k/ m! v& }3 `3 R7 a# b
6 I2 e3 p1 ], GMethod 03+ i5 c! E0 m1 U% C' `' e; \3 z
=========
6 z( O9 b I+ {/ i) _* F
: L. B* k: ~- W/ L- w9 }Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 a" {) E" X/ `0 S3 v; x+ \; m(API Get entry point)
) |9 K0 F, }- t( ?$ _
. _. @/ T. P- M0 x3 L! y3 D: H* X$ T7 W2 n0 J
xor di,di/ J I1 M8 X$ P$ x2 j( h& M# f
mov es,di: v- C4 U- @& [* F8 d
mov ax, 1684h
6 T; u! \6 s; \, c: p, a6 f mov bx, 0202h ; VxD ID of winice
# _0 Z* Z$ }+ E1 S a int 2Fh% `" f. n9 z% ]: o8 m- k
mov ax, es ; ES:DI -> VxD API entry point$ x7 \. G4 U: p) w! x
add ax, di
: T, q/ o" i: a9 Y! u" E" t S& X4 ~ test ax,ax/ `- ` K% u7 r' @' B. A0 {( O
jnz SoftICE_Detected; C5 {9 p2 J1 \9 x- x; ^" e4 `
' A; @ }) C$ H5 F+ _" y___________________________________________________________________________% r$ A/ \2 D1 o3 P: J; T
. }' c/ G/ i1 t) n# X7 ]Method 04
7 }5 L- {) F) W% F! t: L3 I/ P=========
! r: \8 x% X& @2 g3 @# Z5 R! P6 }! y5 ]$ {: _0 {- ~/ a' m
Method identical to the preceding one except that it seeks the ID of SoftICE4 n' w1 y& ?$ Q4 [+ P5 ]. x. e* L, V
GFX VxD.9 G9 ` |2 Y% t* [$ c, S! m8 S7 w
3 ?) n8 h1 q( b xor di,di
" D5 \2 R! e9 ^% \ mov es,di
$ p! k( \" G4 M+ Z: C mov ax, 1684h
/ C% J1 U+ ]" Y9 v mov bx, 7a5Fh ; VxD ID of SIWVID5 u4 a w4 d* h8 Z2 @, }1 H
int 2fh
/ n9 g. N. F: ~1 z& ~ mov ax, es ; ES:DI -> VxD API entry point# P( l% J& V, `3 X; r" @& A
add ax, di
# o) k) `/ M4 a( N( Z test ax,ax
# s" e5 T$ G+ L jnz SoftICE_Detected
8 s( c; s+ J Y! Z2 N
) C0 {! h6 o) Y; ]2 H__________________________________________________________________________
2 H6 P7 W2 V& b* t+ ~5 y) ^' N, }+ Y
4 Y! d; y0 C% J/ O+ |/ h: f$ b1 C! I& ^
Method 05
3 z5 C8 x: v0 G1 l=========4 N6 A8 X8 g' T1 y
, `: z# E$ Z* |; ~ [6 {* x/ i
Method seeking the 'magic number' 0F386h returned (in ax) by all system
: i# _4 z. Z- ^debugger. It calls the int 41h, function 4Fh.
; a. }# _9 w+ @There are several alternatives.
+ C! \" r5 P p q+ U
6 \& n. Y/ Q9 M% e. y F, Q* lThe following one is the simplest:
$ c k5 P2 H) I0 b, R" g: b) l1 a6 Y! n6 s% s8 `5 T8 r5 {
mov ax,4fh5 N. e) R9 d& o- K
int 41h
3 O( _5 n+ p/ V o# Z cmp ax, 0F3861 B& ?; H2 C& H
jz SoftICE_detected
7 v& U3 h! L9 |4 d7 R
# u3 Z- d# ~; g3 A T4 r) M$ r1 ^' d- A+ f/ a+ p/ m
Next method as well as the following one are 2 examples from Stone's
! N8 p( o! g5 n5 }5 f- L"stn-wid.zip" (www.cracking.net):
' g5 @( T' {6 w8 W, B% k& t8 S
" `' u/ [& y9 c* g* r mov bx, cs
) g f& {/ i) h8 s lea dx, int41handler22 O. R/ _1 `' B. A
xchg dx, es:[41h*4]" x* `/ ~) V# U/ c, f* ^( ?" e& C
xchg bx, es:[41h*4+2]
0 p( h/ ~6 [1 P& s, u/ }4 D mov ax,4fh$ e, l& S( A- f# S3 c/ a* h
int 41h
/ T! J- |; J8 E& p xchg dx, es:[41h*4]) T8 ?- Y+ S) H
xchg bx, es:[41h*4+2]& V8 m& j4 I( ]$ U, X
cmp ax, 0f386h
, E) |6 ^8 C0 w2 E* K/ @" ?% c1 ^ } jz SoftICE_detected q/ ~* X, w8 }0 ]3 E
, X" K9 I. s0 E+ _
int41handler2 PROC: V0 M: |0 W; U6 h, M
iret) M' E$ q% g) u& P
int41handler2 ENDP
$ Y- y4 i# \' r5 v6 A1 Y& I1 ?( J# v- b2 h& V/ A$ S' _' ?
7 Z: I# v3 ^' O' u: E
_________________________________________________________________________! v1 G. U" G2 \( l
3 w0 V5 x1 O2 m; ?$ y3 V8 ?* D
! X. ?* [8 G4 Z5 ]1 o: OMethod 06- \, d& q3 [: \2 ?
=========
5 Z' ?4 Q8 _! y2 V: J& ~$ l+ P9 _/ ~& N- [( b% r% e
9 K+ B& Y* T/ G+ f3 q2nd method similar to the preceding one but more difficult to detect:
& z% u& x( o2 V) H0 O; O4 I" Y; O; E( p
/ B9 U6 \3 `: z+ i. pint41handler PROC
/ x$ N+ ^6 ]# l4 [, ^% { mov cl,al
7 v1 g& n5 G! T7 \. i iret# u' M2 M2 T$ T* T$ \" R
int41handler ENDP' f' ^2 R7 j! Z. P) e
) a# t3 D0 r7 X ?5 p9 L) `6 l1 w; o, E
xor ax,ax6 {3 m7 g) g, n$ l8 R5 P
mov es,ax
0 _' M6 g7 O3 B/ X& [ mov bx, cs
: Q3 w6 ~" F4 c. ]3 ^ lea dx, int41handler4 f# P8 T' G- ~' F
xchg dx, es:[41h*4]# w5 d/ o/ v# w2 O3 U# [* h
xchg bx, es:[41h*4+2]
! B4 A4 y; j$ K0 g5 \) {" v in al, 40h, Q" @0 f% O9 M% V7 y$ Z
xor cx,cx
5 Y4 D% J) L U) x' G int 41h
+ |% K# f% ]! z0 \3 t xchg dx, es:[41h*4]. K& o, ^- E* l2 r4 z, O+ O
xchg bx, es:[41h*4+2]% W! K* H( h* }$ ^9 ]; K }
cmp cl,al9 i& Y7 g* \9 l% h, u+ y) o
jnz SoftICE_detected. \, G# I+ n" ?% Q# y
; {$ |& t4 ]. l( q0 V9 l2 }
_________________________________________________________________________/ z% ]1 P/ |7 J/ p3 Z/ m/ _& E
0 v: L8 n& [9 c- fMethod 07
3 Y2 ^ D0 p/ q* F9 z8 {& `- b=========, [- M, g3 \$ v# C
, t& L) u' Z) Z
Method of detection of the WinICE handler in the int68h (V86)
4 c3 k2 D% _0 T0 C! i7 N* ~0 q8 m1 u8 o! i, j1 `
mov ah,43h
+ x7 N1 P& E& s& L& f: ] int 68h0 n: [# ]7 @- d4 @) X
cmp ax,0F386h# Z" X5 M+ W6 C& K( E+ g
jz SoftICE_Detected
# c' j5 R7 R& a2 |% D% ]
+ F. u! {; h/ G( _7 i- F4 r* G+ e) d& \# u
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit; R( l1 y4 P: [( s* g
app like this:
* v1 z+ Z3 P0 x: e) X
% }; ]; E9 l/ v+ B BPX exec_int if ax==68: b" s+ C* X1 v) t( \: Q
(function called is located at byte ptr [ebp+1Dh] and client eip is! v3 v- A5 D- T# o
located at [ebp+48h] for 32Bit apps)) z# M' v8 R: Y/ R' U) w
__________________________________________________________________________
" h# g- T$ ~0 K) v6 U$ {" Z) E; s& G2 b* v( ? U% M" e
- N# |! ~5 k8 C% |1 Y3 m1 U2 ^
Method 08( H' u( H8 Z0 y0 `
=========
" F$ Y! u* x5 x
/ ^1 [2 e( |; rIt is not a method of detection of SoftICE but a possibility to crash the
v+ }# Z: n, Bsystem by intercepting int 01h and int 03h and redirecting them to another
0 I H" X- {. w3 jroutine.0 b9 L' f( h5 d6 @0 i6 k
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( }6 i/ `0 B7 Q9 z6 y% r( W
to the new routine to execute (hangs computer...)
2 u% _& X: p$ ]9 a4 p
3 Y) O& r' J+ p: Y mov ah, 25h+ o, v& y3 o$ L. Y- e% ^. F
mov al, Int_Number (01h or 03h)# j" l6 Y0 W& b2 [4 F
mov dx, offset New_Int_Routine
1 B f6 x3 X* ? int 21h! V1 Y, z6 ~. t( L: v- ]
* ^( W+ R) ?* W# O: c
__________________________________________________________________________
/ a) p7 i* D m- X& b! A) ~+ N, a5 e3 V+ [. n
Method 09) w# R% R0 x4 n+ e6 r" m# X
=========) d5 }/ U9 I* p2 W7 w, U
' y4 I8 f% M5 \5 qThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
9 m+ D, c% T8 Z* G5 r( eperformed in ring0 (VxD or a ring3 app using the VxdCall).' u( y$ Z5 X' Q" V# e0 E6 x v, C @
The Get_DDB service is used to determine whether or not a VxD is installed
' Y2 p, W: p' @3 k- i: zfor the specified device and returns a Device Description Block (in ecx) for
! `) v1 e; L9 ^that device if it is installed.
0 F, Q' g# h; B* E" r. W1 N( y' m5 ^2 C( ~ K
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
5 k6 X* S: F7 O9 {3 g/ f mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 @$ R% k% ]8 @& K2 k6 u
VMMCall Get_DDB
% A" s9 e3 i3 P6 _+ w4 t2 A mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
8 B3 ^, A4 H2 s x5 K# I7 C7 V$ a8 R7 Y. l9 Q
Note as well that you can easily detect this method with SoftICE:
/ [8 }3 d* k# L. Y$ l/ P bpx Get_DDB if ax==0202 || ax==7a5fh
2 |+ R6 n! H& b& \" R$ {
+ o; \3 b0 \7 S7 q__________________________________________________________________________7 H2 M: a6 Y3 R& T0 R
* l" l" [$ m& d
Method 10& ~- n' c6 w0 X3 W: c+ D" d
=========# \+ x* O' m3 T+ ]9 }; y
4 I4 I+ [0 @ \2 ?! H=>Disable or clear breakpoints before using this feature. DO NOT trace with
- O* s a H+ H) O0 i SoftICE while the option is enable!!6 a; X" `2 x' x. V
- V) v* p6 n: W9 X- O5 F$ d, ^
This trick is very efficient:
4 P1 B* Z: s+ Z( q- rby checking the Debug Registers, you can detect if SoftICE is loaded
/ `" n, m/ E9 ?9 v ?(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, f1 O0 T2 R8 h: }# m; S
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' I0 T- s0 }9 ivalue (in ring0 only). Values can be manipulated and or changed as well
2 e9 @- F" x& }(clearing BPMs for instance)
- e1 w, r/ H2 \4 w9 P/ A1 B5 b
# {& f6 ]; F: x( M9 S__________________________________________________________________________ `7 g9 g! u: z5 d8 k* ^- q. i X4 j
! ^( {) }- {7 ~) Z2 B sMethod 11
* R* g+ {" [5 t=========
6 t3 N; F: ^% t9 |8 _- \# x: j. K" k# _
This method is most known as 'MeltICE' because it has been freely distributed
! [# V2 ]+ E: W: R; `9 W/ b8 Ivia www.winfiles.com. However it was first used by NuMega people to allow8 w# B: {' @# S
Symbol Loader to check if SoftICE was active or not (the code is located
" D+ ?4 F/ b% M% \3 A4 ginside nmtrans.dll).' ^$ {+ r2 V! H0 m8 N# p% ?$ W
; L! X/ B$ Z9 [2 OThe way it works is very simple:% b1 a" o1 Q# q; e9 ]. Q, E
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: b; w5 w/ d& C9 Z0 ~0 Q u0 [
WinNT) with the CreateFileA API.( w- s: k2 G. _, j0 o
6 N7 ?& v+ U& ~Here is a sample (checking for 'SICE'):
& M8 F# t- l: v% N H$ f
$ w1 E: \+ h3 S7 H! U. B8 c- \- p lBOOL IsSoftIce95Loaded(); n# g' ^% t/ P7 X# ~) E! M
{
7 F1 s; l2 q! X8 o: S HANDLE hFile; - {) R; R. @2 _! o. g
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ n% J5 e: B4 L" |+ J
FILE_SHARE_READ | FILE_SHARE_WRITE,
4 V( _, ~2 Z4 a( Z6 H; p; W) i NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);8 o+ e1 S+ `: t3 T' _' L
if( hFile != INVALID_HANDLE_VALUE )
% ?, E# d! i* z" y {+ C& p, f( }' }6 \% S% M: Z6 M
CloseHandle(hFile);( U3 Y( F- B3 j- O2 a N3 T$ P
return TRUE;
( ^1 G0 T) b* v) k }8 f* K/ ]# r: G5 X+ l1 Q, e8 Y1 e
return FALSE;. g4 W: g, S# y# f$ `
}
" V" [/ O6 y0 K
) a' i0 {& l& A2 XAlthough this trick calls the CreateFileA function, don't even expect to be8 \( w1 V/ e% n5 v* s3 e! f
able to intercept it by installing a IFS hook: it will not work, no way!
, F# H6 J7 ?$ H) [4 K! yIn fact, after the call to CreateFileA it will get through VWIN32 0x001F s$ [) K; P ~9 c. k; @. |6 E
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)! R& g9 d! a$ Z
and then browse the DDB list until it find the VxD and its DDB_Control_Proc7 S9 o3 z1 `- n) o% D T
field.' A+ x4 Y9 m9 }9 G- L; d
In fact, its purpose is not to load/unload VxDs but only to send a 1 C' e2 @' U3 [
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)# O2 Y2 ?9 ?) N6 S" l# E
to the VxD Control_Dispatch proc (how the hell a shareware soft could try, c! K$ ]& C9 y4 x5 D
to load/unload a non-dynamically loadable driver such as SoftICE ;-).( J( B. e# B, q+ ~ W- U9 N
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 N4 I4 B: n9 F0 U- }5 V( S. i. j
its handle to be opened and then, will be detected.
9 @; @% R: G, x- S8 Q: BYou can check that simply by hooking Winice.exe control proc entry point
* @" `1 W) I- O( |while running MeltICE.0 d6 R! {# i- O3 ?
8 W# E' n) \/ `( y3 B T X
' H2 R" U/ V$ y" b7 |" N 00401067: push 00402025 ; \\.\SICE& |1 F& ~3 m2 p8 z4 Q) I
0040106C: call CreateFileA
. F' A. F) C" N 00401071: cmp eax,-001
8 x) e) I( I: C* N! Y 00401074: je 00401091. `3 @; ]# A7 {( l
N5 _! @ o* i6 N h
! T# ~9 k( ~+ w0 R$ y/ NThere could be hundreds of BPX you could use to detect this trick.; B& T/ T8 Z# \5 f" M/ {
-The most classical one is:! O K( J* \" T+ r; D& W
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
! j: g) D1 z" J8 E3 z: X: h *(esp->4+4)=='NTIC'
( h5 j5 v3 i7 @" {
9 g8 \7 f& w! b& I, B-The most exotic ones (could be very slooooow :-(
2 H' q$ O1 ?+ E3 @7 m BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
/ ~$ `. A0 V3 W7 F ;will break 3 times :-(6 A- x4 [0 H6 O$ i7 v: T+ k
9 S: o* |* V5 k3 @1 \5 u& z
-or (a bit) faster:
" f! I& P: p4 m; B BPINT 30 if (*edi=='SICE' || *edi=='SIWV')& X. D A K6 T; K1 x3 O
: Y1 y% h( J$ W- d9 k2 }& p; _
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 4 e( V. H. v+ f9 ]3 A
;will break 3 times :-(
- v6 z% H9 t( S5 L( g! @2 U: u! U' r
-Much faster:( y5 B$ i3 ~' H1 @
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
7 Z9 N* p3 q6 x4 W& V5 F( e% U
& D6 N; u7 V+ M% m! M6 uNote also that some programs (like AZPR3.00) use de old 16-bit _lopen: Q! A, A- M# S' j5 C" @
function to do the same job:
- m. ^/ b5 x" g& k: w
% ]3 I# i. t) q8 N push 00 ; OF_READ5 K+ [( `' R8 N1 Q" j& V
mov eax,[00656634] ; '\\.\SICE',0
# h- N. a- R7 n9 U- R push eax
) u+ @/ P2 h8 L2 @# B3 {# n; F call KERNEL32!_lopen
+ ] x/ b% a$ ~ J; B5 f inc eax
3 `2 t3 G9 h7 Z% G) X, M# b. n jnz 00650589 ; detected, ?, |) z, V2 O3 u" b2 X
push 00 ; OF_READ
6 ]3 u3 a3 K L- l; E mov eax,[00656638] ; '\\.\SICE'# m) G* T- h0 a6 w0 B
push eax1 J% i# I' ~0 F4 V
call KERNEL32!_lopen
. v2 T9 X! Z% d. g. @( ~0 ]) ? inc eax
7 }$ L# \' v3 y. N5 H jz 006505ae ; not detected
+ X3 _" i; Z+ r; p! q) t5 i
) ?' l6 L1 I# Z6 D7 w- n) D) H
5 [$ a0 J- }6 d. C/ Y! _% i! g__________________________________________________________________________
4 S# H0 J& f5 A$ p( b5 O: d% p
" @ m6 u+ `6 t6 u/ F1 \7 UMethod 12
- r6 X" C: B/ o! q% `=========
9 V6 h# l8 W6 {, L4 r& K6 I5 T1 s! ~4 W6 T$ n x) U1 ^. ~/ u
This trick is similar to int41h/4fh Debugger installation check (code 055 D% x; B: |% B2 m7 f
& 06) but very limited because it's only available for Win95/98 (not NT)
# Y1 M# b, D% I* `+ _2 s3 G1 i" [9 Vas it uses the VxDCall backdoor. This detection was found in Bleem Demo.- `; O$ g0 R1 E1 n7 R& K0 r
- p% ?; L( p) X7 Z8 [ push 0000004fh ; function 4fh0 w" b- ~# p9 h/ J* `
push 002a002ah ; high word specifies which VxD (VWIN32)2 i5 K5 T: i7 T. b& T4 z
; low word specifies which service& h7 ?+ J2 q' P) ]( g7 n" l9 h: _
(VWIN32_Int41Dispatch)# `. f3 k4 x) c) F; R
call Kernel32!ORD_001 ; VxdCall1 O2 u: n" R- m/ G- k9 I
cmp ax, 0f386h ; magic number returned by system debuggers
/ X$ h# o' ~6 J6 c3 D jz SoftICE_detected. Q( }; d/ ^; @' e
7 V+ ~, L8 z! |Here again, several ways to detect it:* L9 K. e2 u- H0 ?' m1 B
& b/ u+ D B, ^ e4 ^% f# K
BPINT 41 if ax==4f/ T# s( x3 Y1 D1 T* O
- N, E$ Y+ ^" g) U9 w" \ BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
) R0 t% e( V5 M7 {
) b" Y) ` H! P! x' o6 S! e BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
; p+ g) z' r, y% J7 c4 w6 A
; q- f0 h4 t% e# U p* x BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
- K" S+ H) b( C. X2 {5 a( u( o) c4 `0 l5 y
__________________________________________________________________________
/ }) U8 m% Q+ K) i/ y% ?, W! h8 W( i% j7 l6 [! T8 f8 A
Method 13. X+ p t M) c8 V
=========# F9 Z7 ?5 @7 P5 }* k' U
) }. b: o! k" Y7 O" ?6 W6 s
Not a real method of detection, but a good way to know if SoftICE is
4 t2 X3 ?% ` ?8 _! qinstalled on a computer and to locate its installation directory.- S) F) h& `* v! ]: h! S' c
It is used by few softs which access the following registry keys (usually #2) :# j( j# Z1 R, Q6 i
1 {$ _* W Y0 e. a1 X2 f- M
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ o8 [5 J& n$ i2 r
\Uninstall\SoftICE
9 |& V( x% k% F$ ~( g& M" b% c9 W4 J-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 k4 {$ F$ b' _; A0 D: O7 _2 k1 O6 e-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* p$ W8 o" n7 q. X. w- u\App Paths\Loader32.Exe
2 N3 G0 E; T x5 N, F4 I( H5 N1 M! I
8 E( ]/ Q) a5 |- T8 {
Note that some nasty apps could then erase all files from SoftICE directory
% U8 g' p* G% m' Z( B" e* Y(I faced that once :-(9 K) {/ w- F9 a, u+ o* L
; H' _) V8 }; Y: t
Useful breakpoint to detect it:% }) n/ t. }3 g/ t0 M5 J3 F, ~
& I+ a6 v& e. A- s* U/ } ? BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'0 N1 ^0 R' g5 B3 u
* ?7 m+ U5 I( Q0 t4 }
__________________________________________________________________________+ H& w* a7 u7 W2 p: e' b8 F
$ t; @: j! H; @/ {9 i
% { H* ]" D; S; D; c r5 @
Method 14 8 ^6 o( Y# Z9 u* d$ F+ {0 \& {- B4 r
=========- p+ g' m+ }7 f; ] b. q! i
2 j" a9 I% i: Q O
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose3 z1 ]1 \' `$ g# B/ t7 U5 P
is to determines whether a debugger is running on your system (ring0 only).8 _8 e, Y0 M" a) H v1 D9 o& F
0 D$ m: k4 O2 P" y0 m+ l VMMCall Test_Debug_Installed6 F* l$ ^ F l5 v8 D; l
je not_installed! A* f3 s6 A+ h0 f
, }6 E# G( e0 E: q* T, KThis service just checks a flag.
# a% @& y8 _' p: _5 g. Y+ O</PRE></TD></TR></TBODY></TABLE> |