<TABLE width=500>
" G% X% j! Z y% C1 o" L<TBODY># o! J( }( S# u# Z0 Z. Y, @. a
<TR>. g/ `0 U. `- C% Y+ S C+ Y
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; Repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________
# O" K7 Y" f$ G& U7 k+ c/ HMethod 04
* D; E# H) e! I' S8 R=========$ _( S5 M7 ^3 h v& L
; g1 L7 v7 }) x2 p
Method identical to the preceding one except that it seeks the ID of SoftICE
0 o- A! e- B S2 c2 ^/ SGFX VxD.
' e/ {8 [: p1 Y& A3 K$ L
6 z. W8 _6 Q3 ]9 V( {- U xor di,di
}3 K& k0 l/ P/ ]8 p mov es,di
. }' ?, q$ C9 C mov ax, 1684h ( s* M# _% |' _ d' b7 M- x
mov bx, 7a5Fh ; VxD ID of SIWVID7 _/ B4 [' M* ~4 Q- G
int 2fh
! Q$ F- N& ?7 F! v& T mov ax, es ; ES:DI -> VxD API entry point
?+ a% F& G# s/ n9 `" U7 O add ax, di
/ y; _9 c! Y, }" h1 z) ` a test ax,ax
) f( L2 ^ K& N5 L# J jnz SoftICE_Detected, I. O/ w. }1 W& N' u1 t; Q
( J: B" T' K0 B, l) p; V, q b__________________________________________________________________________7 l" l/ |( i) G9 P4 N* V


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise), or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
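To show what such a check actually sees, here is a decoder for the DR7 bits behind the two values quoted above (example code added here; it is not from the original text, from SoftICE or from any loader). Bit 10 of DR7 is reserved and reads as 1, so 0x400 is simply the architectural reset value, while 0x700 additionally has LE (bit 8) and GE (bit 9) set, the exact-breakpoint enables a debugger turns on. The bit layout follows the Intel SDM description of DR7; the dr0..dr3 addresses and the DR7 values fed to it below are constructed.

```python
# DR7 bit layout (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0-7 : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit 8    : LE  (local exact breakpoint enable)
#   bit 9    : GE  (global exact breakpoint enable)
#   bit 10   : reserved, reads as 1 -> a pristine DR7 is 0x400, as the text says
#   bit 13   : GD  (general detect: any MOV to/from a debug register raises #DB)
#   bits 16+ : R/W0,LEN0 ... R/W3,LEN3, two bits each: condition and size per breakpoint
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its control flags and the list of enabled breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"index": i, "local": bool(local), "global": bool(glob),
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "breakpoints": bps}


def debugger_footprint(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Return, as plain strings, what a Method 10 style read of DR7/DR0..DR3 would observe.

    dr0_3 holds the four linear addresses from DR0..DR3 (constructed values in the test)."""
    d = decode_dr7(dr7)
    notes = []
    if d["le"] or d["ge"]:
        notes.append("LE/GE set: exact-breakpoint mode enabled by a debugger")
    for bp in d["breakpoints"]:
        addr = dr0_3[bp["index"]]
        notes.append(f"hardware breakpoint DR{bp['index']} at {addr:08X}h: "
                     f"{bp['kind']}, {bp['length']} byte(s)")
    if d["gd"]:
        notes.append("GD set: reads of the debug registers themselves are trapped")
    return notes


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(f"dr7={value:#x}: {debugger_footprint(value) or ['nothing unusual']}")
    # constructed: one 4-byte read/write BPM on DR0 at 00401000h
    print(debugger_footprint(0x400 | 0x1 | (3 << 16) | (3 << 18), (0x401000, 0, 0, 0)))
```

The GD line is the defensive half of the story: when bit 13 is set, the MOV from DR7 that this trick relies on raises #DB before it completes, which is how a monitor can notice that a program is inspecting the debug registers at all.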

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* \\.\SICE is the device name of the SoftICE VxD under Win9x */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025          ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
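The byte patterns and strings that methods 01 to 07 and 11 to 13 leave behind are easy to scan for statically, which is the quickest way to triage a packed sample for these checks before stepping through it. The scanner below is an added example, not code from the original text or from any tool it names: the opcode encodings are assumed (16-bit operand size for the DOS/Win9x-era sequences, 32-bit for Method 01 and Method 12), the instruction order is assumed to match the listings above, and SAMPLE_IMAGE is a constructed buffer rather than a real program. The VxD and service names the decoder knows are only those the text itself mentions.

```python
import re

# Opcode signatures for the sequences listed on this page. Encodings assumed:
# mov ax,imm16 = B8 iw, mov bx,imm16 = BB iw, mov si,imm16 = BE iw, mov di,imm16 = BF iw,
# mov ah,imm8 = B4 ib, cmp ax,imm16 = 3D iw, int n = CD n, push imm8/imm32 = 6A ib / 68 id,
# mov ebp,imm32 = BD id. The ".{0,N}?" gaps tolerate a few unrelated bytes between
# the interesting instructions, in the order the listings above use.
OPCODE_SIGNATURES = [
    ("M01 mov ebp,'BCHK'",                      rb"\xBD\x4B\x48\x43\x42"),
    ("M02 backdoor function 0910h-0914h",       rb"\xB8[\x10-\x14]\x09"),
    ("M02 SI=4647h/DI=4A4Dh backdoor magic",    rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",   rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("M05/06 int 41h function 4Fh",             rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("M07 int 68h function 43h",                rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M05/07/12 cmp ax,0F386h",                 rb"\x3D\x86\xF3"),
    ("M12 VxDCall VWIN32_Int41Dispatch (002A002Ah, 4Fh)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

# Plain strings from Method 11 (device names passed to CreateFileA/_lopen)
# and Method 13 (registry keys).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"]
STRING_SIGNATURES = (
    [("M11 device name " + d.decode(), re.escape(d)) for d in DEVICE_NAMES]
    + [("M13 registry key " + k.decode(), re.escape(k)) for k in REGISTRY_KEYS]
)


def scan_for_antisoftice(data: bytes) -> list:
    """Return [(offset, signature_name), ...] sorted by offset for every hit in data."""
    hits = []
    for name, pattern in OPCODE_SIGNATURES + STRING_SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# IDs named on this page only; anything else is reported numerically.
VXD_IDS = {0x002A: "VWIN32", 0x0202: "SICE", 0x7A5F: "SIWVID"}
VWIN32_SERVICES = {0x001F: "_VWIN32_ReleaseWin32Mutex", 0x002A: "VWIN32_Int41Dispatch"}


def decode_vxdcall_service(service_id: int) -> tuple:
    """Split a Kernel32!ORD_0001 (VxDCall) service number into (VxD, service):
    high word = VxD ID, low word = service index, as Method 12 explains."""
    vxd_id, svc = service_id >> 16, service_id & 0xFFFF
    vxd = VXD_IDS.get(vxd_id, f"VxD {vxd_id:04X}h")
    names = VWIN32_SERVICES if vxd_id == 0x002A else {}
    return vxd, names.get(svc, f"service {svc:04X}h")


# Constructed test image: a few of the sequences above, padded with NOPs and a string table.
SAMPLE_IMAGE = (
    b"\x90" * 4                                    # 0000: padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"  # 0004: Method 01 (mov ebp,'BCHK'; mov ax,4; int 3)
    + b"\x90" * 3                                  # 000E: padding
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 0011: Method 02 (mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3)
    + b"\x00\x00"                                  # 001B: padding
    + b"\\\\.\\SICE\x00"                           # 001D: MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"             # 0026: Method 13 registry key
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"              # 003E: Method 12 (push 4Fh; push 002A002Ah)
    + b"\xFF\x15\x00\x00\x00\x00"                  # 0045: call [imm32], stands in for Kernel32!ORD_0001
    + b"\x66\x3D\x86\xF3"                          # 004B: cmp ax,0F386h
)

if __name__ == "__main__":
    for off, name in scan_for_antisoftice(SAMPLE_IMAGE):
        print(f"{off:06X}  {name}")
    print(decode_vxdcall_service(0x002A002A))
```

Hits are triage hints, not proof: a three-byte sequence such as cmp ax,0F386h will also occur by chance in data, so each reported offset is worth confirming in a disassembler before concluding that a sample carries one of these checks.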

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>