<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI is 0:0 when the VxD is not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es must point to segment 0 (the IVT), as in Method 06
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer port
    xor cx, cx
    int 41h                 ; our handler copies al into cl if it is reached
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; if SoftICE intercepts int 41h itself, cl stays 0
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
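As an added example (not part of the original document), here is a small Python scanner that looks for the byte sequences and strings used by the methods above, the kind of signature check an analyst runs when triaging a binary for anti-SoftICE tricks. The opcode encodings are standard x86 (16-bit code for the DOS tricks, optional 66h prefix for 32-bit code); the rule names, the coverage of each rule and the sample buffer are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Byte patterns for the anti-SoftICE tricks described above (assumed encodings).
RULES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "m01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h followed closely by mov di,4A4Dh (back door magic)
    "m02_backdoor_magic_si_di": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "m03_int2f_1684_vxd_id": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ... int 41h
    "m05_int41_4f": rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names passed to CreateFileA / _lopen
    "m11_meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "m12_vxdcall_int41_4f": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key probed to locate the installation
    "m13_registry_numega": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in RULES.items()}


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, rule name) for every rule hit in buf, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the sequences above embedded between NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 (32-bit)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # method 03, SICE id
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # method 12
    + b"\\\\.\\SICE\x00"                                           # method 11 device name
    + b"\x90" * 4
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

Short opcode patterns like these are indicators, not proof: confirm a hit by disassembling around the offset, since the same bytes can occur in data or unrelated code.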