<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; if SoftICE is loaded it serves the BCHK request and al is no longer 4
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (ES:DI stays 0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 ; es must point to segment 0 (the interrupt vector table), as in Method 06.
 ; Without a debugger the int 41h vector points at the fixed disk parameter
 ; table, not at code, so an iret handler is installed first to keep the call harmless.
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; runs only if nobody intercepted int 41h
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = segment 0 (interrupt vector table)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable value read from the timer chip
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected ; cl != al: our handler never ran, something else owns int 41h

___________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
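Added example, not code from the original text: a static byte-signature scan in C for the instruction sequences of Methods 01 to 05 and 07, the kind of check an analyst runs over a packed binary before single-stepping it. The sample buffer is constructed from the opcodes of the listings above, and the signatures are kept short on purpose so that they match both 16-bit code and 32-bit code with a 66h prefix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry per trick: the bytes of its key instructions. The patterns are
 * kept short so they occur unchanged in 16-bit code and in 32-bit code,
 * where a 66h operand-size prefix precedes the 16-bit register moves. */
typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;

static const uint8_t S_BCHK[]   = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t S_MAGIC[]  = {0xBF,0x4D,0x4A,0xCC};      /* mov di,4A4Dh ; int 3     */
static const uint8_t S_SICE[]   = {0xBB,0x02,0x02,0xCD,0x2F}; /* mov bx,0202h ; int 2Fh   */
static const uint8_t S_SIWVID[] = {0xBB,0x5F,0x7A,0xCD,0x2F}; /* mov bx,7A5Fh ; int 2Fh   */
static const uint8_t S_INT41[]  = {0xB8,0x4F,0x00,0xCD,0x41}; /* mov ax,4Fh ; int 41h     */
static const uint8_t S_INT68[]  = {0xB4,0x43,0xCD,0x68};      /* mov ah,43h ; int 68h     */

static const sig_t SIGS[] = {
    {"01 BoundsChecker 'BCHK' via int 3", S_BCHK,   sizeof S_BCHK},
    {"02 int 3 back door magic values",   S_MAGIC,  sizeof S_MAGIC},
    {"03 int 2Fh/1684h, VxD ID 0202h",    S_SICE,   sizeof S_SICE},
    {"04 int 2Fh/1684h, VxD ID 7A5Fh",    S_SIWVID, sizeof S_SIWVID},
    {"05 int 41h function 4Fh",           S_INT41,  sizeof S_INT41},
    {"07 int 68h function 43h",           S_INT68,  sizeof S_INT68},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Returns a bitmask with bit i set when SIGS[i] occurs anywhere in buf. */
unsigned scan_softice_sigs(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        for (size_t off = 0; off + SIGS[i].len <= len; off++)
            if (memcmp(buf + off, SIGS[i].bytes, SIGS[i].len) == 0) {
                hits |= 1u << i;
                break;
            }
    return hits;
}

/* Constructed sample: the Haspinst.exe loop body from Method 02 (16-bit)
 * followed by the Method 05 check as 32-bit code (note the 66h prefix). */
static const uint8_t SAMPLE[] = {
    0xB8,0x11,0x09,      /* mov ax,0911h        */
    0x8B,0x17,           /* mov dx,[bx]         */
    0xBE,0x47,0x46,      /* mov si,4647h        */
    0xBF,0x4D,0x4A,      /* mov di,4A4Dh        */
    0xCC,                /* int 3               */
    0x83,0xC3,0x02,      /* add bx,2            */
    0x66,0xB8,0x4F,0x00, /* mov ax,4Fh (32-bit) */
    0xCD,0x41,           /* int 41h             */
};

int main(void)
{
    unsigned hits = scan_softice_sigs(SAMPLE, sizeof SAMPLE);
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("Method %s\n", SIGS[i].name);
    return 0;
}
```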

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

 mov ah, 25h ; DOS set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds must hold the segment of New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds when the VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
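Added example, not code from the original text or from MeltICE: portable C implementing the matching behind the Method 11 CreateFileA breakpoint and the Method 13 _regopenkey breakpoint, using the three subkeys listed above as constructed inputs. It also shows that key #3 escapes the fixed-offset condition, and why a substring, case-insensitive match is the safer host-side check.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive compare of n bytes: Win32 device and registry names
 * are case-insensitive, so "\\.\sice" must match as well as "\\.\SICE". */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Method 11: the page's BPX compares the four bytes after "\\.\" with
 * 'SICE', 'SIWV' or 'NTIC'. Returns the driver name matched, or NULL. */
const char *softice_device(const char *path)
{
    static const char *const drv[] = {"SICE", "SIWVID", "NTICE"};
    if (strlen(path) < 8 || strncmp(path, "\\\\.\\", 4) != 0) return NULL;
    for (size_t i = 0; i < 3; i++)
        if (ieq(path + 4, drv[i], 4)) return drv[i];
    return NULL;
}

/* Method 13, exactly as the page's BPX _regopenkey condition tests it:
 * "tICE" at offset 0x13 (key #2) or 0x37 (key #1) of the subkey string.
 * The breakpoint reads memory blindly; here the length is checked first. */
int bpx_regkey_condition(const char *subkey)
{
    size_t n = strlen(subkey);
    return (n >= 0x13 + 4 && memcmp(subkey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(subkey + 0x37, "tICE", 4) == 0);
}

/* Robust form: "SoftICE" anywhere in the subkey, any case. Returns its
 * offset or -1, and catches keys the fixed offsets above would miss. */
long softice_regkey_offset(const char *subkey)
{
    size_t n = strlen(subkey);
    for (size_t i = 0; i + 7 <= n; i++)
        if (ieq(subkey + i, "SoftICE", 7)) return (long)i;
    return -1;
}

int main(void)
{
    /* The three subkeys of Method 13 (constructed strings). */
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (int i = 0; i < 3; i++)
        printf("key #%d: bpx=%d SoftICE@%ld\n", i + 1,
               bpx_regkey_condition(keys[i]), softice_regkey_offset(keys[i]));
    printf("device: %s\n", softice_device("\\\\.\\siwvid"));
    return 0;
}
```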

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>