<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler as int 41h
        xchg bx, es:[41h*4+2]
        in al, 40h              ; hard to predict value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl == al only if our handler was reached
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

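As an added example (not from the original text), here is a decoder for the DR7 values this check reads, so an analyst can see what 0x400 vs 0x700 and a set BPM actually look like. It assumes the documented x86 DR7 bit layout (LE/GE at bits 8/9, the always-set reserved bit 10, per-slot R/W and LEN fields from bit 16); the function and field names are my own.

```python
# Added example, not from the original text: decode the DR7 value Method 10
# reads. Bit layout is the documented x86 one: L0..L3/G0..G3 enables in bits
# 0-7, LE at bit 8, GE at bit 9, reserved bit 10 (reads as 1, hence the
# 0x400 baseline), GD at bit 13, and for breakpoint n a 2-bit R/W field at
# bit 16+4n and a 2-bit LEN field at bit 18+4n.
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots and the global flags in dr7."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if not (local or glob):
            continue
        rw = dr7 >> (16 + 4 * n) & 3
        ln = dr7 >> (18 + 4 * n) & 3
        slots.append({"slot": n, "local": local, "global": glob,
                      "kind": RW_KINDS[rw], "length": LEN_BYTES[ln]})
    return {
        "exact_local": bool(dr7 & 0x100),      # LE
        "exact_global": bool(dr7 & 0x200),     # GE
        "general_detect": bool(dr7 & 0x2000),  # GD
        "breakpoints": slots,
    }


def softice_hint(dr7: int) -> str:
    """Classify a DR7 snapshot the way the Method 10 check does."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "memory breakpoints set (dr0-dr3 in use)"
    if d["exact_local"] and d["exact_global"]:
        return "loaded through SoftICE loader (dr7 == 0x700)"
    return "no debugger signs in dr7"


def set_bpm(dr7: int, slot: int, kind: str, length: int) -> int:
    """Return dr7 with a local breakpoint of the given kind/length in slot:
    this is what a BPM (memory breakpoint) leaves behind for the check to see."""
    rw = {v: k for k, v in RW_KINDS.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0b11 << (2 * slot)) & ~(0b1111 << (16 + 4 * slot))  # clear slot
    return (dr7 | 1 << (2 * slot) | rw << (16 + 4 * slot)
            | ln << (18 + 4 * slot))


if __name__ == "__main__":
    for v in (0x400, 0x700, set_bpm(0x700, 1, "write", 4)):
        print(f"dr7={v:#x}: {softice_hint(v)}  {decode_dr7(v)['breakpoints']}")
```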
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Opening the VxD by its device name only succeeds when it is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

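The breakpoints listed for each method only fire while the program runs under SoftICE. As an added example (not from the original text), here is a static scanner that looks for the byte sequences of the checks described in Methods 01 to 07, 11, 12 and 13 in a file image, so the tricks can be spotted before tracing. The opcode encodings are standard x86 and I derived them from the listings above; the signature names and the sample buffer are my own construction.

```python
import re

# Added example, not from the original text: a static scanner for the byte
# sequences of the SoftICE checks described in Methods 01-07, 11-13 above.
# Encodings are standard x86 (16-bit for the DOS/V86 methods, 32-bit for
# Methods 01 and 12); in a pattern '.' is a wildcard byte.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75",
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values, either order
    "M02 back-door magic SI=4647h DI=4A4Dh":
        rb"\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "M03 int 2Fh/1684h VxD id 0202h (SICE)": rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f",
    "M04 int 2Fh/1684h VxD id 7A5Fh (SIWVID)": rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "M05 int 41h/4Fh magic 0F386h": rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "M07 int 68h/43h magic 0F386h": rb"\xb4\x43\xcd\x68\x3d\x86\xf3",
    # Method 12: push 4Fh / push 2A002Ah / call (5-6 bytes) / cmp ax,0F386h
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00.{5,6}\x66\x3d\x86\xf3",
    # Methods 11/13: driver names given to CreateFileA/_lopen, registry key
    "M11 driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "M13 registry key": re.escape(rb"Software\NuMega\SoftICE"),
}
COMPILED = [(name, re.compile(p, re.DOTALL)) for name, p in SIGNATURES.items()]


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not taken from any real binary): a Method 01
# check, NOP filler, a Method 05 check, the '\\.\SICE' string, a Method 12 call.
SAMPLE = (
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"
    + b"\x00" + rb"\\.\SICE" + b"\x00"
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xff\x15\x00\x10\x40\x00\x66\x3d\x86\xf3"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run it on a real file with scan(open(path, "rb").read()); a hit only says the byte sequence is present, so confirm it with the matching BPX from the method's section.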
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>