<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE answers: with
EBP = 'BCHK' and AX = 4, the int 3 is taken by SoftICE, which changes AL,
so if AL still holds 4 afterwards no SoftICE is loaded.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API: get VxD entry point). ES:DI is zeroed first; if the VxD is present
the call fills ES:DI with its API entry point, so a non-zero result means
SoftICE is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program swaps its own int 41h handler
(a bare iret) into the vector table around the call, so the DOS vector
cannot answer; AX only comes back as 0F386h if something underneath the
vector table, such as SoftICE, intercepts int 41h:

    mov bx, cs              ; (ES must point to segment 0, the IVT, as in Method 06)
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect. The
installed handler copies AL (a byte just read from the timer port, so not
predictable) into CL; CX is zeroed before the call and CL is compared with
AL afterwards, so a debugger that swallows int 41h itself, and therefore
never lets the handler run, is revealed:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
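
Added example, not part of the original text nor of any program it quotes:
a small Python linear-sweep profiler that decodes the handful of 16-bit
instructions used in Methods 01 to 05, 07 and 08, tracks the immediate values
loaded into the registers, and reports every INT whose register context
matches one of those checks (the BCHK probe and the back door on int 3,
int 2Fh/1684h with the SICE/SIWVID IDs, int 41h/4Fh, int 68h/43h and
int 21h/25h on vectors 01h/03h). Method 06 is outside its reach because that
variant never passes a function number. The sample bytes are hand-assembled
here from the snippets above; the method labels, the register names and the
"forget everything on an unknown opcode" policy are my own choices, and as a
linear sweep over a tiny subset of the instruction set it is meant to be run
over code regions, not whole files.

```python
"""Linear-sweep profiler for 16-bit x86 code: tracks immediate register loads and
reports every INT whose register context matches one of the interrupt-based
SoftICE checks of Methods 01-05, 07 and 08.  Added example, not the text's code."""

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",      # INT 3 back door
            0x0912: "get breakpoint info", 0x0913: "set breakpoint",   # functions (Method 02)
            0x0914: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}                         # int 2Fh/1684h (03/04)
# opcodes decoded only for their length: ModRM forms that may write the reg-field
# register, ModRM forms that only read, and fixed-length ones seen in the snippets
MODRM_WRITES = {0x03, 0x87, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E}
MODRM_READS = {0x39, 0x3B, 0x85}
FIXED_LEN = {0x3C: 2, 0x3D: 3, 0x72: 2, 0x74: 2, 0x75: 2, 0x90: 1, 0xCF: 1, 0xEB: 2}

def modrm_len(modrm):
    """Bytes used by a ModRM byte plus its displacement (16-bit addressing)."""
    mod, rm = modrm >> 6, modrm & 7
    return (3 if rm == 6 else 1) if mod == 0 else {1: 2, 2: 3, 3: 1}[mod]

def byte_of(regs, name):
    """AL/AH-style view of a tracked 16-bit register, or None if unknown."""
    idx = REG8.index(name)
    parent = regs.get(REG16[idx & 3])
    return None if parent is None else (parent & 0xFF if idx < 4 else parent >> 8)

def classify(vector, regs):
    """(method, detail) when this INT matches a known SoftICE check, else None."""
    ax, ah, al = regs.get("ax"), byte_of(regs, "ah"), byte_of(regs, "al")
    if vector == 0x03 and ax == 0x0004 and regs.get("ebp") == 0x4243484B:
        return ("01", "BoundsChecker 'BCHK' signature probe")
    if vector == 0x03 and regs.get("si") == 0x4647 and regs.get("di") == 0x4A4D:
        shown = "%04X" % ax if ax is not None else "?"
        return ("02", "back door AX=%s (%s)" % (shown, BACKDOOR.get(ax, "unknown function")))
    if vector == 0x2F and ax == 0x1684 and regs.get("bx") in VXD_IDS:
        return ("03/04", "VxD entry-point probe for " + VXD_IDS[regs["bx"]])
    if vector == 0x41 and ax == 0x4F:
        return ("05", "debugger installation check, expects AX=F386h back")
    if vector == 0x68 and ah == 0x43:
        return ("07", "WinICE V86 handler check, expects AX=F386h back")
    if vector == 0x21 and ah == 0x25 and al in (0x01, 0x03):
        return ("08", "int 21h/25h re-vectors INT %02Xh" % al)
    return None

def profile(code, base=0):
    """Sweep `code` once and return [(offset, vector, method, detail), ...]."""
    regs, hits, i = {}, [], 0
    while i < len(code):
        op = code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if op == 0x66 and nxt is not None and 0xB8 <= nxt <= 0xBF and i + 5 < len(code):
            r = REG16[nxt - 0xB8]                                   # mov r32, imm32
            regs["e" + r] = int.from_bytes(code[i + 2:i + 6], "little")
            regs[r] = regs["e" + r] & 0xFFFF
            i += 6
        elif 0xB8 <= op <= 0xBF and i + 2 < len(code):              # mov r16, imm16
            r = REG16[op - 0xB8]
            regs[r] = int.from_bytes(code[i + 1:i + 3], "little")
            regs.pop("e" + r, None)
            i += 3
        elif 0xB0 <= op <= 0xB7 and nxt is not None:                # mov r8, imm8
            parent = REG16[(op - 0xB0) & 3]                         # al/ah -> ax, ...
            cur = regs.get(parent) or 0
            regs[parent] = (cur & 0xFF00) | nxt if op < 0xB4 else (cur & 0x00FF) | (nxt << 8)
            i += 2
        elif op in (0x31, 0x33) and nxt is not None and nxt >= 0xC0:  # xor r16, r16
            reg, rm = (nxt >> 3) & 7, nxt & 7
            regs[REG16[reg if op == 0x33 else rm]] = 0 if reg == rm else None
            i += 2
        elif op == 0x83 and nxt is not None:                        # add/sub/cmp... r/m16, imm8
            if nxt >= 0xC0 and (nxt >> 3) & 7 != 7:                 # register form, not cmp
                regs[REG16[nxt & 7]] = None
            i += 2 + modrm_len(nxt)
        elif op in MODRM_WRITES and nxt is not None:
            regs[REG16[(nxt >> 3) & 7]] = None                      # conservatively forget it
            i += 1 + modrm_len(nxt)
        elif op in MODRM_READS and nxt is not None:
            i += 1 + modrm_len(nxt)
        elif op in FIXED_LEN:
            i += FIXED_LEN[op]
        elif op == 0xCC or (op == 0xCD and nxt is not None):        # int 3 / int imm8
            vector = 3 if op == 0xCC else nxt
            hit = classify(vector, regs)
            if hit:
                hits.append((base + i, vector) + hit)
            i += 1 if op == 0xCC else 2
        else:                                                       # unknown: forget state
            regs.clear()
            i += 1
    return hits

# constructed sample, hand-assembled from the snippets of Methods 01-03, 05, 07 and 08
SAMPLE = bytes.fromhex(
    "66 BD 4B 48 43 42  B8 04 00  CC  3C 04  75 02 "      # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    "B8 11 09  8B 17  BE 47 46  BF 4D 4A  CC  83 C3 02 "  # mov ax,911h; mov dx,[bx]; si/di magic; int 3; add bx,2
    "33 FF  8E C7  B8 84 16  BB 02 02  CD 2F  8C C0 "     # xor di,di; mov es,di; ax=1684h; bx=202h; int 2Fh
    "B8 4F 00  CD 41  3D 86 F3  74 0C "                   # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    "B4 43  CD 68 "                                       # mov ah,43h; int 68h
    "B4 25  B0 03  BA 00 01  CD 21 ")                     # mov ah,25h; mov al,3; mov dx,...; int 21h

if __name__ == "__main__":
    for offset, vector, method, detail in profile(SAMPLE):
        print("%04X: int %02Xh -> Method %s: %s" % (offset, vector, method, detail))
```

Run over the constructed sample it reports six interrupts, one per method,
with the back-door function name resolved for the int 3 of Method 02; an INT
reached with unknown registers is never reported, which keeps the sweep quiet
on ordinary DOS code that merely calls int 21h.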

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
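
Added example, not from the original text: a Python decoder for the DR7
layout this method relies on (the L/G enable bits of dr0-dr3 in bits 0-7,
LE/GE in bits 8-9, the always-set bit 10, GD in bit 13, and the R/W and LEN
fields from bit 16 upwards), plus the inverse encoder for one breakpoint.
Feeding it the two values quoted above shows what they carry: 0x700 has LE
and GE set and no breakpoint enabled, 0x400 is just the reserved bit. The GD
flag is worth watching when reading DR7 at all: with it set, any MOV to or
from a debug register raises #DB. The field names and the sample value
0x000D0003 (a 4-byte write breakpoint in slot 0) are my own.

```python
"""Decode the x86 DR7 debug-control register into the hardware breakpoints it
enables, and build DR7 bits for one breakpoint.  Added example, not the text's."""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field (io needs CR4.DE)
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}                              # LENn field (8 only on 64-bit CPUs)

def decode_dr7(dr7):
    """Enable flags and the list of active breakpoint slots described by DR7."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)            # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)         # Gn: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: bits 16-17, 20-21, ...
            ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: bits 18-19, 22-23, ...
            bps.append({"slot": n, "local": local, "global": glob,
                        "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
            "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
            "gd": bool((dr7 >> 13) & 1),              # general detect (traps MOV to/from DRn)
            "breakpoints": bps}

def encode_breakpoint(slot, kind, length, global_=True):
    """DR7 value enabling one breakpoint in `slot`; bit 10 is kept set as the CPU reads it."""
    if kind == "execute" and length != 1:
        raise ValueError("execute breakpoints must have length 1")
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if global_ else 0))
    return enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot)) | (1 << 10)

def describe(dr7):
    """One-line summary, e.g. for the two values quoted for Method 10."""
    d = decode_dr7(dr7)
    flags = [f for f in ("le", "ge", "gd") if d[f]]
    bps = ["dr%d:%s/%d%s" % (b["slot"], b["kind"], b["length"], "G" if b["global"] else "L")
           for b in d["breakpoints"]]
    return "DR7=%08X flags=%s breakpoints=%s" % (dr7, ",".join(flags) or "-", ",".join(bps) or "none")

if __name__ == "__main__":
    for value in (0x700, 0x400, 0x000D0003, encode_breakpoint(2, "read/write", 2)):
        print(describe(value))
```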

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the SICE device succeeds only when the VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
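
Added example, not part of the original text: a Python scanner for the
user-mode artefacts of Methods 11, 12 and 13 in a raw binary blob: the
\\.\SICE, \\.\SIWVID and \\.\NTICE device names that CreateFileA/_lopen
open, the push 4Fh / push 002A002Ah / call sequence of the VxDCall int 41h
check, and the registry paths listed above. It goes slightly beyond the page
by also matching the names as UTF-16LE strings (the wide-API form) and by
accepting both the imm8 and imm32 push encodings; the blob it scans is
constructed inline and the finding kinds are my own labels.

```python
"""Scan a raw binary blob for the user-mode SoftICE checks of Methods 11-13: the
device names opened via CreateFileA/_lopen, the VWIN32 VxDCall int 41h/4Fh
sequence and the registry paths of a SoftICE installation.  Added example."""
import re

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]            # Method 11
REGISTRY_PATHS = [r"Software\NuMega\SoftICE",                         # Method 13
                  r"CurrentVersion\Uninstall\SoftICE",
                  r"CurrentVersion\App Paths\Loader32.Exe"]
# Method 12: push 4Fh ; push 002A002Ah ; call <VxDCall>, with either push-imm8
# (6A 4F) or push-imm32 (68 4F 00 00 00) and either a rel32 or an indirect call
VXDCALL_INT41 = re.compile(
    rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00(?:\xe8|\xff\x15).{4}",
    re.DOTALL)

def string_patterns():
    """(kind, text, regex) for every literal, in ANSI and UTF-16LE form."""
    out = []
    for kind, texts in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for text in texts:
            ansi = re.escape(text.encode("ascii"))
            wide = re.escape(text.encode("utf-16-le"))
            out.append((kind, text, re.compile(ansi, re.IGNORECASE)))
            out.append((kind + "-wide", text, re.compile(wide, re.IGNORECASE)))
    return out

def scan(blob):
    """Return sorted [(offset, kind, detail), ...] for every artefact found."""
    findings = []
    for kind, text, rx in string_patterns():
        findings += [(m.start(), kind, text) for m in rx.finditer(blob)]
    findings += [(m.start(), "vxdcall-int41", "push 4Fh / push 002A002Ah / call")
                 for m in VXDCALL_INT41.finditer(blob)]
    return sorted(findings)

# constructed blob: padding, an ANSI device name, a wide device name, a registry
# path and a hand-assembled Method 12 sequence followed by its cmp ax,0F386h / jz
SAMPLE = (b"\x00" * 16
          + b"\\\\.\\SICE\x00"
          + "\\\\.\\NTICE\x00".encode("utf-16-le")
          + b"Software\\NuMega\\SoftICE\x00"
          + bytes.fromhex("6A 4F 68 2A 00 2A 00 E8 10 00 00 00 66 3D 86 F3 74 05"))

if __name__ == "__main__":
    for offset, kind, detail in scan(SAMPLE):
        print("%08X  %-14s %s" % (offset, kind, detail))
```

The string matches are case-insensitive because the Win9x device and
registry namespaces are; the VxDCall pattern is anchored on the two pushed
immediates so it does not fire on an unrelated push of 4Fh.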
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>