<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature handled by SoftICE's int 3: with 'BCHK' in ebp and
ax = 04h, a running SoftICE changes al, which the cmp below notices.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command to execute is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(get VxD API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0 if no VxD answered
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in a dummy int 41h handler
    xchg bx, es:[41h*4+2]   ; (es = 0, the interrupt vector table, as in Method 06)
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but harder to detect:

int41handler PROC
    mov cl, al              ; only reached if our own handler gets the int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 (interrupt vector table)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in the dummy handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; al = an arbitrary value (PIT counter)
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al: our handler never ran, a debugger caught int 41h
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
       BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). The values can be manipulated and/or changed as well
(clearing BPMs, for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the VxD's device name only succeeds if the driver is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; "\\.\SICE"
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


___________________________________________________________________________
Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
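One way to put this catalogue to defensive use, as an added example that is not part of the original text: a small static scanner that flags the byte patterns of Methods 01-07 and 10-13 in a binary, so an analyst can triage a packer or dongle stub before tracing it. The opcode encodings are derived from the listings above and the sample bytes are constructed here.

```python
import re

# Byte patterns (16/32-bit x86, little-endian immediates) derived from the
# listings above; a 66h prefix in 32-bit code still matches because patterns
# are unanchored.  .{0,N}? windows allow a few instructions in between, e.g.
# Stone's xchg of the int 41h vector in Method 05.  Each rule carries a
# describer that is given the first capture group (bytes) or None.
RULES = [
    ("Method 01", rb"\xBD\x4B\x48\x43\x42",
     lambda g: "mov ebp,4243484Bh ('BCHK') BoundsChecker signature"),
    ("Method 02", rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A",
     lambda g: "SI=4647h / DI=4A4Dh int 3 back-door magic values"),
    ("Method 03/04", rb"\xB8\x84\x16.{0,8}?\xBB(\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
     lambda g: "int 2Fh/1684h entry-point query for VxD ID %04Xh" % int.from_bytes(g, "little")),
    ("Method 05", rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3",
     lambda g: "int 41h/4Fh result compared with magic 0F386h"),
    ("Method 06", rb"\xE4\x40\x33\xC9\xCD\x41",
     lambda g: "in al,40h / xor cx,cx / int 41h (Stone's swapped-vector check)"),
    ("Method 07", rb"\xB4\x43.{0,8}?\xCD\x68.{0,16}?\x3D\x86\xF3",
     lambda g: "int 68h/43h result compared with magic 0F386h"),
    ("Method 10", rb"\x0F\x21([\xC0-\xFF])",
     lambda g: "mov r32,dr%d debug-register read (ring 0 only)" % ((g[0] >> 3) & 7)),
    ("Method 11", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
     lambda g: "device name \\\\.\\%s (MeltICE CreateFileA / _lopen check)" % g.decode()),
    ("Method 12", rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
     lambda g: "push 4Fh / push 002A002Ah VWIN32_Int41Dispatch VxDCall"),
    ("Method 13", rb"Software\\NuMega\\SoftICE",
     lambda g: "registry key HKLM\\Software\\NuMega\\SoftICE"),
]

def scan(blob):
    """Return (method, offset, description) hits for every rule, sorted by offset."""
    hits = []
    for method, rx, describe in RULES:
        for m in re.finditer(rx, blob, re.S):
            hits.append((method, m.start(), describe(m.group(1) if m.lastindex else None)))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: the Haspinst.exe loop of Method 02, Method 05's check,
# a MeltICE device string and a dr7 read, as they would sit in a code section.
SAMPLE = (
    b"\xB8\x11\x09\x8B\x17"              # mov ax,0911h / mov dx,[bx]
    b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    b"\x90\x90\x90\x90"                  # padding
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    b"\\\\.\\SICE\x00"                   # '\\.\SICE',0
    b"\x0F\x21\xF8"                      # mov eax,dr7
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for method, off, desc in scan(data):
        print("%-12s @ 0x%06X  %s" % (method, off, desc))
```

These are plain signatures, so expect occasional false positives in data sections (a stray 0F 21 pair, for instance); treat a hit as a place to start tracing, not as proof.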

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>