<TABLE width=500>/ r; z+ f* {: \0 T
<TBODY>
8 x6 D0 W5 ?( T' f" X/ O( y<TR>( B7 m7 w; `; T* d
<TD><PRE>Method 01 0 e( Q5 V' j0 I/ {" n( d; b
=========
8 h3 V+ _+ e1 k7 [
' E: m, P6 q2 {& S0 U h+ `This method of detection of SoftICE (as well as the following one) is- ~& m' u2 X$ ?- e+ m
used by the majority of packers/encryptors found on Internet.
% ~8 K" E5 ~8 o, J- _9 lIt seeks the signature of BoundsChecker in SoftICE
% c L4 }% Z/ u- |) _' a! ^% ]
1 B! n5 ~# S5 P9 q* q7 } mov ebp, 04243484Bh ; 'BCHK'- r7 G2 G0 }# x5 K
mov ax, 04h
8 O* S; q% M3 C" N int 3 ' T/ D- d: O3 c) f0 V- {
cmp al,4
7 j$ D9 `- }) M1 S1 I jnz SoftICE_Detected: s' }* K$ b" N- h8 a6 T; H4 Z
8 s" }" ?$ u7 P2 |! q
___________________________________________________________________________/ X3 ]& [/ d3 I8 z& E7 x
6 D! X+ x6 a" c: a+ q; ~Method 02
; C, `6 _% N! d. O) `! [=========
$ E$ g4 w% H: E0 x6 s6 l; A, B/ E) j+ U* K3 P8 d2 g
Still a method very much used (perhaps the most frequent one). It is used
}7 p- }1 d3 W* tto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- \% D5 ]3 q0 a' a; ~: j/ aor execute SoftICE commands...3 i4 t' r, E+ S M+ T" e% Q
It is also used to crash SoftICE and to force it to execute any commands
- {, ?7 ?: u5 Q0 a3 ?0 B(HBOOT...) :-((
# d( x! Q# P# J" A8 H
6 n a1 {3 {( jHere is a quick description:1 X0 Q* i% J" x a9 v# M
-AX = 0910h (Display string in SIce windows): l; s: v9 b- j
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
$ x9 s: \( t9 E/ r& E* j-AX = 0912h (Get breakpoint infos)
2 y0 S L# |9 C, d2 S: T-AX = 0913h (Set Sice breakpoints)
) Y+ W4 c; A' G-AX = 0914h (Remove SIce breakoints)
/ w2 ^9 x- e" t5 h" `) b7 o( e4 h! [6 C) c$ G# N) A
Each time you'll meet this trick, you'll see:
* o O; {4 u5 @! w8 b/ c-SI = 4647h6 i! F: s$ f- ~+ g
-DI = 4A4Dh3 f5 _7 l( H. D! h3 x/ c
Which are the 'magic values' used by SoftIce.
! N! B9 i' q: L! k% JFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.* a5 I" q/ Q. s5 F
8 c. _" W) m0 j$ m0 o. B
Here is one example from the file "Haspinst.exe" which is the dongle HASP
( V* |/ C- C5 n& S, g4 ?Envelope utility use to protect DOS applications:' b+ G2 _( l5 l
" E+ V7 ~0 x) O) K0 I$ u9 O8 t: f& J4 Z! a6 C3 o# H
4C19:0095 MOV AX,0911 ; execute command.
- V/ ~" @0 X1 M+ }; s4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
. E/ U/ d+ A1 ^5 E2 O+ y4C19:009A MOV SI,4647 ; 1st magic value.
, T/ Y' w9 _0 u+ Z; d5 v& }4C19:009D MOV DI,4A4D ; 2nd magic value.7 a' i) x- I# v' f% e- q
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*): i; A' K6 X0 H" G/ i" M- g
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
# M* }8 `2 J% F* W! T8 K& M4C19:00A4 INC CX6 f% C# I# N% Q$ }4 V: x
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute" N( h% Z$ E" n+ q3 e7 d! I" z; U
4C19:00A8 JB 0095 ; 6 different commands.
! m& t( }& j+ h, p7 m5 |+ q/ ~4C19:00AA JMP 0002 ; Bad_Guy jmp back.
2 a4 V( I$ ` O+ \/ e4C19:00AD MOV BX,SP ; Good_Guy go ahead :)1 [8 A/ P7 Z; s q" Q
1 m7 a# T. B1 ?6 C7 N7 X: NThe program will execute 6 different SIce commands located at ds:dx, which' s/ @8 ]* l, U1 N# a
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
% w" \; }' B# ^
6 n. X8 G* i) v- g2 |2 z* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.1 W7 b" ^! |& T; ]
___________________________________________________________________________. C& ?; E Y$ H8 A' ~8 {* F! h! a
2 p% n2 F$ z8 i- L" }* y% w. h6 p- v Z
* ^2 t; [% R9 L& }
Method 03
/ Q$ P1 M% _; U/ k/ H1 C=========
( M0 x: ^6 d" n! ~4 P" Q- }6 y0 ?$ S! H
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h* j, M- K: @- }2 j4 j5 c2 i6 ^4 N0 n
(API Get entry point)
8 P# o1 w' T# ~3 f9 V! @+ z0 w
: \$ E5 H: @( H$ W# s8 H4 f2 P7 A a$ i# `8 I s
xor di,di
6 B6 @) n1 B3 l/ C mov es,di, B% X6 l8 W$ Y4 ~& f
mov ax, 1684h
1 M9 F% ?) L$ ~$ t7 e mov bx, 0202h ; VxD ID of winice
+ ?. ] C _; Y0 v3 L int 2Fh: ~9 W* S6 k5 X- E( f) p
mov ax, es ; ES:DI -> VxD API entry point! L2 z: ~2 K; l0 M7 u8 ~% s5 ^
add ax, di
! }) y y( n5 n* Z0 L& w test ax,ax
0 V1 d( Y$ \+ X G jnz SoftICE_Detected
2 K* n- U0 ]. ~/ c2 V- G: d. b L) f8 d3 B2 C5 \2 J4 u
___________________________________________________________________________
6 ~, g2 C8 G% l- s7 j$ S& k2 p3 H1 a' t* N! \/ K/ u
Method 04 N$ o; s, P; r' W: w1 S
=========
! x- P" t1 J# k) s: F i: v* b4 H9 _' Z) h& F/ a9 m+ Q. `
Method identical to the preceding one except that it seeks the ID of SoftICE
# e# N# L4 _. n. j# E PGFX VxD./ A$ J3 c5 {, Y) X- D
' K" P% M& Y6 e5 P F xor di,di' y/ b5 l: ^: j! Y4 e, b
mov es,di
2 K3 Q% S5 `) C: f mov ax, 1684h
Z$ G, [ J& c5 G9 `$ Z mov bx, 7a5Fh ; VxD ID of SIWVID# }2 }7 b0 O! b
int 2fh
/ C% Z" S2 w M7 K4 _ mov ax, es ; ES:DI -> VxD API entry point
7 Y- s1 F3 }4 y; I4 L/ M5 h3 n add ax, di
1 N- n! e- r$ i) g test ax,ax4 k0 r' P1 J0 Q5 `: _4 P9 i/ z
jnz SoftICE_Detected9 I% t; |/ Z: p5 e6 u
% |1 i( E7 R5 J2 S. u- g
__________________________________________________________________________6 D& I8 Q! s' b V! _' s
0 H3 a. z) X" ?# M5 H- X+ w, i9 T# s4 W/ u+ h/ K
Method 05. C9 |, I' u: R; U# R7 d
=========% r( e, e! b w( P
- o4 }1 ?2 L1 T2 b- UMethod seeking the 'magic number' 0F386h returned (in ax) by all system
8 l r8 L; Q/ Tdebugger. It calls the int 41h, function 4Fh.! O3 q! t- m0 i$ B1 [, N+ @
There are several alternatives. 8 k$ U1 j" g; r8 O8 J
( [6 ~1 T# O7 g/ D. d2 s$ o
The following one is the simplest:
" e, p) r; I! k0 H; i- f5 Z0 T2 S2 @
mov ax,4fh
4 u/ {! r' g& a( a' P int 41h
2 l2 _; E3 J) e2 d cmp ax, 0F386+ [% A! n( W" Y( a% T
jz SoftICE_detected
. g! H; y- f# z. ?6 I5 T) G, E- z7 }7 i! U G9 Y& X' C
- [0 s% C: l3 q' r- q; f; M
Next method as well as the following one are 2 examples from Stone's
6 H3 @% M+ ?. j, m5 G3 T" w" \"stn-wid.zip" (www.cracking.net):! K4 l3 f; P' p% Q" H* A
" h; d) c9 a* r6 d# g; q mov bx, cs
4 H& _, i8 Q0 ` M lea dx, int41handler2
$ _2 ~; d5 v- d5 ?4 j# ~; G xchg dx, es:[41h*4]4 g) f) @) U6 {6 S
xchg bx, es:[41h*4+2]
# ]5 T W" w, D2 U mov ax,4fh( j9 J/ K9 f3 X' m# P- b# u
int 41h2 \, @0 U# }2 S- w( U5 N6 N Q
xchg dx, es:[41h*4]
6 \% p. Z: H3 ^9 K* i3 ^8 ^ xchg bx, es:[41h*4+2]# X* C6 h. k4 a' [
cmp ax, 0f386h7 t! S( k/ D7 u X$ ?5 Y+ Y6 m
jz SoftICE_detected
( H$ U6 Z8 A4 l# J7 G0 B
; n% i+ s% ?# \int41handler2 PROC6 Q$ f; O. U' Y+ r! e1 x
iret4 u- i' {: _3 q" w( @% X
int41handler2 ENDP
8 A; T9 e. B5 C% J C4 g$ Z$ M% R$ K9 T& V6 Z6 q
3 x+ f6 \, L4 s( q9 Y. U2 z_________________________________________________________________________2 ~/ W: I: X1 y; }8 R
2 ^/ x' S" I: U* @5 D1 J5 f) Y8 |
, V2 j5 V) B; s0 \Method 06
% y U0 @, e' ]6 `* t=========
7 s g: b* X0 S ^6 q$ `
1 ?; x* l' Y2 h& T( Y$ j. \9 o9 a! h: H7 o
2nd method similar to the preceding one but more difficult to detect:
9 x& m4 I: O- ?0 N; [% X A
& b$ T _$ D. _; N# {: k8 n* r: E8 s- [7 H9 P9 _1 Y [
int41handler PROC
4 Q4 A' p$ E% W8 d7 u$ \ mov cl,al2 h( M9 @' @; P3 Z
iret+ ?% E$ ^. @1 \
int41handler ENDP
9 q* b c: s7 v0 C- N" p, L! P2 E) T1 @6 ^" \7 R9 r$ `
" j2 N4 M! _& b7 T
xor ax,ax
4 a$ y6 t+ }4 e/ {+ ~ mov es,ax
: |3 v4 u; j( R6 z' ?' K mov bx, cs
5 D" n/ A1 `& Z1 X2 O& q lea dx, int41handler6 E2 n" a3 c1 a! q/ t, C
xchg dx, es:[41h*4]1 P, S1 m' N* x; W: H
xchg bx, es:[41h*4+2], T8 m& I1 N4 R
in al, 40h4 f" P7 g# I# E& x, M+ n
xor cx,cx
+ }! t1 t" R- Q: @8 U; b* D E1 } int 41h
& w5 I. Y# m/ u9 w" {0 y0 ] xchg dx, es:[41h*4]6 y/ n- G' ?8 u( @9 y7 @
xchg bx, es:[41h*4+2]( T* v3 L8 u0 y2 n+ R) p
cmp cl,al
) S# @: D3 p: L2 C9 T jnz SoftICE_detected9 _; e6 R. d* ^" _: x9 V5 V" f9 w* W
* q& Y1 a. T. y
_________________________________________________________________________' k2 N; R8 t( k+ f3 s' ^! Y
: W, @# e: h5 C" }9 t4 n( h6 ~Method 07
p, t1 E0 T% c, b( s$ ~" I7 d5 |=========
! H+ K1 i* c* s: B, k
8 Y* N1 @% c- l7 G: d8 lMethod of detection of the WinICE handler in the int68h (V86)
# G4 Q( c- J9 ?1 F( N; v# {/ I
; z- L' j3 U1 H) C2 y mov ah,43h/ P0 f8 j, S* `9 t% K
int 68h
, Q9 D# w, S C! O: r8 F$ p I cmp ax,0F386h+ f: W5 z7 }6 z% ~+ ?
jz SoftICE_Detected$ F2 @. s: ?' D9 d5 g$ w5 B2 \
1 Q* J2 ^- c/ _- v' u
/ _1 Y8 Y& J% ~
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
' L! L% y4 I7 h% V" A/ X$ f$ g app like this:
7 I! {% m- O, I$ {% V+ s' ^$ M- G- a5 u
BPX exec_int if ax==68
9 S/ ?) ~, a8 N" J- Q6 j (function called is located at byte ptr [ebp+1Dh] and client eip is) j' K7 x, d8 z$ R
located at [ebp+48h] for 32Bit apps)/ o- }) ~* G1 H/ n" b
__________________________________________________________________________2 x& w" ~/ Q2 f( B+ {- j% X i
1 x0 M* K+ X" T/ Z& v! [$ N! S6 P3 s' m. L3 n5 V
Method 08
- D6 Z0 I2 l3 x; M& h& f=========
( \' a+ e; c/ ~, w9 z2 g [+ N$ n: k# s) f! P) U
It is not a method of detection of SoftICE but a possibility to crash the. D2 W5 u: U2 P9 q* U% E# z7 ]
system by intercepting int 01h and int 03h and redirecting them to another
6 H$ F" w+ M3 }& a0 @1 M- groutine.
6 h. k% G" Y& ~4 t& h/ yIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% P+ C' T" E9 G! y
to the new routine to execute (hangs computer...)
3 F" |% O" U+ l8 c0 D5 }* w
! S, e0 ?: t. ^) x, s3 Q mov ah, 25h9 M+ a* @$ S; b; W) g* f9 E
mov al, Int_Number (01h or 03h)0 R/ t' g6 R9 Z: R5 `: B
mov dx, offset New_Int_Routine$ s) Q( d ^5 I. }2 H3 Y N( u
int 21h( o: q3 ~) N8 L3 T* y
9 U9 F) x9 F% o, p6 P( `__________________________________________________________________________
) ~8 n* X( `) H3 I7 U+ i8 y, `# L. X6 C E3 U
Method 09
- e0 q* p( i2 X=========
, v: `: n% |. o& N7 M
: d- v9 f. Q tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 k' p1 I- Z) J8 }7 r& g7 M
performed in ring0 (VxD or a ring3 app using the VxdCall). c% P! Z9 w2 C
The Get_DDB service is used to determine whether or not a VxD is installed7 J! K$ n. m+ X
for the specified device and returns a Device Description Block (in ecx) for1 O6 e/ D" _* ~5 r
that device if it is installed.6 X/ v# A" |/ G( Z
5 G+ ]: w' W* _$ Z" X$ p) X mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
$ J& c# V8 Z' H( D. m3 g mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% I) N0 u) v2 Y+ `* _8 h: O o, O VMMCall Get_DDB9 |! D7 n" [9 G8 }
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
+ c2 v8 o: b: |, N+ w
0 D( ^4 w6 _# V( U, \% qNote as well that you can easily detect this method with SoftICE:7 ?% `$ o4 ?7 u! y' |) c
bpx Get_DDB if ax==0202 || ax==7a5fh
2 t( e# d3 L' \& t# U2 E& v3 T5 y8 }2 _5 q# m
__________________________________________________________________________% d' f' K7 K7 A: y3 o0 ?! g
& X3 a6 t( [3 Z( u g; f c
Method 10
. g% E2 l$ k1 v8 V) F=========2 V& ]9 u; P$ m" ~- X
2 \; W3 M; Y; Q; ~
=>Disable or clear breakpoints before using this feature. DO NOT trace with
5 F1 U3 Y8 _7 I. T SoftICE while the option is enable!!
; [0 P! A( s- K6 Q9 R, Q( u7 m5 \: r/ B6 T
This trick is very efficient:- d1 O* @) y. `5 ]1 i5 B9 K8 E7 V
by checking the Debug Registers, you can detect if SoftICE is loaded1 j. R$ V1 ?6 Y+ }
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
4 p0 z/ L! X& K; |3 y4 qthere are some memory breakpoints set (dr0 to dr3) simply by reading their
; @, N# {. A& ~* Dvalue (in ring0 only). Values can be manipulated and or changed as well
' r, A1 v' w/ c$ B# C* r(clearing BPMs for instance)* e4 n' `4 W( [# m& U" Y+ H
/ i, M0 i$ A4 K$ I& s2 r6 G__________________________________________________________________________5 Y5 V) R0 { Z/ L# i( }, p% Y
5 |- t& Y9 ^ i% I
Method 110 j3 j- o" }; q. o
=========, h2 ~* k, E- ~) h6 ?2 |6 H0 Y: R* W
* x* w) R6 J. i4 YThis method is most known as 'MeltICE' because it has been freely distributed( _8 Y) \% \' [2 U& J) P
via www.winfiles.com. However it was first used by NuMega people to allow
3 U' R/ @5 L4 ]9 R, _9 ySymbol Loader to check if SoftICE was active or not (the code is located
4 J" ?+ a3 r& {inside nmtrans.dll).' j0 |6 R3 [4 h; J
' y8 B+ r0 z7 w# u0 |( B
The way it works is very simple:
, y) H0 v5 W6 @( r4 pIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
' V, Q0 C, Y4 a* yWinNT) with the CreateFileA API.
# S& M# ~7 V# x( U% F, A o; Y! F1 t3 M% t& ^* W
Here is a sample (checking for 'SICE'):3 q8 i- o* w! Z) N' T8 r- m$ V8 c
3 m) `( `7 u7 E" aBOOL IsSoftIce95Loaded(). `& }5 f# V5 S5 i9 M5 x
{: \! m$ m( z& G# U) @- _) Q( U1 m6 C
HANDLE hFile; , B7 `- W- Q7 ]8 W t
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
4 m; \" _- {' W0 d9 I' o5 ? FILE_SHARE_READ | FILE_SHARE_WRITE,
# O/ D3 b; h9 L, `% B NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);# v1 M9 J8 [+ L$ M: D
if( hFile != INVALID_HANDLE_VALUE )
! h, h8 G# C5 B+ U9 V {
; a3 v" ? S) v' s, O5 t CloseHandle(hFile);9 h+ c" X" }4 a1 R$ { ]/ l ]+ e
return TRUE;
2 o4 ?7 d* Q5 l1 [ }) H9 \8 d( G4 ~# B7 N1 O0 \8 }
return FALSE;
/ A1 c; v4 v. h}' n' t/ |( F7 u2 N. m
. L. w' |* H% k {) J/ S# j; ZAlthough this trick calls the CreateFileA function, don't even expect to be
+ k, v) |! {( B- W: |able to intercept it by installing a IFS hook: it will not work, no way!
- V0 r% U) s0 s7 r" G: kIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
0 \! ? a) ~7 p8 E: w0 r/ @service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! m/ ?2 H+ R( z* K+ cand then browse the DDB list until it find the VxD and its DDB_Control_Proc
2 t a9 D8 A- Zfield.
' _ b3 w* W5 _1 k# L0 M# TIn fact, its purpose is not to load/unload VxDs but only to send a 0 f3 P( q% _7 a9 m; |6 i5 y1 y
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' o. b- l# d0 ?6 Y
to the VxD Control_Dispatch proc (how the hell a shareware soft could try5 Q6 G- ]) D* S/ S
to load/unload a non-dynamically loadable driver such as SoftICE ;-).% b8 y- a0 D' U& C( M) C2 k
If the VxD is loaded, it will always clear eax and the Carry flag to allow: m* F' K9 i0 L2 Y4 c
its handle to be opened and then, will be detected.
4 T% f4 @; @: C, A) G/ V/ o* T+ pYou can check that simply by hooking Winice.exe control proc entry point1 i* Q0 l0 L& N& b
while running MeltICE.9 Z1 V0 l! _; {, Q
* C2 |" B- e% S
+ a% H6 L5 N6 u1 T% ?1 h. i3 _ 00401067: push 00402025 ; \\.\SICE% ?$ ~6 b: y5 J8 u: z
0040106C: call CreateFileA
; a& T$ O+ {( Z1 t 00401071: cmp eax,-001
$ E4 Z7 F" o( p* k 00401074: je 00401091( M0 {! }* A0 n( [- D8 B6 `! ]
& K" ?) Y- V8 y& N; k% d- k& l& i1 p) X/ X$ V' g
There could be hundreds of BPX you could use to detect this trick.; {8 i3 g1 F4 v0 T, C; v- _& ^, c
-The most classical one is:
) J1 @2 K; [0 B! v BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||+ t6 ^9 o9 h9 q
*(esp->4+4)=='NTIC'
~3 d M( K0 l+ B; v; D M
, S) ~( E( Q5 H1 r, J-The most exotic ones (could be very slooooow :-(7 ^* ]$ @$ q2 V w% [6 H
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
# \3 ^8 f& L, T& ^ ;will break 3 times :-(% v, C4 g: x- `- K* i) j
; i% S! K0 u% ^4 `: F) n/ W
-or (a bit) faster:
5 I2 ?5 k2 c9 | X3 w6 n5 x BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
) k" a7 g3 R+ L% k$ u! H0 x' Y
+ w# p/ i' j/ {% q; U0 N BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 2 P, `3 @! x! W/ O* ?# d" n% f5 R4 Q
;will break 3 times :-(8 e% A/ `- Q5 n6 b5 p' B
4 G* P2 u9 j4 z, q- K% C- u1 G" k; \' A-Much faster:5 d( q. {: ~; K$ L0 l( E9 ^
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
) {7 `: N/ d( K: I% R. D C* E! e' u; T# p- X5 Y8 H% |
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen) s3 r0 U! z3 m' E
function to do the same job:
: Q4 u1 D+ H: h; J+ k! d
6 s6 T) M. {/ W# k* f: E push 00 ; OF_READ
% a$ Q7 }8 e8 Z. p; g# m mov eax,[00656634] ; '\\.\SICE',0
* t- U- g. [0 t push eax% C$ Y1 z' ]+ h' @
call KERNEL32!_lopen
9 p! c" @9 L6 u8 O- k inc eax
! x& i5 E3 \, r: k- a7 {: D jnz 00650589 ; detected
! O" P: l; v' _% K! S: j push 00 ; OF_READ- I/ D1 O3 `# J2 h2 e) G/ A5 M
mov eax,[00656638] ; '\\.\SICE'
0 E* `* N: r# c- `6 v, }( Z push eax
0 D" C; M2 Y% ~: g" @2 i' H) O call KERNEL32!_lopen" y/ E5 y- }0 J7 a1 h& |" `5 l
inc eax# P; s3 u \$ w; N5 J. i
jz 006505ae ; not detected. o# B2 r7 h' a0 m4 { L
$ v# r( @7 r$ y v6 X1 o% g( d4 _/ t) G% O) O
__________________________________________________________________________
7 {1 H( T* n$ R4 q: e! z
0 W) E& ^ B. V1 V+ l8 l, ?' gMethod 12' S7 K h! A/ w; ?
=========5 Z* s; z3 F2 P
7 O, \( P5 U" B- X' f, T+ |This trick is similar to int41h/4fh Debugger installation check (code 05
& l# X# ` ]0 b& ?! z3 J& 06) but very limited because it's only available for Win95/98 (not NT)0 n! ?5 a/ z( W2 i) d1 {( q
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.; R, }1 j! `( S8 G# h) N+ {1 D/ D
- `, o8 V2 G8 f! e3 j
push 0000004fh ; function 4fh
& v Z) a3 g. m+ l+ a2 L+ I8 r2 w push 002a002ah ; high word specifies which VxD (VWIN32)3 U% D6 O% G1 k" E+ ?! T
; low word specifies which service1 s, U( X3 c0 } ~5 u; V8 p
(VWIN32_Int41Dispatch)
. b3 a( y6 F8 |1 c( e( R call Kernel32!ORD_001 ; VxdCall% ~, `1 v2 W. M1 }) ^! d/ F
cmp ax, 0f386h ; magic number returned by system debuggers
6 w- w+ U5 m* ]( M jz SoftICE_detected
2 a, \* d0 |+ F5 u; U7 w4 ?6 t; U+ N3 k: [" U+ D! w
Here again, several ways to detect it:- b8 h) T+ J- C; _8 E
6 J" v( k3 `0 d( \9 m& Y& ]( J
BPINT 41 if ax==4f
, \, H) `% u2 _4 b% \- ?( N+ e7 s2 F2 I/ p' r
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one8 U4 V; M; u/ Q) L: C: ]
9 v" s( ^' O0 c
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A# o" H! F8 @. P# D' H
' I8 ^: p3 `# u4 E% t+ J
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* C$ ?2 \' F9 l ~+ b8 b0 a4 v
2 g* y- X3 w* w* `. ^! Q5 k( K6 B__________________________________________________________________________- p0 x2 G; }( k; T: i
# O/ }/ C6 Z6 n' bMethod 13& H1 `: T* j6 p# n$ J8 X
=========
* O, M9 n5 g: y. ^9 ?+ }3 T- M, Q: l# p; V' n* O( |
Not a real method of detection, but a good way to know if SoftICE is# F: j2 E" x( \8 v, E
installed on a computer and to locate its installation directory.
t4 q1 V! a C( e o9 I/ \! K ^It is used by few softs which access the following registry keys (usually #2) :
* Y7 c4 H; Z( p
: M* o3 J' U9 g8 m8 {- P-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ _/ A8 U" @$ @/ I6 F7 M\Uninstall\SoftICE
9 [0 ~6 e g5 ^3 V% m: Q, |8 h-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
l, D! K. V6 U0 B; L: `, y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ I: t& C0 b( g" U* W/ o& N2 |
\App Paths\Loader32.Exe0 T/ T; ~- _7 t# a- K7 |+ a. a
# E8 T! E' e& ]* h; n1 ^
$ R, L3 R$ O- ONote that some nasty apps could then erase all files from SoftICE directory
" \+ w7 L* K5 s7 \7 k% b6 b$ N2 v(I faced that once :-(- H; m: g% \ G) p
7 Q& N" H4 a! x% c( B) vUseful breakpoint to detect it:
/ G/ K' C5 F. E% C/ {# U, A: y$ D7 l0 X/ ~; H f4 Z
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 m. |( n' I7 c3 a
1 [" j. ^" J* ~# S4 B6 h5 y
__________________________________________________________________________
( N5 M( q% u5 N: R& F2 q
; J5 O/ D% E8 Z4 ^+ Q. A% I7 V) f8 Z- w1 N, p" f5 o7 L" x
Method 14 . r$ X* l) I% C& ^
=========
: w. }3 a4 B3 n( U; w8 o3 ~: N8 q. M1 o) y$ a: I2 F! A( U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
4 y6 [7 e7 f3 Q! \- nis to determines whether a debugger is running on your system (ring0 only).' I! k6 a1 U% v
6 ~ z( i4 N. x; ]$ S/ k* S VMMCall Test_Debug_Installed' z( @2 m: I7 F* u
je not_installed" a, {! \" |2 h+ ]( X! u# ~ u& o
/ R% I9 Y8 Y: }This service just checks a flag.
6 U6 f1 \2 @& ^- @4 D7 X</PRE></TD></TR></TBODY></TABLE> |