<TABLE width=500>4 x3 B, D8 Y4 `, R, Z5 U$ A) z
<TBODY>
# p4 W: b5 t. |<TR>- }- H1 V5 e2 h7 q0 f/ i, O- N, W
<TD><PRE>Method 01
; R2 x8 R' n; [) t# y=========
3 N6 r" p; `; b
e) i, x1 f5 S, P% IThis method of detection of SoftICE (as well as the following one) is
( H* o& ?. y7 C! Z* Wused by the majority of packers/encryptors found on Internet.
4 Y0 |4 t/ ]# h5 g7 yIt seeks the signature of BoundsChecker in SoftICE6 a6 l) a' M0 C" H* r( H) N0 Q+ ?
9 o6 y) ^; K2 {: F1 |
mov ebp, 04243484Bh ; 'BCHK'& b) C1 U, Q+ ]. q* j- q4 @
mov ax, 04h; U1 _4 P6 B) e- H5 M4 y1 d2 ]
int 3
9 Y# ~: t/ m2 o# s' \0 d cmp al,4
2 p* I: b6 {/ y: X# V: f* \ jnz SoftICE_Detected
* U- p3 g% t+ D. d* e( y( t
' G1 O; {' k) h___________________________________________________________________________6 I5 l8 I! ]6 \1 S0 ^. U2 [
5 F. U# D4 J8 m( P
Method 02# |6 h9 i" ^0 v) f
=========7 f; E, Q; p9 E1 A* A
) |% o% E+ q2 t# p1 cStill a method very much used (perhaps the most frequent one). It is used" S6 o6 `+ n1 @% Q/ p
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
; M) E6 E4 X! E- y. l1 eor execute SoftICE commands...# [2 ~; ^4 m+ I2 Z! O+ Z
It is also used to crash SoftICE and to force it to execute any commands* M5 M1 Y. h) [7 G% q: P' i8 P3 j
(HBOOT...) :-((
6 Z, r: U! `; c" `" n3 H& @+ v( Z L9 C9 e+ l
Here is a quick description:
$ P* g) k2 ^& e: d-AX = 0910h (Display string in SIce windows)5 r6 @# b2 H% o- F! O3 ~3 q. x
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
- a' a) E+ ~6 o7 k% Z4 T" @-AX = 0912h (Get breakpoint infos)
+ r/ i4 P2 s% l8 c+ D-AX = 0913h (Set Sice breakpoints)
& J/ X" i5 P9 ~$ S* u-AX = 0914h (Remove SIce breakoints)6 O% d$ A3 v7 a% s6 Y
/ M2 o: {; F6 X+ @8 ?* ]
Each time you'll meet this trick, you'll see:
0 X0 K' e1 F# g! M* B* m9 v-SI = 4647h
5 ~% E; _% v3 e7 m-DI = 4A4Dh
+ ^. C- Q. z/ z% x- `& G4 EWhich are the 'magic values' used by SoftIce.
2 k! }, t$ d/ j8 V: `% iFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
y4 {( s: W: J6 F- W$ e' K8 a" f* T* \5 [ s& E5 Y3 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP' G7 K. z) ]+ l( r* L
Envelope utility use to protect DOS applications:
) G# O" ?( Q5 J( j2 Q+ X8 S$ ]& s( a$ Z
. g5 j1 X: o Z, g4C19:0095 MOV AX,0911 ; execute command., K4 g, }' H/ o* @ E) A
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).. k: X" |# o5 S$ ?0 ]% I
4C19:009A MOV SI,4647 ; 1st magic value.- m' v4 o+ n0 x e6 |! u; e* h
4C19:009D MOV DI,4A4D ; 2nd magic value.
& S7 T3 P6 X4 X0 A1 y7 {% t; n- [4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)7 _+ Z8 Q% J/ T' U. Y$ |' S
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
( \3 B: E& D- W, n* e, y4C19:00A4 INC CX
7 x7 m; d3 t7 z4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
) u2 Q% ?* q# K. n4C19:00A8 JB 0095 ; 6 different commands.8 x, p# B3 N1 K& c# n/ e6 s+ y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
0 ~( }, Y3 _$ K5 a" b4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
1 p% C2 N4 J+ v1 s( `8 \; g7 Z5 f, r' [7 e7 y0 l
The program will execute 6 different SIce commands located at ds:dx, which2 h# l2 l% M' t# N) k1 {
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
( L- O, S f5 P/ ^2 g
3 ~+ P& b4 _5 ~; [7 r* E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( W k( v8 J! _6 L! A7 C$ ~___________________________________________________________________________! ^, @0 s$ @: [7 N' O- ~; o
) o3 v( j3 b! y: Z* T- `1 O2 L3 t" o9 W' U/ x. e
Method 031 P' t+ d6 Z4 \
=========
4 k; f/ E/ `+ G5 s
& e' s' w) b3 X3 I& z: TLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h# u3 n$ l- ~# m
(API Get entry point)3 r" y% q7 r, c5 b8 k
/ ]7 L! V) o/ s2 E0 Q
8 U; I7 x' h, c2 b3 E x2 b xor di,di
9 I0 w/ G8 \5 M$ k mov es,di" O* G0 v9 x( x
mov ax, 1684h
. @7 ` q# C s( s& m mov bx, 0202h ; VxD ID of winice; i6 ], w' |' K5 Q& t1 n( \% Z
int 2Fh" n6 I" c- ^2 Y! d0 l, }' @
mov ax, es ; ES:DI -> VxD API entry point9 |9 O1 h) l' L7 G+ [# L, P! [
add ax, di2 p$ K" k9 x( a# j. T/ u! s
test ax,ax C7 q$ ]3 e; E+ f. \
jnz SoftICE_Detected* r7 [3 d- S; R1 \
* ^7 @1 p: q. L
___________________________________________________________________________5 C0 _. O7 b" i ]! |- x
* V) y$ u. u9 k
Method 04( K; P) ~: a& v( S. ^
=========
7 a. l$ i$ T" W- J" S7 |
8 ]% {- q) S' [& E/ C, B, TMethod identical to the preceding one except that it seeks the ID of SoftICE
0 v- B7 g1 @2 t' S9 f2 M. @GFX VxD.* `# e+ s: X5 h
, {, V" k- x/ D
xor di,di3 t$ u" N3 x% N1 w) j
mov es,di
9 F; P- |+ D! b( |9 H2 ?# [, t4 |: D mov ax, 1684h 1 @1 C4 C ~4 J" ]# V- c' t) l
mov bx, 7a5Fh ; VxD ID of SIWVID# _. F2 r4 c) s T" W4 k& g
int 2fh4 F* Y; x3 I& J: s* b9 o
mov ax, es ; ES:DI -> VxD API entry point
$ O" M7 U1 o. r4 e, B" h" w. H add ax, di- o5 s- |- k" F7 a
test ax,ax
7 x/ ?/ M& n6 W* O jnz SoftICE_Detected
, ?6 `( b" S3 s% j3 t& `6 T* C0 O6 u' E% H9 G& P) i9 `
__________________________________________________________________________
' j1 C6 ^/ _+ k4 V" j) s8 U U8 Z' K' E9 t- A& j
' W3 G* i y' a/ b6 p6 ?5 D/ F5 r
Method 05) ^( x: p$ H2 ^; H+ N& I+ ]' Y" V! Z
=========
4 }5 E6 k) z" Z3 U: F% D& y) O! C
& F0 ]7 p3 f' f# E& HMethod seeking the 'magic number' 0F386h returned (in ax) by all system: X) E4 |# b$ I% E! B/ M
debugger. It calls the int 41h, function 4Fh.8 g% @$ o3 _9 ]' `4 u
There are several alternatives.
9 t- I$ W. k1 ?- h" Q0 {0 o9 I0 L# v. T" K! ]9 d+ k
The following one is the simplest:1 p7 l2 E3 _8 w5 m& ?
, E: z) Y# E0 j; H/ H, K
mov ax,4fh3 J3 f- ]) `9 Y/ y! r
int 41h/ A+ N1 M9 Q4 w3 O Z
cmp ax, 0F3860 p) H9 E/ @6 ^# h! g
jz SoftICE_detected
0 X( v. q* ], C0 v6 t/ v/ q/ [, j1 C' w! X+ ~0 K% A3 z, }
8 D, p" q3 i$ @$ \* {) Z! mNext method as well as the following one are 2 examples from Stone's & X. Z+ q/ q: y, Z7 C2 |& o. F
"stn-wid.zip" (www.cracking.net):
5 u1 m1 ?4 S8 r) R8 e& h
* {1 X9 _0 Z5 }- L- X0 C( c) {7 Y mov bx, cs
% B& L3 a% |( `7 } lea dx, int41handler2, I% C! c) U- H" v- {+ A
xchg dx, es:[41h*4]( R7 j! G( K, u1 D' U7 ]
xchg bx, es:[41h*4+2]
' H U4 E9 Y9 |# ]" t mov ax,4fh$ r# d- M9 r3 P2 t
int 41h- T( n& ` |3 w0 ?0 z3 @% |. |
xchg dx, es:[41h*4]
9 y) ~4 A: q' _ xchg bx, es:[41h*4+2]
$ \ o9 O/ j; `" h5 f7 { ? cmp ax, 0f386h
4 T. Q0 A/ n" T2 c9 t jz SoftICE_detected9 e& z: X+ k# V
6 b$ d: v J! _% J7 I9 ?) Mint41handler2 PROC+ C0 [9 W/ `. {, r
iret2 {8 B! i* m) K
int41handler2 ENDP; a2 t9 p8 x1 J& d7 C- z
- o/ V, |, ~. J6 q
M* E1 o9 u. q9 o_________________________________________________________________________/ G# C2 G; A/ ]) u& B
% O0 D" C0 V: {2 I1 c$ z) Q2 Q/ V
7 T! ~' U; I: J4 @9 {& N' WMethod 06" Z2 m# k+ F" r% Q6 @
=========. F7 ? h A, B# P. o) G: O( I9 Z
' {' ]* G2 f4 U% a
+ U' l6 ]7 Y: _/ u# x% U; G1 ]3 T1 ?3 s2nd method similar to the preceding one but more difficult to detect:, j+ l0 \7 k: h/ s8 q. G
: p) u+ {7 c. _9 v# g% j
4 A+ Z6 r, S0 W$ cint41handler PROC
1 Z+ }. a. R5 w* M0 N mov cl,al% i7 ?% e+ `7 I) v" {0 n: S
iret
. v. a' c! Q1 `: p7 @* ^; I4 lint41handler ENDP
( ^3 u0 B! ^8 ~2 E5 g: g& Z* E! j, h- ` F$ j; _3 e
, j- j0 F' U& q6 ~; w xor ax,ax* y' ^1 _" ?. P% C3 p! _
mov es,ax
6 d& b* d+ _ P6 w* ^3 w5 f mov bx, cs
' Q$ ^3 h W( _! K9 P lea dx, int41handler3 |8 x7 y) g6 H/ E9 W
xchg dx, es:[41h*4]
6 @+ [9 o8 q& @ xchg bx, es:[41h*4+2]
( U! c9 V& n/ {6 N7 Z in al, 40h) G4 _$ |4 X. k/ i' [; Z* N Y/ q
xor cx,cx) h9 \; m0 I- z2 n
int 41h- F* W- ]- ~* |2 I1 O( V- q/ r
xchg dx, es:[41h*4]! r$ E- m2 T# B- t/ ?
xchg bx, es:[41h*4+2]8 H# J/ o0 |, f- j5 \
cmp cl,al
' }4 _7 j: A& X' t V7 b$ a jnz SoftICE_detected
- V, O. x* D8 D) ^# y
" \: N: ~5 Y. z_________________________________________________________________________* l0 t! A% _# X
. G* T/ k% w$ U4 `$ E2 |' pMethod 07' l O- A+ V7 Y1 l4 x
=========! Q, M' e Z Z' h. f
" \4 i/ E) j, Q( b, c6 W5 r
Method of detection of the WinICE handler in the int68h (V86)
3 F; _! k B0 m9 U
+ ^$ ]4 O0 m0 G Q" L mov ah,43h
: M. s* C( i7 L- `1 O8 j( l int 68h
) }% ~' U$ m9 e! c cmp ax,0F386h/ v0 A: r3 O( i1 W7 C
jz SoftICE_Detected
' q2 B- W. T; G4 ^% V7 H3 U# n7 w' R
% u6 ]9 M6 J. N/ {
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 V9 i+ A8 _. a0 Y. J9 i app like this:
7 q2 C) N2 E' E, s9 w1 @1 n1 j u& V" M
BPX exec_int if ax==68
; q \/ W" P8 T1 [: a, J! F8 x, J' { (function called is located at byte ptr [ebp+1Dh] and client eip is
0 B2 U. W7 W) y: O7 s% {9 y4 } located at [ebp+48h] for 32Bit apps)/ [8 v# E! }. C: m' V6 l" A1 w
__________________________________________________________________________
+ [5 h7 _2 T1 x. V Y* S) O2 X) d, f; g7 M E, C4 T& p. Z) U0 o& t$ b# Z
, _9 G |8 E2 |- B
Method 08
2 n4 j- A' m& Q0 I# y) w=========: X/ H6 }! u3 P: P4 y, q; Y
* T8 U }5 ~4 H/ j6 T0 z, TIt is not a method of detection of SoftICE but a possibility to crash the
# _$ m9 o2 J% t; M' fsystem by intercepting int 01h and int 03h and redirecting them to another1 E G& E( {9 x! N$ y
routine.
% a$ N) z, s9 R7 bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% u9 q0 s3 y" J( O3 G3 B w! d- P& kto the new routine to execute (hangs computer...)
( V* u& e, H" |0 G! l8 U
% P5 U: e1 z2 ~( o& k% | mov ah, 25h
" n( g. ^/ x6 W mov al, Int_Number (01h or 03h)
' Q2 A$ U5 ^, ^& ?& x' I* a& n mov dx, offset New_Int_Routine5 }, C {7 |+ i7 c
int 21h* v2 \, [, l6 Q; ?
0 a/ ?% ?8 W2 t; p. ^, k0 Z__________________________________________________________________________6 b2 C! a# [& u4 X
3 u! m" E. Z- l( k1 XMethod 09' f' m& ?9 z+ y# [+ f. b$ p! V
=========
* x4 B/ v8 }$ ?) ?- V0 y9 e H
% Q( ]* L. v9 U: x, e; R hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
' ^7 u M4 o% w" rperformed in ring0 (VxD or a ring3 app using the VxdCall).! Z: z* Z& Q# I+ ~
The Get_DDB service is used to determine whether or not a VxD is installed- S5 C# _8 q2 i1 s
for the specified device and returns a Device Description Block (in ecx) for. T# [+ }4 Z6 @% _, w8 u# P
that device if it is installed.- G. j* s$ x# z/ O" y
1 O; l- r( o+ ~
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID D! J- k+ z! v. t
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! D1 \/ h5 ?- F; ]" W3 s; G$ Z VMMCall Get_DDB
: R. c% V+ m- L mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed- W m) _: N. j3 k
! Q4 m4 d/ g4 X: A
Note as well that you can easily detect this method with SoftICE:/ J. C* J% ~* ?& t0 c5 M
bpx Get_DDB if ax==0202 || ax==7a5fh
5 b) M" |7 F( C# z9 f
8 @+ F A J& a: G' [__________________________________________________________________________
- `0 u' j7 ]7 [: s4 _
: ]- I7 n0 \8 R" w XMethod 10
( |& Q0 O% q/ Y9 O2 Q# J w" u=========% g- }% W- v. ^" q! D
2 Z5 M3 m2 I" W1 g) z( ]- o- A7 R( W
=>Disable or clear breakpoints before using this feature. DO NOT trace with0 A5 C! \ }) z" z6 J2 r/ C
SoftICE while the option is enable!!. L, H% [2 `3 h d. d
7 o( Z- o# H( Y) D1 D5 e
This trick is very efficient:
5 { O! ~( {7 |by checking the Debug Registers, you can detect if SoftICE is loaded
5 U; Y" f+ \- b/ Y5 R(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# E5 |8 L9 s2 I( L7 jthere are some memory breakpoints set (dr0 to dr3) simply by reading their Z1 O! n/ p. f5 D; g
value (in ring0 only). Values can be manipulated and or changed as well- ~5 t- n& F8 j- L# t9 T$ b
(clearing BPMs for instance)1 h: Z4 ~# N! E( y
$ p( u$ X9 }3 ~* |
__________________________________________________________________________( u0 D0 E- H4 r) N; U' Z3 |# F
* M" b) G9 i3 H) p
Method 116 f2 i9 ^ V( z/ ]7 i( D) J+ n! p8 h2 n
=========
6 Z# L9 b) T1 q' w. p7 X
* E9 m/ N) b8 ]0 i7 W1 Z' u W4 iThis method is most known as 'MeltICE' because it has been freely distributed2 b( J8 z+ T% z0 w
via www.winfiles.com. However it was first used by NuMega people to allow
8 Y' t% L0 H$ F' M8 G) i$ `" Z% jSymbol Loader to check if SoftICE was active or not (the code is located
" _7 \* D% r6 w, y$ |4 h# {) _6 Einside nmtrans.dll).
# b; S6 W5 F) Q6 g' Z' Q% H& D/ {, b$ Z% ^2 R j9 }6 I0 C6 G
The way it works is very simple:
/ h" L# i5 Z4 n; E' D. V- F& D& xIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ i# J# ]0 L" M/ ~6 HWinNT) with the CreateFileA API.4 C8 ?; C! N4 b5 x
7 Z" E0 y0 {, X! _: D1 tHere is a sample (checking for 'SICE'): e/ R8 T7 ~. H* m
D7 o( N! n: f* A6 X! T8 G6 F7 j
BOOL IsSoftIce95Loaded(); S& L$ u: H( j) F' U2 n$ v- M) i: a* ]
{
' g5 Q0 W; g/ R HANDLE hFile;
' {4 C; I; L6 ?+ _ hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,( e, R* H% L0 o+ d
FILE_SHARE_READ | FILE_SHARE_WRITE,. f G4 s2 K8 S, F7 |, P
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);* d& F; ^: l# y4 z/ L
if( hFile != INVALID_HANDLE_VALUE )0 _* W+ t @, ^; E; U, _/ m
{' d6 N) x: J- K
CloseHandle(hFile);
* ~) Q% q" L* ^6 y return TRUE;) P2 P0 J5 Q! B& z0 _- b" M
}
$ b4 V6 D9 H9 U2 Q return FALSE;
) B. {/ T9 B: ]' x# b4 G}! R) D7 m; n8 N# H9 V
8 ?* E e) Z" \$ C2 g* ~( v
Although this trick calls the CreateFileA function, don't even expect to be, o! k9 a V1 M3 U$ a8 l6 i% {
able to intercept it by installing a IFS hook: it will not work, no way!+ G/ e+ m5 ]5 ~# X$ S$ p
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 m* c% Z0 c# @( Z
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function) g4 {4 p1 C. E( ]! X! u
and then browse the DDB list until it find the VxD and its DDB_Control_Proc* ^; y1 Z' K$ ?. w r1 ?
field.
7 i5 ~8 g: w$ ?In fact, its purpose is not to load/unload VxDs but only to send a
& M a4 f4 b0 j5 l, fW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)2 {1 r3 ], [1 ~: A
to the VxD Control_Dispatch proc (how the hell a shareware soft could try7 h9 J# t; [/ U5 k9 Q2 C$ A
to load/unload a non-dynamically loadable driver such as SoftICE ;-).( @ W# M" ^1 ]1 T6 C
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 J$ D3 ?! v0 \$ A2 `& B( E9 Yits handle to be opened and then, will be detected.6 L1 i, `, Q- j& {
You can check that simply by hooking Winice.exe control proc entry point
7 }5 j4 n& C! w. fwhile running MeltICE.* I. P, O1 m; W0 Q
- n( X3 E! x( t- D
8 T" u W, G2 F" V
00401067: push 00402025 ; \\.\SICE
' X2 ?; `( q! Y5 C 0040106C: call CreateFileA
2 L* H7 s; S5 ^3 D! X2 N- t 00401071: cmp eax,-001, W$ t. G( _2 `0 c/ }! p
00401074: je 00401091
- d" Q% H+ S+ g* C" t" n/ A: f! E+ H9 j) q. _: X3 @
9 w: p1 T+ Z' v+ f( [% z. z
There could be hundreds of BPX you could use to detect this trick.
6 N. V7 p( I( ?1 r' F1 K-The most classical one is:
+ Q, B7 l7 C3 @* L4 A BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- i6 f* e: |3 n! U8 @
*(esp->4+4)=='NTIC': ~6 u4 w9 x& e. {( Z0 t8 x1 H
+ i9 T6 ^, I) }( [; {5 W! ?+ J-The most exotic ones (could be very slooooow :-(/ q- k1 \6 B& X# U; C: b" R
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 4 k/ }+ d- ]- P1 |
;will break 3 times :-(8 z, O3 \0 N* l" a( w9 o
- D) V9 H5 I) K# H& Z& {-or (a bit) faster:
% g/ X; }( i2 v6 X/ n% W- ]# S3 E BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
" T8 S- a! n& {, o ?/ z% W
! D. v( K2 y2 }9 \' @. \* n. K* w BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
: L/ `4 f1 K: i. ^# r ;will break 3 times :-(2 n1 A$ b8 o6 d( g: M% c+ X& L7 s3 G
" E, w7 G3 \8 M$ P6 o# F& l/ z( L) a+ K-Much faster:2 Q) Z( X, e: i: G: L$ d: Y t
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
; L5 K, s1 r5 P
1 M- Q: r. S& jNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" _. A1 @6 d3 G3 H/ Qfunction to do the same job:% Q1 ^: Z5 w" R- |! N
& i: \- @% R" J% j, } push 00 ; OF_READ4 r9 u* X' A+ z9 Z9 i1 g$ a+ B
mov eax,[00656634] ; '\\.\SICE',0
7 }8 m0 A% C+ }+ p. ?( R) J push eax+ j/ z4 T7 q3 ?; a2 F
call KERNEL32!_lopen: D. ~; c1 I% |6 B8 { A. \
inc eax( `! Z v+ m) P4 `
jnz 00650589 ; detected
* B; J, P: p2 ~1 \( K |: I) N push 00 ; OF_READ0 w- ]5 i2 o r2 T
mov eax,[00656638] ; '\\.\SICE'
1 Z; t. a( a, l( O push eax% S. f2 c: A0 L5 r& `0 N. W3 B
call KERNEL32!_lopen) p8 {; \1 y+ ^) g6 d, Q2 m2 Q
inc eax* T0 V% r! C9 L% p
jz 006505ae ; not detected
5 ^7 `' y3 h, b _1 F: Z* `# j2 L2 l4 y2 H
2 M8 M+ }/ ^1 u$ @: t+ N__________________________________________________________________________
7 ?& v) F6 n% L' K: U! ~
3 w) z5 K- }& \1 l8 G7 R0 j" zMethod 124 k! {& ^3 C2 {: p+ ~9 t) ~
=========$ V, L: C# g6 p
# B+ ]2 D3 c( {, x
This trick is similar to int41h/4fh Debugger installation check (code 059 \% p9 \2 B% x. S+ J
& 06) but very limited because it's only available for Win95/98 (not NT)
8 ?" z# b: [ H9 L. J1 r$ c7 @as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* K. x: l" t6 G$ i
# {- S0 O, o7 _5 R! o/ I5 k* ^ push 0000004fh ; function 4fh# ]2 L; _1 Q# X$ {2 E$ i% ~: ^& r
push 002a002ah ; high word specifies which VxD (VWIN32)' M& e' `9 ?# X7 h- Y d8 c7 |
; low word specifies which service+ c- s& y% M- w+ D5 U
(VWIN32_Int41Dispatch)6 |, z( j/ E6 R' O ~. C6 `( M
call Kernel32!ORD_001 ; VxdCall* N: x& P& V; g' t' x0 t' j
cmp ax, 0f386h ; magic number returned by system debuggers5 z& \/ [& v2 F0 C+ T1 d" y% Y
jz SoftICE_detected
( x7 x; I4 a# [. B8 k2 Q3 |, q9 D2 Y( I. i: D) k8 D
Here again, several ways to detect it:
. p3 ^3 T# V5 b& [
5 {5 a$ h x4 @/ o* A BPINT 41 if ax==4f+ r2 @6 x J2 \: q' W$ Q- n2 v
3 N6 R( ?3 r% D A( D( M BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one1 o) I9 k* t8 A' X1 A
! C4 t+ v* B. `* P, a
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A. z0 c. y2 k5 b+ V0 ]& K6 F
7 A6 o: ` j$ G/ ^) ^# n BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* f2 i7 i& P! q% S1 W4 A9 M) |8 z7 c; Y7 D5 c+ t
__________________________________________________________________________
' F% _7 M- A& j2 r8 j1 k! S; J2 ^1 c0 r( { m
Method 13) ]. x& s: x$ a" h- s) }; R
=========; o/ |) B" e+ H" L, D, \3 @% P- Q
9 N- g5 ^9 K& G) K5 n; h! s
Not a real method of detection, but a good way to know if SoftICE is& a2 r( h4 k. f' }
installed on a computer and to locate its installation directory.. R* [4 T2 ?% i( K+ I4 d: Y8 ?5 g0 R
It is used by few softs which access the following registry keys (usually #2) :
8 j% p. Q3 ?% F0 ?; ], u; t# Y, k& `
! B8 f* K2 ~4 f3 U& x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. u! l6 w* y- R# m: @
\Uninstall\SoftICE
' P Z' q/ n: m2 n5 R-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE3 L0 U1 c s( [0 B1 O( b' P
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ Z& L4 C8 o" z0 b
\App Paths\Loader32.Exe K6 Z' ^ N! T. z4 ~
# N5 ?# U8 M5 }7 l) h; o$ N* c( U# ]; z4 P7 X. N
Note that some nasty apps could then erase all files from SoftICE directory
+ `9 ]; y {' S+ B0 E6 i(I faced that once :-(/ N' i! u. @3 | S! {* G9 N q
& c; X: w/ a w2 @
Useful breakpoint to detect it:1 D1 y; R; z3 r# @
1 ~( o* _" _$ Y" ~
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'7 W f2 D8 a0 h/ x8 _# q% U7 H
' L/ R9 S& Y& D0 A( H) ?__________________________________________________________________________5 N C% }3 w" m& t G
h; T3 w/ @- n; c
% s k9 Q7 A/ J# l9 L( Z _' w! d+ hMethod 14 , E0 e* o, q' R a7 }4 l8 N
=========
) }% \* l& v' i# A, }0 |; I
" m; Q* ~8 u$ NA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
' \' I& z6 [2 g; S, b( Ais to determines whether a debugger is running on your system (ring0 only).
$ A$ F. V8 ^, _: }8 i3 t! Y
7 s" N- }. U3 t4 w" i VMMCall Test_Debug_Installed
) w+ L( m- I* `9 V* L je not_installed6 I) T( C: E8 j: {& n: M
, T& _) d! R% q' YThis service just checks a flag.
d! r7 w' k( D1 Q</PRE></TD></TR></TBODY></TABLE> |