<TABLE width=500>
( I. C0 O9 W K# h, v- y9 Z6 x- @<TBODY>$ l' \ a& t& u2 C) V; {* ~& L. e6 w
<TR>/ O9 p+ ?" ]( o, s
<TD><PRE>Method 01 9 K' U6 t+ }# V: T) h
=========0 C$ t0 x( F& _- t% Y" h
# M; K3 X6 g# v) ^This method of detection of SoftICE (as well as the following one) is8 i# y0 U2 X# S# n t
used by the majority of packers/encryptors found on Internet.
# F6 G/ \. P( p9 B7 j5 r% bIt seeks the signature of BoundsChecker in SoftICE
# G9 G; X# l: ~/ d
' |3 z. ~5 w) \* E* u& c3 ] mov ebp, 04243484Bh ; 'BCHK'9 q& N4 |1 `, J& }4 Q
mov ax, 04h# Q4 x4 h7 U# a, b5 j# S
int 3
# s3 N7 O' p1 i. P cmp al,4/ y4 q; D i2 G U, [
jnz SoftICE_Detected
n5 I7 R( a5 ]3 q6 g- l' d/ [; A- M7 |
___________________________________________________________________________7 i6 p; n2 I4 P, p
4 @1 } k0 r% a- @8 wMethod 028 e. r) I* Z& x1 j/ d1 ^
========= M6 t4 u% E; x3 F. Y1 L
5 B9 u* Y8 l& N) m/ F8 A, a
Still a method very much used (perhaps the most frequent one). It is used
' E9 y8 ^8 k0 j3 g* O L: P* Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,4 _4 U2 r, p1 m" M
or execute SoftICE commands...) a# y: Q" A3 o7 \, ?
It is also used to crash SoftICE and to force it to execute any commands
! A W2 L* K4 S+ D& W/ a& B(HBOOT...) :-(( ; _6 f( l7 B; E9 W! B& p
- \" ]( F, P. q- l: @8 ^Here is a quick description:
* q' U5 B/ r& o" M8 F-AX = 0910h (Display string in SIce windows)) w- |3 T) o+ Q9 F
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
' `& U/ ~- P3 z3 A7 x) ~: z0 [-AX = 0912h (Get breakpoint infos)/ x8 m8 E9 p7 m" q9 m4 J
-AX = 0913h (Set Sice breakpoints)
. k" @9 U2 I; ]) w8 k-AX = 0914h (Remove SIce breakoints)
6 w9 G I& }; {% K) Q8 ^
; l0 d9 U# }; z- @/ H9 AEach time you'll meet this trick, you'll see:
$ c+ Z& T( U) z, f: [. K-SI = 4647h
* g. ]. C( |4 X-DI = 4A4Dh
+ G: v# Z4 a- }' H' RWhich are the 'magic values' used by SoftIce.) L0 `, f" m2 @$ Q0 p# e
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 ?/ g+ r% j5 b$ y+ Q
3 Y6 |4 {+ W6 j$ o/ g, g8 AHere is one example from the file "Haspinst.exe" which is the dongle HASP2 g' j' I/ _+ s6 t" i" R2 Y
Envelope utility use to protect DOS applications:) k8 ?- a" K, c" e9 `$ A
& V3 i; ?! l5 N
3 Y }" o$ }% ~3 B2 p% u9 C
4C19:0095 MOV AX,0911 ; execute command.8 J# w+ k. ^/ k( a; V1 ]- f
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
+ c# T( {/ H7 S9 G- B4C19:009A MOV SI,4647 ; 1st magic value.. _$ F( ^ s' P: ^3 V
4C19:009D MOV DI,4A4D ; 2nd magic value.1 a0 v/ K) J1 t, ~8 W* F/ Y1 v+ }; u
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)9 h0 |; D4 q4 c2 E& i, i
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
. n" r' B2 D. Z; a( N; p0 w4C19:00A4 INC CX
/ |4 ` m; C5 }7 U4C19:00A5 CMP CX,06 ; Repeat 6 times to execute4 A4 {& b5 n8 [
4C19:00A8 JB 0095 ; 6 different commands.
' [. `' N7 V- E% a4C19:00AA JMP 0002 ; Bad_Guy jmp back.0 U3 ^2 c! a4 m, M, l
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
' b$ q0 ]& A4 n2 [% Y! V& T0 O" b, P
The program will execute 6 different SIce commands located at ds:dx, which
, e3 e% P+ U! [9 Z0 w+ d$ Vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.( _1 }! \) w! P" J2 P
?7 a F3 t3 J# E2 P
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.7 D" D5 G, Y- P
___________________________________________________________________________
( d4 A% n0 C* u) ?/ {
: A0 G: \3 f) E6 I% K& Z& u6 w" A! O
Method 03
+ L/ }1 I. x4 R) l" |=========" |/ s6 F' Z3 r, e5 N5 O
1 g0 s/ M$ _' ~8 p# ^. l0 oLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h( G6 P2 g) v; `# R( `
(API Get entry point)
* y% V3 B; n+ u ] D; V
, ]2 y% C0 v/ V+ W# S- h% @' L
Z4 A/ r7 y8 g: d, N xor di,di
, Z9 s+ y' `" C! }8 [ mov es,di
* R( F3 @" X( E- u* V" x- J mov ax, 1684h 7 q6 L# `2 p3 u1 L) r+ n
mov bx, 0202h ; VxD ID of winice1 h! J8 h: ~/ p# A/ y
int 2Fh
: w1 Q' W9 O, Z. a) K mov ax, es ; ES:DI -> VxD API entry point
8 g2 k0 l" w; \ add ax, di6 }! j% C9 B% H% q4 [ Q) Y
test ax,ax
' X6 S2 l W5 @7 E/ ?5 j jnz SoftICE_Detected
- w& l4 j9 c6 E1 O" \( f$ F# B A/ h5 k2 i+ `
___________________________________________________________________________
0 V( ]% Y) ~! z$ [ s8 n4 b
6 a% J4 M4 v) w" z, G" BMethod 04
: M T( L9 ]! {) P2 c2 P=========
" j9 V$ ?5 t* p
) X* P9 _, X: c4 ~* h- j6 t+ ^% HMethod identical to the preceding one except that it seeks the ID of SoftICE
, m, [6 p3 u# w+ ]4 R5 J# _+ wGFX VxD.
# {- H8 L- F2 _: K# F `6 S. H% d7 |6 i. J3 o1 l7 K
xor di,di a1 z& N* Y) k% ^1 E; u* ~$ Q
mov es,di
: i: t2 Q; B5 {$ w. b9 | mov ax, 1684h ( a% O/ i6 C; Q l6 I2 a: j, `9 ~
mov bx, 7a5Fh ; VxD ID of SIWVID
7 q! V' x% b/ R R5 C d# u int 2fh
* Y2 Y H6 a- }9 E7 V0 u mov ax, es ; ES:DI -> VxD API entry point
' {7 O! L. S) z! \6 I add ax, di
4 p0 `) U; O6 ~! Y: J3 }$ M test ax,ax6 u: ? e7 w1 @/ N, @8 W% ]6 K
jnz SoftICE_Detected2 }+ K3 v: f# W, c- u# O
1 r0 C6 P3 F, x* C# E4 v__________________________________________________________________________
1 _, q4 F+ S' d0 F7 B% R9 Y- E/ A
t5 D# e+ S2 E. J/ tMethod 05
! i% |7 Q1 m) a0 y& b5 v$ j=========
6 p Q' T: d: l# m) }; m2 n N! `5 c) ?5 f/ C
Method seeking the 'magic number' 0F386h returned (in ax) by all system' V# c3 c* R3 }0 k; r7 v8 o! C
debugger. It calls the int 41h, function 4Fh.
# t5 P9 [# m! y: p! G! W. N- DThere are several alternatives. ) z% p" g. K" Z8 d J# e6 |
! W! G, D4 P- l. W- y
The following one is the simplest:
% |& F0 f- O, A+ N' x. W6 V9 _7 e. t
mov ax,4fh
4 b% l: Z5 i! R5 {! M# l int 41h
& ^4 N# E9 J* |+ V cmp ax, 0F386
- j9 r n3 d+ J jz SoftICE_detected$ ^% a; a8 l! P/ s7 e
( l5 h" }- }! k+ I
( Z9 {. K& V X' r d3 ENext method as well as the following one are 2 examples from Stone's " B& h' t y0 ?2 v( W7 H
"stn-wid.zip" (www.cracking.net):- q8 @ P" c' ~9 h$ `# A7 r
; d2 i8 P* ]1 V
mov bx, cs
, W I2 [: Q/ A' u lea dx, int41handler2 q8 n: [, F. B; g1 }) t
xchg dx, es:[41h*4]
! u, h y0 J& p6 q2 D3 } xchg bx, es:[41h*4+2]
/ s4 t1 w* E8 \$ [ mov ax,4fh8 |$ \0 f* p2 F6 F
int 41h2 }3 H) U/ c; Q- K
xchg dx, es:[41h*4]
( E$ A3 U' D4 ]$ g- |' ~ xchg bx, es:[41h*4+2]
' _6 `& u* A F, v& H cmp ax, 0f386h
5 x0 q( n/ Q: [+ O jz SoftICE_detected) R8 Z6 Y! W3 J1 H: p# P; F; I
) I f6 n3 J$ y7 p Mint41handler2 PROC
2 Q' T# H; k7 ~5 g iret. a4 w* u' ?/ d
int41handler2 ENDP' c; K- t& }' ?; v) I2 V& k
1 D: H6 ~0 r8 c, l; s
2 n- f, m* c, @3 P) n6 Z
_________________________________________________________________________
. z/ k$ H( J# j, L6 W* Z
4 W% L7 D& ~( c1 p5 r# m4 l
. g4 U T g+ w( b M3 T n8 HMethod 06
; U. Z. R" a8 Q6 I; X=========
0 ]* c! h2 y* D
! d4 \7 P: D$ C9 w$ |) h2 B0 R/ e# O x" L7 a3 a A- R
2nd method similar to the preceding one but more difficult to detect:
F2 _6 O% P; q+ C8 E
3 y( J5 `* y" H6 g; a( B l9 l) N: \
; l5 Z" M2 z7 f0 M2 u; hint41handler PROC w$ m, M2 E1 m2 I3 d/ m& Y% O
mov cl,al' U" S# m3 M/ P i$ a9 S
iret9 o9 \ G* C: C% F) R5 H
int41handler ENDP
- o* [& C+ @4 y) F$ K) w% y
6 S5 o4 s H3 e! ~' d/ P" B# a5 S3 z" t7 h$ g% C
xor ax,ax
6 a) y% o8 |) R' b, j0 z% F3 } mov es,ax
( U0 f. ]) F0 L9 L( P; i6 s mov bx, cs# L$ g) W# M5 `+ z
lea dx, int41handler
+ j0 h, c' [" k9 X; H: k xchg dx, es:[41h*4]
$ r( l8 k1 l! M) C* | o$ _# ` xchg bx, es:[41h*4+2]7 b* B* a* Q. o+ g
in al, 40h% O* w7 i# |; i* }( h5 t3 s
xor cx,cx
' d4 D3 Q7 k# l4 O) w& M: W) z$ w* D int 41h% V, o1 D8 ]$ M+ N9 z5 D( k
xchg dx, es:[41h*4]
$ j( K3 F* m& E6 `$ _ xchg bx, es:[41h*4+2]
) W4 m: {0 Q% ]' x+ n' `" ? cmp cl,al
0 d( n7 I# q8 M3 q jnz SoftICE_detected
2 i! W: x. A G4 C! {; r7 e
/ y# r% B7 ]) l: `_________________________________________________________________________
- z7 a# O" Y. X3 m! s) a( e2 l. ^, r
Method 07
, J! {4 E- f4 e% ^" ?# V! x8 b# ?=========
6 p3 u5 q9 |0 Y6 v
# h9 h% X0 u, x* W2 TMethod of detection of the WinICE handler in the int68h (V86)
2 `5 Q# V1 F, s h9 v/ A @0 ~7 ]
- C' y/ H1 z: W2 v$ d8 i4 [$ _) M mov ah,43h
! y; q% r6 g) j! h) o8 ~7 s0 D int 68h. O$ ?7 s* S) y" Q
cmp ax,0F386h
- }3 w+ r1 C2 a4 i/ \6 O9 K/ T, | jz SoftICE_Detected9 G y/ C* c$ D. ]/ o
0 n) H2 h; S$ z$ Z( p3 e x/ @ z e0 I$ t6 A: _9 J/ E: t# e
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 h* \; `0 I: P4 u+ T5 P' ` app like this:3 `0 l3 I+ `4 e
. S) e* F% k7 O) a+ b4 W5 D
BPX exec_int if ax==68
6 q7 U% ~, q2 i, _# K! p# z (function called is located at byte ptr [ebp+1Dh] and client eip is
( t' C$ s* d8 N7 s: Z located at [ebp+48h] for 32Bit apps)
; Q* }* s$ ^' Y+ ]' u+ A__________________________________________________________________________
- O4 O) R0 m- v3 k! n4 n3 \9 K/ g, H9 I
8 X' Q* c- Y. n0 s
Method 08% @) z" |8 I! |! N8 e
=========6 q ~- e: b/ {6 c0 v' \6 ?
+ w5 c) j$ W" p0 t! JIt is not a method of detection of SoftICE but a possibility to crash the. O+ |2 {" [! V6 N) z. ~
system by intercepting int 01h and int 03h and redirecting them to another) Z6 q. R7 f7 D+ l, t0 M
routine.
& i; M5 e( O% i3 j$ i' c# U$ l/ sIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
7 i$ g0 ?) B7 k& Ato the new routine to execute (hangs computer...)
: ^0 j; u( x% o4 Z5 q) U% _8 f
; a6 {* M3 u2 D3 I0 x mov ah, 25h6 }7 l, n" F0 C1 w1 I$ }( x
mov al, Int_Number (01h or 03h)3 ` d& X$ Y5 z4 {/ u
mov dx, offset New_Int_Routine( k8 M8 q- V+ A, b
int 21h
; k0 ^! W9 A& `2 D" D8 Q6 U: `: d
- D6 ?: X& E; }% T7 q__________________________________________________________________________4 b" w9 }( X! i. u0 Q
' \! z- a) Z1 q' O2 v3 q, S2 R8 q, SMethod 09
4 T- V. R9 r" r=========+ j# g& g6 b6 t3 L Y
; H) T) J" ?" E" D: MThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 U# q& x& j- Hperformed in ring0 (VxD or a ring3 app using the VxdCall).
9 Y% V8 t/ E/ y, R- i$ OThe Get_DDB service is used to determine whether or not a VxD is installed8 \7 C2 z: U0 ]' R
for the specified device and returns a Device Description Block (in ecx) for1 k2 \5 d1 d. q
that device if it is installed.
% v$ A8 ~. x4 J' o' g- x" |/ ], Y3 g
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID0 u7 M+ X9 i4 d. E, l+ Q5 D
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)' S% r; T- W. ^' E' d
VMMCall Get_DDB5 l6 e5 r: i" R) P
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
7 t8 ]/ W3 |3 m0 b! F7 F0 A2 V- O9 O* F9 C. V
Note as well that you can easily detect this method with SoftICE:
, w3 a# r8 I/ p2 s; U2 q. ]4 L bpx Get_DDB if ax==0202 || ax==7a5fh7 l0 m% B, z$ S# U0 L; i
" X" U( o! ~1 D1 R5 L u' t3 P__________________________________________________________________________
1 m4 C5 p7 L3 l- H# X+ o R! Z; ~. o% d, v. f+ i7 N x; N" d
Method 10( u* _. f; x- e# |7 r
=========) ~ M3 m2 J U. g. X9 I* M
* _, n, l$ U+ N# I- h
=>Disable or clear breakpoints before using this feature. DO NOT trace with l# S D2 d4 p9 a
SoftICE while the option is enable!!) c7 a7 I: {. ~* b( C3 C/ }! z7 ]* \; s
0 |6 H2 B# H- F$ }9 KThis trick is very efficient:5 R& ]6 | h+ T" d1 y# r4 v
by checking the Debug Registers, you can detect if SoftICE is loaded" U8 N- v+ Y }1 ^
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
6 c3 r6 K7 C2 ~8 B# athere are some memory breakpoints set (dr0 to dr3) simply by reading their8 ^/ @) f$ ?9 J3 \
value (in ring0 only). Values can be manipulated and or changed as well/ U- H* t) f1 Z1 F; c$ q1 h+ M
(clearing BPMs for instance)0 f$ `8 m# U% ]
/ O. \5 \3 t, d2 M! q% Q" ~
__________________________________________________________________________
' [5 v S6 d3 ]. N }2 a
4 V. v8 @4 w- _( FMethod 11
5 r/ [+ k) c, _2 i4 N) c=========9 y6 G! @. x% @
: s& `6 L8 O% I! @; f- |This method is most known as 'MeltICE' because it has been freely distributed2 |# Y; C( J" T6 K I% z: E. q
via www.winfiles.com. However it was first used by NuMega people to allow. {8 j S! I9 E0 t6 i) D) F/ L( t! ?
Symbol Loader to check if SoftICE was active or not (the code is located
4 R1 q; D3 s% y) X4 ^+ q, X( U1 F) oinside nmtrans.dll).
4 p4 a! Z8 b1 g* N; q; q* U ]/ ^5 u: H
The way it works is very simple:2 D2 w" t# ~# {( u( b9 Y9 \' B
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. T6 s9 L: X9 V! D+ eWinNT) with the CreateFileA API.
/ B/ c1 E0 x I1 F' s' Z7 C) w1 x' W& o; ]6 W# y7 m
Here is a sample (checking for 'SICE'): E. B$ @& `8 Q" r8 M& [+ G
1 t8 J+ Y* }" \: L2 bBOOL IsSoftIce95Loaded()- A/ R2 e3 h; m6 p" h$ f9 B H( s
{6 y& p2 o! i& L7 L8 U5 a
HANDLE hFile;
: M0 ]7 t$ X5 n- o7 I$ P% T2 C hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
* L2 B3 D+ I2 O1 r FILE_SHARE_READ | FILE_SHARE_WRITE,+ k9 `' G" C; n8 {) F
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ n6 k' _$ S& ?7 a j" ~9 q
if( hFile != INVALID_HANDLE_VALUE )4 k: |) P- M7 G g. K/ I' D
{5 G/ f1 o- f( u5 A- D# g
CloseHandle(hFile);) x! c a1 H* w" {" w+ s& J9 s
return TRUE;$ F% R+ I# s5 z, k* u: k# [ O
}; M( X# ^7 |2 g' r3 F
return FALSE;- _, F+ L4 z5 a# V, _3 U. \
}4 U! ?$ t5 l( v, t7 n/ ^
- ^3 K) z# n1 c; K3 G( GAlthough this trick calls the CreateFileA function, don't even expect to be
! |7 R+ U2 i1 m7 \% u6 nable to intercept it by installing a IFS hook: it will not work, no way!- m" E4 d. H9 \5 Z- R
In fact, after the call to CreateFileA it will get through VWIN32 0x001F, J: N4 I1 d7 T) A$ v f; N5 [
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
3 n: `; a5 j- J% e0 z* \and then browse the DDB list until it find the VxD and its DDB_Control_Proc
' {& g2 P' Y% i, X5 _field. X5 E: O" W4 _* O
In fact, its purpose is not to load/unload VxDs but only to send a
- W3 e; S( _+ Q. V5 XW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 J+ v2 b: F! ~6 S0 ?( Xto the VxD Control_Dispatch proc (how the hell a shareware soft could try( O3 }9 s3 j6 o, o; N' @ C
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
8 l0 t6 ?" y& Y; t8 s( L! ]0 tIf the VxD is loaded, it will always clear eax and the Carry flag to allow0 u; N) s9 v6 W1 I2 g' o5 G6 }& }
its handle to be opened and then, will be detected.* v1 Y6 T# ~9 I
You can check that simply by hooking Winice.exe control proc entry point1 I& H# n& X+ ?
while running MeltICE.
$ I0 X9 B& { Z/ v7 E) B( V
, V- E# a3 ?9 a3 v+ o l) w1 T9 u7 I) A0 y
00401067: push 00402025 ; \\.\SICE
( K: c3 W, D K3 ~ 0040106C: call CreateFileA. b5 K; @" A; `6 P7 v% F6 b8 i
00401071: cmp eax,-001
8 Q$ W$ }# Y9 ~ 00401074: je 00401091
& I! C$ D. r- A6 o
7 r: Q( V1 `9 B5 a7 I4 T! n! [# i- A9 E! Z, b, [ M
There could be hundreds of BPX you could use to detect this trick., r5 ]! q' c# c
-The most classical one is:0 V- P3 p* l9 v/ Q
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||6 `8 G. g% [/ l# N' K- Y+ ~$ y
*(esp->4+4)=='NTIC'
, q9 ?7 s. J8 ?9 L) }7 o
: i( N6 _9 |- c5 H7 {3 \' l-The most exotic ones (could be very slooooow :-(
+ ?* j) _$ \* d( s9 Z$ e' W BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
$ m7 }6 _6 n+ r) N8 M) X3 ~) M# J1 g ;will break 3 times :-(9 I+ H W! X/ e8 ^
I% g( C3 A: q7 Z/ Q4 a
-or (a bit) faster: 2 K7 ^( U+ [( I, v5 k4 U" f
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% D" f5 A2 N# ~* G0 Z9 R6 ~% I$ \
% y3 t9 o+ r3 v9 w# n g BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
7 d( h* [9 F |- D0 J ;will break 3 times :-(
9 x) X: N0 B( B9 i! R' m# C/ q
5 {2 Y2 _, s7 ?+ J* M$ w7 i& \-Much faster:
) P6 u. u3 L9 b/ E/ ^; A' r" P0 F BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'7 y# ?/ m3 ?+ }: G
" [' J0 m9 n; E) _/ jNote also that some programs (like AZPR3.00) use de old 16-bit _lopen: x, p- L5 K D" x3 \& B4 f1 _7 ]
function to do the same job:3 V1 X ~1 h1 Q: d# O+ |
8 o+ S! @; }' E! Z push 00 ; OF_READ
8 M" ?( S% M; W" h) B mov eax,[00656634] ; '\\.\SICE',08 r, f4 X9 q8 m& e
push eax
) M1 }6 \8 j; K7 b call KERNEL32!_lopen* z) Y: y4 |- Q
inc eax
" a6 ?6 n6 {8 x! H8 i1 c3 u, L jnz 00650589 ; detected
( Y S. B9 H d push 00 ; OF_READ w9 `- U) Y1 A; E$ }; }0 _
mov eax,[00656638] ; '\\.\SICE'
8 ^; l0 i6 K: t, y/ a! k push eax
1 {6 U+ `1 ~2 K" o call KERNEL32!_lopen
$ D8 Y S0 X4 ~ inc eax* s1 p5 I: e# \
jz 006505ae ; not detected/ F# Q& V8 V& \6 ?7 H0 `- ?
2 }% K+ O1 y/ ], ]
7 w; h% E: r9 H__________________________________________________________________________
8 O% V( [; \9 ?7 \( K
) X# U( P G! A. T/ |Method 12. z9 Z( D5 X3 \; f1 C" l
=========1 t5 N( g: {1 R9 }) A0 J
* m) g0 X& C5 f) C! c. T; ]0 LThis trick is similar to int41h/4fh Debugger installation check (code 05$ \: \6 u8 l# S1 ~$ S
& 06) but very limited because it's only available for Win95/98 (not NT)! H8 y0 E/ }& R! w1 y
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.+ m* ~( B3 A- Q/ ~4 Z- @$ \- V
3 X4 `' f: r3 w% Z; [
push 0000004fh ; function 4fh
% ~. G( ^" ^+ T& F: f/ H' @( | push 002a002ah ; high word specifies which VxD (VWIN32)
) S% _2 k2 s% i2 n- p- K: W ; low word specifies which service
0 C: R; k: a7 g; O% k- k (VWIN32_Int41Dispatch)
' o' Q. y& n, i. `5 g% g4 D call Kernel32!ORD_001 ; VxdCall
6 m+ U! d6 ?6 T% ~' E) K; _ cmp ax, 0f386h ; magic number returned by system debuggers* A# U' L$ K% E
jz SoftICE_detected
$ x, f: R) ?/ M a% i' ?# L5 b/ T. ]' J8 _
Here again, several ways to detect it:% i( R7 a- V$ ^% W( o2 `/ h9 m
8 |& l) M* j" ?( k BPINT 41 if ax==4f. u' K* v3 M0 W5 E q* e
3 r! e, @+ M2 Q% N6 t' g6 P
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
4 V8 B6 _; Z7 e# \: ]+ M6 i K: L" ?3 W3 |* r8 v2 m% m" n& o' g
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
5 w1 q. H, }/ g, V
& n" P% c1 l7 f& z. h BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
) W7 T2 W6 m) R, U1 }$ Q
/ E t1 s" \( A__________________________________________________________________________
0 p! h. @) Z# `) t) T8 L$ c; |! W s! N& ~: z: q
Method 13
/ l C- p$ p: f4 Z=========
( F& Q' I) l6 { F2 G0 s1 I5 b2 {4 d, t& {- T% @ F( w
Not a real method of detection, but a good way to know if SoftICE is6 l: d5 P; ^9 Q$ t" k( @
installed on a computer and to locate its installation directory.
6 B l& |! A B2 _It is used by few softs which access the following registry keys (usually #2) :
$ @. u& o6 m3 F' t% N/ b# ^' {
- _/ H. s5 G! K( v( n-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ P9 ~ k9 K. j8 s, ~1 A
\Uninstall\SoftICE* i+ b: y v& o
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
7 r7 f! ~2 y1 J- a- w2 Z8 P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: _2 c' L' X @4 S$ t' A
\App Paths\Loader32.Exe
3 q4 n% c2 N8 w7 n5 L/ W4 I( S
* P$ y7 F- t: r# b( X3 i9 U8 I7 Z+ F" O/ M2 j" B1 x, h7 t! B0 z6 j/ C6 ?
Note that some nasty apps could then erase all files from SoftICE directory+ G$ C) W+ K7 M8 K: e3 ?
(I faced that once :-(4 y; O+ m, S9 R3 w- ]
7 j6 D! _; P/ u) k- hUseful breakpoint to detect it:
4 \4 v* Q& k5 K: R3 C6 P B' X
1 w0 Z* Z+ u+ m* M1 a BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'. b* N; |/ N/ _7 K2 Y, m3 q
9 D y Y6 f2 b) b
__________________________________________________________________________7 D& t% b2 a3 T; Q5 i' k
! K9 a, _+ r; t! X1 M4 V+ ]9 c! _% _9 _, V# A
Method 14 6 F P/ y4 `8 r6 @% g8 e+ P6 J
=========
/ j& J. b4 v @& p j, U/ u+ M" O& {! ^) C- o
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 a/ E. f% n. N7 [9 V O- \
is to determines whether a debugger is running on your system (ring0 only).
2 k, y. r: y: r# g) G& J2 I: Q" s+ v6 w7 {) O
VMMCall Test_Debug_Installed
& l9 z: H- Q4 @0 A0 |+ u& h je not_installed1 x: _9 f' y! ^1 ~5 H" a R
/ v3 K9 p u9 C! fThis service just checks a flag.( q+ ]5 ~/ l; T/ x0 P6 z( c& d0 P% q% ^
</PRE></TD></TR></TBODY></TABLE> |