<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands -command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
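Added example (not part of the original text): a decoder for the DR7 value that method 10 reads in ring0, so the 0x700 / 0x400 figures above can be read bit by bit. It assumes the documented x86 DR7 layout; the function names and the BPM-style listing format are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of DR7 (documented x86 layout: bits 0-7 Li/Gi enables,
 * bit 8 LE, bit 9 GE, bit 10 reserved and always read as 1, bit 13 GD,
 * bits 16+4i R/Wi and 18+4i LENi for breakpoint i). */
typedef struct {
    int enabled[4];   /* Li or Gi set: hardware breakpoint i is armed */
    int rw[4];        /* 0 exec, 1 write, 2 I/O, 3 read/write */
    int len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes */
    int le, ge, gd;
    int armed_count;  /* number of memory breakpoints currently set */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {{0}};
    for (int i = 0; i < 4; i++) {
        d.enabled[i] = ((dr7 >> (2 * i)) & 3) != 0;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        d.armed_count += d.enabled[i];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The text's loader check: 0x700 = LE, GE and the fixed bit 10, as left by
 * the SoftICE loader; 0x400 = only the fixed bit, the idle value. */
int dr7_set_by_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700) == 0x700;
}

/* Render the armed breakpoints the way a BPM listing would show them, e.g.
 * "BPM0 W 4 @ 00401000". Returns the number of armed breakpoints. */
int describe_bpm(uint32_t dr7, const uint32_t dr[4], char *out, size_t outlen)
{
    static const char kind[4] = {'X', 'W', 'I', 'R'};
    static const int  size[4] = {1, 2, 8, 4};   /* LEN=2 is 8 bytes (64-bit mode only) */
    dr7_info d = decode_dr7(dr7);
    size_t used = 0;
    if (outlen) out[0] = '\0';
    for (int i = 0; i < 4 && used < outlen; i++) {
        if (!d.enabled[i]) continue;
        used += (size_t)snprintf(out + used, outlen - used, "BPM%d %c %d @ %08X\n",
                                 i, kind[d.rw[i]], size[d.len[i]], (unsigned)dr[i]);
    }
    return d.armed_count;
}
```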

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
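Added example (not from the original text): a small static scanner an analyst can run over an unpacked binary to flag the byte patterns of the checks described in methods 01, 02, 03, 04, 05, 07, 11 and 12 above, the way one would triage a packer before stepping it. The opcode encodings are standard x86; it assumes 16-bit DOS code for methods 02 to 07, 32-bit code for 01 and 12, and the sign-extended form (6A 4F) for method 12's push 4Fh. The sample buffer and all names are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { const char *name; const uint8_t *pat; size_t len; } sig_t;

/* Byte encodings of the checks (assumptions: 16-bit code for 02/03/04/05/07,
 * 32-bit code for 01 and 12; push 4Fh taken as the sign-extended 6A 4F form). */
static const uint8_t s_bchk[]    = {0xBD,0x4B,0x48,0x43,0x42,0x66,0xB8,0x04,0x00,0xCC}; /* 01 */
static const uint8_t s_bdoor[]   = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};               /* 02 */
static const uint8_t s_sice_vxd[]= {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F};          /* 03 */
static const uint8_t s_gfx_vxd[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F};          /* 04 */
static const uint8_t s_int41[]   = {0xB8,0x4F,0x00,0xCD,0x41,0x3D,0x86,0xF3};          /* 05 */
static const uint8_t s_int68[]   = {0xB4,0x43,0xCD,0x68};                              /* 07 */
static const uint8_t s_vxdcall[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};               /* 12 */
static const uint8_t s_sice[]    = "\\\\.\\SICE";    /* 11: device names, NUL not matched */
static const uint8_t s_siwvid[]  = "\\\\.\\SIWVID";
static const uint8_t s_ntice[]   = "\\\\.\\NTICE";

#define SIG(n, a)  { n, a, sizeof(a) }
#define STR(n, a)  { n, a, sizeof(a) - 1 }
static const sig_t sigs[] = {
    SIG("BoundsChecker 'BCHK' int 3 (method 01)",        s_bchk),
    SIG("back door magic SI=4647h DI=4A4Dh (method 02)", s_bdoor),
    SIG("int 2Fh/1684h SICE VxD ID 0202h (method 03)",   s_sice_vxd),
    SIG("int 2Fh/1684h SIWVID VxD ID 7A5Fh (method 04)", s_gfx_vxd),
    SIG("int 41h/4Fh magic 0F386h (method 05)",          s_int41),
    SIG("int 68h/43h (method 07)",                       s_int68),
    SIG("VxDCall VWIN32_Int41Dispatch (method 12)",      s_vxdcall),
    STR("MeltICE \\\\.\\SICE (method 11)",               s_sice),
    STR("MeltICE \\\\.\\SIWVID (method 11)",             s_siwvid),
    STR("MeltICE \\\\.\\NTICE (method 11)",              s_ntice),
};

/* Scan buf; each signature is reported at most once. Returns the number of
 * signatures found, with up to max names stored in hits[]. */
size_t scan_anti_softice(const uint8_t *buf, size_t n, const char **hits, size_t max)
{
    size_t found = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        for (size_t i = 0; i + sigs[s].len <= n; i++) {
            if (memcmp(buf + i, sigs[s].pat, sigs[s].len) == 0) {
                if (found < max) hits[found] = sigs[s].name;
                found++;
                break;
            }
        }
    }
    return found;
}

/* Constructed sample (not a real packer): zero filler, then an int 41h/4Fh
 * check, a MeltICE device name and a VWIN32 VxDCall. Expected: 3 hits. */
size_t demo_scan(const char **hits, size_t max)
{
    uint8_t buf[64] = {0};
    size_t off = 4;
    memcpy(buf + off, s_int41, sizeof s_int41);   off += sizeof s_int41 + 3;
    memcpy(buf + off, s_sice, sizeof s_sice - 1); off += sizeof s_sice;
    memcpy(buf + off, s_vxdcall, sizeof s_vxdcall);
    return scan_anti_softice(buf, sizeof buf, hits, max);
}
```

Hits come back in table order, so a real sample is reported method by method; the int 21h vector swap of method 08 is deliberately not in the table because `mov ah,25h / int 21h` is ordinary DOS code.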

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>