<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands; the command is located at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV     AX,0911         ; execute command.
4C19:0098  MOV     DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A  MOV     SI,4647         ; 1st magic value.
4C19:009D  MOV     DI,4A4D         ; 2nd magic value.
4C19:00A0  INT     3               ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD     BX,02           ; BX+2 to point to the next command to execute
4C19:00A4  INC     CX
4C19:00A5  CMP     CX,06           ; Repeat 6 times to execute
4C19:00A8  JB      0095            ; 6 different commands.
4C19:00AA  JMP     0002            ; Bad_Guy: jmp back.
4C19:00AD  MOV     BX,SP           ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WinICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov     bx, cs                  ; es must point to the IVT (segment 0), as in Method 06
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
        xchg    bx, es:[41h*4+2]
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; ...and restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h              ; a system debugger answered instead of the dummy
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al                  ; only reached if the IVT handler really runs
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es -> IVT
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in dx:bx
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer port: an unpredictable value in al
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; cl != al: our handler was bypassed by a debugger
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push    00402025        ; \\.\SICE
        0040106C: call    CreateFileA
        00401071: cmp     eax,-001
        00401074: je      00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
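The instruction sequences listed above can also be turned into a static check, run on a file before it is executed. The scanner below is an added example (not code from the original text): it searches a constructed byte buffer for the standard x86 encodings of Methods 01, 02, 03/04, 05, 07, 11 and 12, assuming 16-bit encodings for the real-mode methods and 32-bit ones for Methods 01 and 12.

```python
"""Static detector for the SoftICE anti-debugging byte patterns described above.

Added example: each signature is the standard x86 encoding of the instruction
sequence a method uses (16-bit for the real-mode methods, 32-bit for Methods
01 and 12), so a sample carrying the trick can be flagged before it is run.
"""
import re

# Method label -> byte regex for the instruction sequence (comments give the asm).
SIGNATURES = {
    "M01 BoundsChecker BCHK via int 3":
        rb"\xBD\x4B\x48\x43\x42"         # mov ebp,4243484Bh ('BCHK')
        rb"\x66\xB8\x04\x00"             # mov ax,4
        rb"\xCC",                        # int 3
    "M02 SoftICE back door SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46"                 # mov si,4647h
        rb"\xBF\x4D\x4A"                 # mov di,4A4Dh
        rb".{0,6}?\xCC",                 # (a few setup bytes) int 3
    "M03/M04 int 2Fh/1684h VxD entry point":
        rb"\xB8\x84\x16"                 # mov ax,1684h
        rb"\xBB(?:\x02\x02|\x5F\x7A)"    # mov bx,0202h (SICE) or 7A5Fh (SIWVID)
        rb"\xCD\x2F",                    # int 2Fh
    "M05 int 41h/4Fh magic 0F386h":
        rb"\xB8\x4F\x00\xCD\x41"         # mov ax,4Fh / int 41h
        rb"\x3D\x86\xF3",                # cmp ax,0F386h
    "M07 int 68h/43h magic 0F386h":
        rb"\xB4\x43\xCD\x68\x3D\x86\xF3",  # mov ah,43h / int 68h / cmp ax,0F386h
    "M11 MeltICE device name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",  # \\.\SICE etc.
    "M12 VxDCall VWIN32_Int41Dispatch/4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",  # push 4Fh / push 002A002Ah
}


def scan(buf: bytes):
    """Return (offset, method label) pairs for every signature hit, by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding around the Method 02
# sequence from the Haspinst.exe listing, a MeltICE device name and the
# simplest Method 05 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"                   # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"           # mov si / mov di / int 3
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                        # '\\.\SICE',0
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"  # Method 05 check + jz
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```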
+ f6 E) c$ P+ E3 a3 R% |" Z</PRE></TD></TR></TBODY></TABLE> |