<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL is left at 4 when SoftICE is not there
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 when no such VxD is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; saving the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; only a debugger sitting above the IVT can answer
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies al into cl
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, save the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer for a value nobody can predict
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al: our handler never ran, something else took int 41h
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=>Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the device name succeeds only if the SICE VxD is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
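As an added example (not part of the original text), a small Python scanner that looks for the byte patterns behind the tricks listed above, so an analyst can triage a DOS/Win9x sample for anti-SoftICE code instead of single-stepping into it; the opcode encodings and the sample stub below are my own construction, not taken from any program named here.

```python
import re
import sys

# Each entry: (description, regex over raw bytes, method numbers from the text).
# Encodings are 16-bit x86 unless noted; a 66h operand-size prefix (16-bit code
# using ebp, or 32-bit code using ax) sits before the bytes matched here.
SIGNATURES = [
    ("mov ebp,'BCHK' (BoundsChecker signature, int 3 follows)",
     rb"\xbd\x4b\x48\x43\x42", ["01"]),
    ("mov si,4647h / mov di,4A4Dh (int 3 back-door magic values)",
     rb"\xbe\x47\x46\xbf\x4d\x4a", ["02"]),
    ("mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD entry point)",
     rb"\xb8\x84\x16\xbb\x02\x02\xcd\x2f", ["03"]),
    ("mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD entry point)",
     rb"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f", ["04"]),
    ("mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xb8\x4f\x00\xcd\x41", ["05"]),
    ("mov ah,43h / int 68h (WinICE V86 handler check)",
     rb"\xb4\x43\xcd\x68", ["07"]),
    ("cmp ax,0F386h (system debugger magic number)",
     rb"\x3d\x86\xf3", ["05", "07", "12"]),
    ("\\\\.\\SICE, SIWVID or NTICE device name (MeltICE / _lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", ["11"]),
    ("push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2a\x00\x2a\x00", ["12"]),
    ("Software\\NuMega\\SoftICE registry key",
     rb"Software\\NuMega\\SoftICE", ["13"]),
]

def scan(image: bytes):
    """Return (offset, description, methods) for every signature hit, by offset."""
    hits = []
    for desc, pattern, methods in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), desc, methods))
    return sorted(hits, key=lambda h: h[0])

def methods_found(image: bytes):
    """Distinct method numbers (as in the text) whose byte patterns appear."""
    return sorted({num for _, _, methods in scan(image) for num in methods})

# Constructed sample standing in for a packer stub: sequences from the text
# glued together with padding. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"                  # mov ebp,4243484Bh (66h prefix)
    + b"\xb8\x04\x00\xcc\x3c\x04\x75\x10"          # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,911h / si,di magic / int 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"  # mov ax,4Fh / int 41h / cmp / jz
    + b"\\\\.\\SICE\x00"                           # MeltICE device name
    + b"\x00" * 8
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, desc, methods in scan(data):
        print(f"{off:08x}  method {'/'.join(methods):<8} {desc}")
```

Hits are candidates, not proof: the cmp ax,0F386h bytes alone only say a magic-number check is somewhere nearby, so confirm each hit by looking at the surrounding code.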
</PRE></TD></TR></TBODY></TABLE>