<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must be 0 here (interrupt vector table)
    xchg bx, es:[41h*4+2]   ; temporarily install our own int 41h handler
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE driver can be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________
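As an added example (not part of the original text, and not code from any tool named above), here is a small static scanner that searches a raw code image for the opcode sequences of methods 01 to 05, 07 and 12 and for the MeltICE driver names of method 11, so an analyst can locate these checks in a sample before tracing it. The 24-byte match window and the sample bytes are assumptions constructed for this example.

```python
# Static scanner for the SoftICE-detection byte patterns described on this page.
# Each signature lists x86 opcode bytes that must all appear within WINDOW bytes
# of the first token (order-independent, so reordered instructions between
# them still match). WINDOW is an assumption, not a value from the page.
WINDOW = 24

SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3
    "method01 BoundsChecker BCHK/int 3": [b"\xbd\x4b\x48\x43\x42", b"\xcc"],
    # mov si,4647h ; mov di,4A4Dh ; int 3
    "method02 back door int 3": [b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc"],
    # mov ax,1684h ; mov bx,0202h ; int 2Fh
    "method03 int 2Fh/1684h SICE": [b"\xb8\x84\x16", b"\xbb\x02\x02", b"\xcd\x2f"],
    # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    "method04 int 2Fh/1684h SIWVID": [b"\xb8\x84\x16", b"\xbb\x5f\x7a", b"\xcd\x2f"],
    # mov ax,4Fh ; int 41h
    "method05 int 41h/4Fh": [b"\xb8\x4f\x00", b"\xcd\x41"],
    # mov ah,43h ; int 68h
    "method07 int 68h/43h": [b"\xb4\x43", b"\xcd\x68"],
    # push 4Fh (imm8 form) ; push 002A002Ah
    "method12 VxDCall Int41Dispatch": [b"\x6a\x4f", b"\x68\x2a\x00\x2a\x00"],
}
# Method 11 (MeltICE): the driver names handed to CreateFileA / _lopen.
for _name in ("SICE", "SIWVID", "NTICE"):
    SIGNATURES["method11 driver name " + _name] = [b"\\\\.\\" + _name.encode()]


def find_anti_softice(data, window=WINDOW):
    """Return sorted (offset, signature name) pairs for every match in data."""
    hits = []
    for name, tokens in SIGNATURES.items():
        first, rest = tokens[0], tokens[1:]
        pos = data.find(first)
        while pos != -1:
            end = min(len(data), pos + window)
            # remaining tokens must sit after the anchor but inside the window
            if all(data.find(tok, pos + len(first), end) != -1 for tok in rest):
                hits.append((pos, name))
            pos = data.find(first, pos + 1)
    return sorted(hits)


# Constructed sample (not a real binary): a method 01 check, a method 03
# check and a MeltICE device name, separated by NOP filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x3c\x04\x75\x10"                          # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\x31\xff\x8e\xc7"                          # xor di,di ; mov es,di
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                           # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, name in find_anti_softice(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The window keeps the tokens together so a stray `int 3` elsewhere in the image does not pair with a distant `mov ebp,'BCHK'`; widen it if a packer pads the sequence with junk instructions.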

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>