<TABLE width=500>
; G" s- R" A/ q. d8 z( k<TBODY># ?' }9 o& B8 E% S0 w1 ?7 t
<TR>
R* {/ V& }- w0 v<TD><PRE>Method 01 6 D1 H \3 |' c# S8 K! U
=========
! T0 c& l1 y$ m3 {
4 J- Y+ \) d! N% S7 w# j, JThis method of detection of SoftICE (as well as the following one) is
* U9 Z6 g4 a; r4 u& l; qused by the majority of packers/encryptors found on Internet.
+ x6 l7 Y, z) u; \- |: }3 TIt seeks the signature of BoundsChecker in SoftICE3 v K- y2 Y2 A) C4 q: H" [) a7 G% |
5 Y$ {& ~2 W' j0 M
mov ebp, 04243484Bh ; 'BCHK'
, Z7 B! [' U5 G" n" [& w mov ax, 04h
9 x4 R3 V" @* O- A( d5 z9 L4 O1 W int 3 # V! j; P. G" C- J/ C, P/ y
cmp al,4. q& {/ {; P0 v D8 \2 J
jnz SoftICE_Detected
0 }: ~. \: ]& @. V7 \5 p2 j. F: q$ m" C" D$ k! A
___________________________________________________________________________
5 m) |- t. O2 a; f z4 a5 j2 l7 k% S, s7 h2 L8 B- o
Method 02
0 y- _3 o7 s0 T r/ d O. M=========
! V9 V% q* y5 p8 _; i
0 X. i4 ]% B5 S3 o* KStill a method very much used (perhaps the most frequent one). It is used, R% Y0 U- v% e' _8 d* A
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,3 H& o8 p! o2 `- y
or execute SoftICE commands...6 L7 l# P7 ] W' K4 F9 E
It is also used to crash SoftICE and to force it to execute any commands
5 m! I& P: F2 `7 e6 T9 r: y# a(HBOOT...) :-(( % Z" H( W7 u5 {8 d1 I
J/ E4 |, M3 H2 B* k- nHere is a quick description:$ e* m7 G7 p6 s: j% v& E- b) }$ \7 {
-AX = 0910h (Display string in SIce windows)/ ?9 u4 _/ m7 ?0 J$ R
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)6 z- `. n0 N _) P1 p
-AX = 0912h (Get breakpoint infos)
! }0 g' Y) s# e-AX = 0913h (Set Sice breakpoints)% t, ], }, O u& E2 F
-AX = 0914h (Remove SIce breakoints)/ g! X9 k) X6 F" @9 ?# a& i
2 U* i; R- h# ` Z
Each time you'll meet this trick, you'll see:
& j; b$ j, M) u-SI = 4647h& [9 s( Z6 N: {% m( c8 K; f
-DI = 4A4Dh
: E8 @4 _% n+ Z3 q8 F) T! EWhich are the 'magic values' used by SoftIce.
) `7 j, I4 n- L+ P2 M" J1 _ LFor more informations, see "Ralf Brown Interrupt list" chapter int 03h., K7 J4 n$ V. r- z4 @! ?" s
6 v# \! f$ n& [1 N* C7 T
Here is one example from the file "Haspinst.exe" which is the dongle HASP+ j, F& f! V' O4 N* Y8 H
Envelope utility use to protect DOS applications:# a7 w( W2 o: _- \. P
8 ` X# H- v- [* Y9 u, s
; ]6 I2 `2 W& |- N8 q
4C19:0095 MOV AX,0911 ; execute command.( U2 B; h+ U1 d, s B- ?
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
3 k! B4 p( ]/ h4 s+ H4C19:009A MOV SI,4647 ; 1st magic value.
0 {3 v0 F& _- F: q4C19:009D MOV DI,4A4D ; 2nd magic value.
5 c' d/ ^- ]; f- {: e: j4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)6 }/ M$ x. K! Y% r' d* v9 J% G" o
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
1 j3 o+ i$ {1 B! g4C19:00A4 INC CX
! l! l' y' X/ ?7 v# E4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
: a, H- A9 I3 a3 C% b8 b2 _, a: E6 C4C19:00A8 JB 0095 ; 6 different commands., ]: ^4 k! _1 [+ r2 R' Y3 s; u4 V- T7 G
4C19:00AA JMP 0002 ; Bad_Guy jmp back.& p4 ?0 D' J. W) k$ r
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)5 m# y: D% R: O9 N H; n. `2 |
3 ]+ g. F7 O' e' BThe program will execute 6 different SIce commands located at ds:dx, which
# D4 p- V& M: v5 L- B; x5 c% E% M tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.' q. k; G. c' [, }
( Z$ f$ W& h+ }) x/ @; Q/ i
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 f1 M5 Q6 D; Y3 _; B
___________________________________________________________________________
7 p C7 p- v# @: d" }4 g! I# s. O+ n1 w, g( J5 }* G, |5 L/ U2 l1 k
- ?) z, |( O" d( t* V0 N5 _" M
Method 03
) m- R! y, J. g- s/ r=========/ |4 b$ g+ V) a, D. _
, K: V- f( S. }! A. w4 I6 M& ?% A" MLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
: z( N, F/ Q) U! y& S! G; U2 M# n- g(API Get entry point)
' _; f. b* _+ M- Z2 @ ` . p7 r- H& u2 E- l: \5 Y3 P2 B8 x
8 W, @) Q' S6 N! M- j& N3 H# G7 X8 R
xor di,di9 l6 u d s6 o" t& i x9 |$ _
mov es,di8 M0 {3 A/ b& T8 n0 P, {1 W
mov ax, 1684h ' z$ X% C5 e4 U; h
mov bx, 0202h ; VxD ID of winice4 b) C; ~- H0 g" c) r) e8 |- J; @
int 2Fh$ m! g, ]: L- [& v4 j+ ]# m9 N
mov ax, es ; ES:DI -> VxD API entry point: \. K' X# J- U( `& ~
add ax, di
0 u: e5 V: S3 ~. B test ax,ax' v$ Q" L3 Y5 d& f2 f
jnz SoftICE_Detected
* b6 R( U2 d+ G$ f2 c
0 k# s/ E, B8 I+ s' e" }( t___________________________________________________________________________. L; |5 d0 w. v) {. ?
/ C; a- h' V, o+ U! IMethod 04
( p# L) I; A5 j3 [6 v=========
9 }1 Z% y3 S5 ]: s# Z, L: h0 ]+ P, s- `* ]+ j7 P( K( Z
Method identical to the preceding one except that it seeks the ID of SoftICE7 A8 o8 [. z3 d' J5 P* V5 ^
GFX VxD.
' ]2 F1 ?* b% d7 G4 B% e
2 g9 n1 h1 k. F( U! D7 p9 N) o" I xor di,di% m+ J9 @# e0 v+ [2 V/ m& u9 B8 D+ G4 ?
mov es,di
7 N) }. n9 U0 l G mov ax, 1684h
1 |! a5 u z0 a0 L/ x: y. E# \8 i- B mov bx, 7a5Fh ; VxD ID of SIWVID1 O; r1 y a* ~
int 2fh
5 g, J3 x& r# o R6 D mov ax, es ; ES:DI -> VxD API entry point
7 t. G( |% B6 H5 F0 i add ax, di+ P2 z) ]5 U4 X/ ?
test ax,ax
" h9 I) Q% n' ` jnz SoftICE_Detected% l6 p5 H! A; Q7 s6 W J& l
8 `2 A9 |( t. @+ k; n__________________________________________________________________________
6 N8 ]: s% g3 D# k4 f1 X' ^) x' K& q$ }# h9 O9 M9 }1 w
( Q. ^9 p3 H4 i, a+ n, x- c, W. ~% o% XMethod 05
5 S; a9 j1 m3 Z7 J=========
) D, T9 r' b: i. Q7 J- [
* B) G) P: j8 v- X# J: H1 JMethod seeking the 'magic number' 0F386h returned (in ax) by all system5 c& f c8 c' I7 A( \
debugger. It calls the int 41h, function 4Fh.5 j5 S! c' r' T( H! U! V# C/ H
There are several alternatives. ; j W( o: u% Z h) e- P2 D% u
! l9 e$ t7 L. ?7 ^+ D, ]8 o( lThe following one is the simplest:6 T" R9 j X6 O
7 L( w) m& b9 f7 ^/ K6 L mov ax,4fh
: H2 u- }& n( _8 C+ ~9 n# Q) {* R int 41h- O! s a3 w# ~# H& j- ]! E
cmp ax, 0F386
6 _! S/ m6 }% m2 ] jz SoftICE_detected
- Z% i* }4 E9 b% e3 ?1 j8 J; P5 {6 F0 R% Q
; b9 Y4 W3 j' [: u: R% INext method as well as the following one are 2 examples from Stone's
3 v+ h: P1 k) O- i7 t"stn-wid.zip" (www.cracking.net):
4 x$ ]0 u6 m+ _. Q
3 f& Q8 Y. {4 A' ~" w, B8 p/ m mov bx, cs8 G7 v: g0 _# [7 I
lea dx, int41handler2
. O3 q0 ^* x, z9 `; e' g: U xchg dx, es:[41h*4]* a3 L) P# Q8 c- l) S8 A
xchg bx, es:[41h*4+2]
: Y) q- D \, p mov ax,4fh
4 N4 N+ n, y) C6 @3 t6 s int 41h, }& E& u) t$ v" J6 N. S
xchg dx, es:[41h*4] I6 g0 k9 d# e8 R$ v
xchg bx, es:[41h*4+2]2 W5 L: [5 p0 ?- s/ |0 J: g
cmp ax, 0f386h
9 l) z) s* B/ { {5 Q7 V( b jz SoftICE_detected5 ~8 x# H2 E( }& x- q) C
: U Z3 o+ H& G; G4 V4 E% eint41handler2 PROC
5 Z$ o( @( b& s! C8 ]4 T iret6 {! Q- D7 t0 O8 U8 Q
int41handler2 ENDP
, Z% R9 `4 o/ V/ O* e8 d/ k6 R( V/ g! e
+ [7 ~7 Q! p4 @. F. x
_________________________________________________________________________, R7 C' v8 p @, \( f
/ v7 ^9 ]; P% ?+ N; n
. d- `* B$ o3 a# W0 B9 yMethod 06. R8 o/ ~1 L; f% c% F* n( ]/ O
=========3 J3 H+ V/ b/ Z% r
4 l& N' L) H+ \/ w$ L( D/ C2 S& m& B
2nd method similar to the preceding one but more difficult to detect:
: n. D1 w) r/ N' J0 V7 i4 {! J
* P9 A6 H' {3 g$ }9 j% p: b1 e3 a$ `8 g$ J! g6 X8 |& V' q3 m
int41handler PROC! B9 n! ~" V$ T. ~4 B S
mov cl,al
( S) f) w; N: B2 l+ P6 S3 T6 h iret
# X: J6 h9 D1 Z8 E% m$ Vint41handler ENDP' l3 O9 }$ d* q) I: {
) ~# J: B' U% y7 Z
, n$ S, e- p1 [8 k1 L8 j7 T7 c- I xor ax,ax* H( h0 b7 r8 O4 c
mov es,ax
$ }* b+ @2 F6 d: _: d. @& q' N mov bx, cs; _7 u% ]; u3 k$ `3 D; F
lea dx, int41handler
8 \9 n! z4 Y; r2 c" W& p: b xchg dx, es:[41h*4]
4 v* A% A& E" o8 c7 Q xchg bx, es:[41h*4+2]
- f3 P; I$ x: l7 V# B" P6 V in al, 40h
" N1 v4 s. r. `4 X$ G xor cx,cx
: `& B% o0 ?$ y8 n7 m1 H) y int 41h
6 z( f2 T. @* X9 [ xchg dx, es:[41h*4], j) |1 M M- b4 B. }+ ~& M
xchg bx, es:[41h*4+2]4 \6 n. g0 V' u
cmp cl,al
: }% L) i0 C) T% Y jnz SoftICE_detected# F# K5 \/ a( a
& K* j' T" H5 r K5 {_________________________________________________________________________
. P8 I8 V' ~+ q5 g
. S" ?- X/ v9 ?( q0 [5 p4 g1 cMethod 07/ E" ?' T4 `. e1 T& J
=========
3 H$ R! ^! g1 q% d0 a/ \- t( t! w9 S8 ?8 X& }
Method of detection of the WinICE handler in the int68h (V86)! C M @3 E7 w
7 z' D0 j5 f& J
mov ah,43h
7 l: ^! n! T$ S+ k int 68h% S0 L5 n F6 I( h; u
cmp ax,0F386h0 @& y+ x9 G: _$ f7 ^
jz SoftICE_Detected$ \* O3 _, R6 `8 D, W' ]) [
; u! Y# g) D& q2 C& \
( P- V j' ~. {7 o4 q
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: W) ^2 T" R& u( @# s. R) ? app like this:
" r% R, O. n6 v* |; E, M; Q' c' k& w2 m
BPX exec_int if ax==68
" b$ h \, Q: o2 C- P) j ? C (function called is located at byte ptr [ebp+1Dh] and client eip is- F" R! i; j0 M5 B, n1 J
located at [ebp+48h] for 32Bit apps)
2 k4 l3 }9 G9 A! d: W( O__________________________________________________________________________7 X9 z E0 \6 y4 |8 f' O
+ u! p2 a( c" C6 k' D7 ]: H9 r
3 }# ]9 r" {! P# t) a0 U9 wMethod 08
2 R, j- j2 G) d" w# @* F; b& W========= V1 E7 T) S$ p; F3 E* g
T% L5 X+ G9 |8 }It is not a method of detection of SoftICE but a possibility to crash the$ V7 q0 J; L& u. k! b2 ~# l* G
system by intercepting int 01h and int 03h and redirecting them to another
( n" t* [1 @ z4 K$ ?' _2 o3 ]routine.* J6 W; E: K H- ~
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) E4 _9 K) }: v9 i
to the new routine to execute (hangs computer...)1 L3 g/ O: T1 E, N% \) b
2 H% H8 v! i6 \% m+ F9 s0 b( v G
mov ah, 25h2 }$ o" ?0 n+ g8 U
mov al, Int_Number (01h or 03h): ~8 b* x! G9 n8 f
mov dx, offset New_Int_Routine' E7 f% S% @( Y& I$ {
int 21h
) C$ s6 G* V, D: A E- k4 X. b
R6 V$ a: t# l% Q! o0 |$ K__________________________________________________________________________
5 F2 q: v5 @6 P) u8 u( }7 b0 b9 Q
7 G- o. F: g% NMethod 09
- W% p- |# Y: d! T=========" n/ |' Z( K* [( k
# y) W" L, D- h3 HThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. @, Y% J: v1 P7 _5 K/ O( Eperformed in ring0 (VxD or a ring3 app using the VxdCall).
: m* q4 P8 [* R" q2 f( bThe Get_DDB service is used to determine whether or not a VxD is installed
! P& j6 q- W5 \8 j$ Afor the specified device and returns a Device Description Block (in ecx) for, {! x4 S7 u, V2 h& s8 ^* O$ p
that device if it is installed.+ D( O# s$ k- [5 h
/ F9 I9 D& z& H7 G- x" A* |9 d mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
n$ f9 o/ y0 v$ O mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)# X7 J. r8 @1 l
VMMCall Get_DDB4 v2 s6 l8 e" l- V' p2 T
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
* e8 v6 l* a4 R8 C& r! Q; U. M1 ?. r2 O. {; g
Note as well that you can easily detect this method with SoftICE:
8 ^ s% a6 @; ]* E; z$ v bpx Get_DDB if ax==0202 || ax==7a5fh* ?% L u$ ^7 x
; a/ y$ ^2 E- t$ H
__________________________________________________________________________
& o! W0 F b3 N% O- i
, ]* R, [' }6 J! @) eMethod 10; d, Q2 q3 @1 Z
=========, Z/ V, u- ]' [5 ^2 V8 S1 j2 u5 @" T
2 |% ]/ l* p, n C. ~
=>Disable or clear breakpoints before using this feature. DO NOT trace with
; C6 e, i6 E V; m: _- F% U& \( A SoftICE while the option is enable!!
4 ]1 a" x. }4 [7 A* J2 Z" E' o4 D% z$ Y; w9 j# M- V- p. L
This trick is very efficient:( @' f) |# u3 C D* u+ Y
by checking the Debug Registers, you can detect if SoftICE is loaded
8 e2 o: E) |: ^; j; Y# y* l; C(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. ]8 D* x1 R- n2 L8 u
there are some memory breakpoints set (dr0 to dr3) simply by reading their% ]' m) x) i4 R
value (in ring0 only). Values can be manipulated and or changed as well
$ D$ A0 g6 ^8 V; G+ ~. E0 v) a+ H(clearing BPMs for instance)! s: }" c. z: a, r
8 `! J# U: ^0 c) a" f
__________________________________________________________________________" F9 ~2 i- e; H* y6 J
# Q! r( S y' n3 X
Method 11: |/ p1 S% k, ]8 l' s% |
=========0 a9 U4 T* z& T" h9 T
' C. T# `6 _- b; d; e5 NThis method is most known as 'MeltICE' because it has been freely distributed" t, j$ ~/ T3 A- D) J8 W: b2 t# k c; q
via www.winfiles.com. However it was first used by NuMega people to allow- @! j7 K1 L+ n
Symbol Loader to check if SoftICE was active or not (the code is located
+ v9 K8 @! `$ X7 [inside nmtrans.dll).4 H# S$ {) `2 [6 a9 u7 C& M& v
4 w9 @. f7 z# W- uThe way it works is very simple:
7 g5 ?& s" J c' i5 C+ h' z9 PIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. P, [& d s4 N& i# w% oWinNT) with the CreateFileA API.- D9 }1 b) v& T/ m' R) ]
0 V4 C4 h. P( L5 X# K
Here is a sample (checking for 'SICE'):7 m8 ?4 K0 A+ P( L; x V
, _9 O' m" D9 o) ABOOL IsSoftIce95Loaded()
J2 E- Z+ ?. M; _5 ^{( `5 u, @ z2 B) g5 Y. m- N
HANDLE hFile;
4 R1 }. F$ X" S$ T1 S* W7 l hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& s; w8 _ F! a; A& ^; G
FILE_SHARE_READ | FILE_SHARE_WRITE,
3 o4 n. v0 V1 t3 X+ [; T" a/ S) _ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);$ N2 k [1 I! U* R4 D
if( hFile != INVALID_HANDLE_VALUE )
' |/ m5 Q0 h; m+ T {- F y' Z! A8 m/ b" H3 `) E C
CloseHandle(hFile);. S- A( C) _5 I) i b/ v3 T
return TRUE;
) r. F, s/ Z$ H/ j# L }
6 R, |8 r% ]0 b( N return FALSE;
5 c; f; @" @- g" T* r& R9 l}
$ A' S6 z5 V8 m( J) N# Z6 \1 g% l% S# D1 {2 `, i1 ~
Although this trick calls the CreateFileA function, don't even expect to be
% @3 R& u3 h8 Table to intercept it by installing a IFS hook: it will not work, no way!
* ^, a1 f: q j) y& ?In fact, after the call to CreateFileA it will get through VWIN32 0x001F1 G# M* s9 O5 j8 Z7 r/ `' ^/ d6 I; @
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)& v( Z% G" k- _& x, e, e7 N, c6 N7 o+ `" ]
and then browse the DDB list until it find the VxD and its DDB_Control_Proc/ h1 z' ~$ G. h
field.
' M! H2 y5 N: Q+ [ h) lIn fact, its purpose is not to load/unload VxDs but only to send a + `9 y" Q% S1 h' M
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)( n; m8 D% W6 C- ^9 Y
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
) c f# }+ ]% pto load/unload a non-dynamically loadable driver such as SoftICE ;-).8 W8 L7 w: V# k* H5 e8 s
If the VxD is loaded, it will always clear eax and the Carry flag to allow' G% w4 ~2 I0 Y2 A1 K' f
its handle to be opened and then, will be detected.
( S* ?+ y0 B0 }9 z6 ]: F0 M* ~You can check that simply by hooking Winice.exe control proc entry point( `. p' {- @, G. R7 {
while running MeltICE.
# O; l k. F& G9 x" ^9 Y3 V. z
, d( j1 h9 B9 X: l0 s; N i5 x9 t 00401067: push 00402025 ; \\.\SICE( J& X+ u+ j& n w$ z+ U) {
0040106C: call CreateFileA* e a" r$ E6 ?. j, l( e
00401071: cmp eax,-0014 w* F& S" b# m
00401074: je 004010913 R* y( X4 E# Z# s5 S
# n+ { ^5 L9 e" g7 P% W I% w6 [0 K$ B5 N1 I1 d
There could be hundreds of BPX you could use to detect this trick.! D7 K9 x# J- }2 v+ s8 c& m) w( n
-The most classical one is:2 h3 y- X/ W, P7 }9 g
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||9 v, w: j5 e. X5 \8 {2 D
*(esp->4+4)=='NTIC'
8 @- I* n3 r( @& f1 i, T8 R! V" }
+ {0 i* m V/ ~: _1 w-The most exotic ones (could be very slooooow :-( V/ ]2 P% Q! J6 e
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
* n/ k' I) ~$ Y T8 C A* [* U% Y ;will break 3 times :-(% ?5 b" \/ x! ?1 U3 G
0 y. g6 Z7 |0 H* X+ t-or (a bit) faster: 2 y& P+ n% Z3 H& j8 [1 s6 R" Z
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ \ \- \; l/ h1 d7 L Z
$ d0 U- e, z8 w5 [4 Y6 N BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
6 r, d% n3 a, e; j8 A ;will break 3 times :-(
4 i' _1 q$ }. B6 K* {, W# F3 O
-Much faster:% B& E7 o8 Q0 y2 S
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
( X* m+ K3 z5 O) k. z5 n( g4 _3 k2 W
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen; T) E$ Z+ e- i d5 B. [
function to do the same job:
' w/ T N$ t* N! m" z. F2 w+ N% m& h. Y" }* @5 V
push 00 ; OF_READ
) O( p2 x1 u" G4 M2 p mov eax,[00656634] ; '\\.\SICE',0
2 \: C, P J2 J7 p) L3 z! H push eax
3 A" {: t% r$ e+ Q/ L" k call KERNEL32!_lopen
C8 i/ X6 C- {4 j4 y+ H inc eax
1 y' l# D9 f, B5 X2 k% f, F8 h jnz 00650589 ; detected! A' x' O$ a# N2 K
push 00 ; OF_READ9 d! v: p/ V% h9 o- v
mov eax,[00656638] ; '\\.\SICE'7 F& D8 E# l9 _+ Q& ]. L- o( ]
push eax0 W% F9 I" h3 {4 ]) a5 F2 a
call KERNEL32!_lopen
; p2 G6 t! G0 t inc eax$ m$ }% u+ x% x% }
jz 006505ae ; not detected
_0 P) A0 S9 M9 ]
) e* M6 o6 J0 B. Q4 c- W& g% D- n$ R
__________________________________________________________________________# y- u% P3 p+ s! v$ [: j9 v
/ ^& J( M+ |6 m/ ^6 oMethod 12# r* D! y. q1 G1 z. G
=========
% ~( ?, @% {9 c; v
/ o1 {1 G* I$ d# d- w7 CThis trick is similar to int41h/4fh Debugger installation check (code 05
: s3 [1 p+ |3 f {" h* i' j5 c& 06) but very limited because it's only available for Win95/98 (not NT)8 b$ |7 u# `* D; D7 g
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ P, U" r6 o% F4 [* a
! i0 p& A3 Z9 j
push 0000004fh ; function 4fh
% V2 }6 K& A6 Z9 z push 002a002ah ; high word specifies which VxD (VWIN32)$ C8 U. j( L' |4 e9 A) ]
; low word specifies which service( t) s' A3 g5 L( D2 N5 q" q
(VWIN32_Int41Dispatch)
& @! S/ F8 ^7 h% b3 {! ? call Kernel32!ORD_001 ; VxdCall
`8 r8 ]( U- B8 ` cmp ax, 0f386h ; magic number returned by system debuggers! k h& x) o% u1 g
jz SoftICE_detected3 `; G3 `0 `7 b0 N' B
* Z2 |$ j1 w4 Z! {( _5 J7 M% j+ i
Here again, several ways to detect it:
$ y* @2 E, f. `8 a+ B/ E* Q7 T' h/ x3 P% p
BPINT 41 if ax==4f' T9 u9 y( {# j) }2 X
. u) ]2 `1 }. o: e' K4 o BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one* }3 H! e! b! P
) ~4 a! p* H: U* t; c. T
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
. A. W( `- L0 u: P% ~) U" F0 a# L3 h+ X2 \4 Q [4 \0 y/ h; f, {6 C
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!- C* y0 A9 a$ l6 ?
2 _0 [0 y1 ~# k( q- F
__________________________________________________________________________% b# \* m, T, P& R4 S
% X8 L: O Z8 J( o& bMethod 13* }- W1 D: Z6 j. c( {
=========
" g- U: l7 B+ p0 @ |. K* c# I. i
/ r3 V3 [: L2 q3 G5 }9 t$ wNot a real method of detection, but a good way to know if SoftICE is- Q! Z1 I% c' H$ D
installed on a computer and to locate its installation directory.
d2 n2 @3 C3 W/ rIt is used by few softs which access the following registry keys (usually #2) :
: P- R) P9 S3 F- | w$ i) n9 P5 P1 q* r G1 F
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; Z% u/ F3 @; {+ X, d/ N
\Uninstall\SoftICE
" ~* F, `9 ?4 A-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
' E& t! t' A! F1 I7 m/ I9 C-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 P; c; |- O. W( G2 U
\App Paths\Loader32.Exe5 F5 C" J. d" a9 y0 A2 V
7 M6 t4 j% K# G8 W6 F2 |
d9 y! E/ Y& cNote that some nasty apps could then erase all files from SoftICE directory6 {9 F' Z; |" t! H6 Q
(I faced that once :-(
) s' a u! J0 l5 ^4 i* h! b6 b* R2 T& U: s5 W$ H/ s: F
Useful breakpoint to detect it:; @( v0 m2 r! o/ w Q
- ?# g1 I& x: p) M1 q: O
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'4 @2 \9 Y# D' m% ~
7 z: g' Y" D1 Z7 c* G3 c' ^__________________________________________________________________________6 `' C5 Q# s* X! U0 C& o
: d* T3 \8 g* D
$ s7 T$ `6 x; @/ S/ o( r$ A$ _1 @% zMethod 14 9 L4 l5 k r( H' {6 k- v" v7 r
=========
5 [# A3 }% X* G! Q# c. |: r* a$ l5 G3 ~/ R5 b) u; v- i0 ]( \, P* @
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 `5 J; S- |# @1 M0 i8 U- ^
is to determines whether a debugger is running on your system (ring0 only).
# t% m: H+ z j/ E9 k, _4 ^$ i; D% Y; \. G# [4 ^( h- O' B9 W
VMMCall Test_Debug_Installed; c& i7 V, Y Z) e8 i
je not_installed
0 k" z4 l4 S5 K# N5 A! `; p% u3 j
' z5 d' ?' l) n# m$ qThis service just checks a flag.( W5 i8 z) p5 o. z
</PRE></TD></TR></TBODY></TABLE> |