<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7A5Fh ; VxD ID of SIWVID
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

xor ax,ax
mov es,ax ; es = 0 -> interrupt vector table
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; swap in our own int 41h handler,
xchg bx, es:[41h*4+2] ; saving the old vector in bx:dx
mov ax,4fh
int 41h
xchg dx, es:[41h*4] ; restore the old vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
mov cl,al ; our handler just copies al into cl
iret
int41handler ENDP

xor ax,ax
mov es,ax ; es = 0 -> interrupt vector table
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4] ; install our handler, saving the old vector in bx:dx
xchg bx, es:[41h*4+2]
in al, 40h ; read the timer chip (port 40h) for an unpredictable value
xor cx,cx
int 41h ; no debugger: our handler runs and cl becomes al
xchg dx, es:[41h*4] ; restore the old vector
xchg bx, es:[41h*4+2]
cmp cl,al ; a debugger sitting on int 41h leaves cl != al
jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

mov ah, 25h ; DOS: set interrupt vector
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine ; ds:dx -> new handler
int 21h
__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7A5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
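As an added example (my own code, not part of the original text), the following Python decodes a DR7 value and applies the two observations above: dr7 == 0x700 versus 0x400, and an enabled slot for dr0..dr3 meaning a BPM is set. It works on register values passed in (for instance from a VM snapshot or a crash dump), not on the live registers, which are ring0 only; the three register sets at the bottom are constructed, and the bit layout is the documented x86 one (L/G enable pairs in bits 0-7, LE bit 8, GE bit 9, reserved bit 10, GD bit 13, R/W and LEN fields from bit 16 upwards).

```python
import collections

# Added example, not from the original text: decode DR7 and apply the
# Method 10 heuristics to a captured (not live) set of debug registers.

CONDITION = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LENGTH = {0: 1, 1: 2, 2: 8, 3: 4}  # LEN=10b means 8 bytes (64-bit mode only)

Breakpoint = collections.namedtuple("Breakpoint",
                                    "slot local global_ condition length")

def decode_dr7(dr7):
    """Split DR7 into its control bits and the list of enabled breakpoint slots."""
    bps = []
    for i in range(4):
        local_en = bool(dr7 >> (2 * i) & 1)       # Li bit
        global_en = bool(dr7 >> (2 * i + 1) & 1)  # Gi bit
        if local_en or global_en:
            cond = dr7 >> (16 + 4 * i) & 3        # R/Wi field
            ln = dr7 >> (18 + 4 * i) & 3          # LENi field
            bps.append(Breakpoint(i, local_en, global_en,
                                  CONDITION[cond], LENGTH[ln]))
    return {
        "le": bool(dr7 >> 8 & 1),    # local exact-match breakpoint enable
        "ge": bool(dr7 >> 9 & 1),    # global exact-match breakpoint enable
        "gd": bool(dr7 >> 13 & 1),   # general detect: any MOV DRx traps
        "breakpoints": bps,
    }

def method10_findings(dr0_to_dr3, dr7):
    """Apply the text's rules: dr7 == 0x700 is the SoftICE loader fingerprint,
    any enabled slot is a BPM (its address is in the matching DRn).
    Returns a list of findings; empty means nothing debugger-related."""
    d = decode_dr7(dr7)
    findings = []
    if dr7 == 0x700:
        findings.append("dr7=0x700: LE/GE set with no slot enabled, "
                        "program loaded with the SoftICE loader")
    elif d["le"] or d["ge"]:
        findings.append("exact-match bits set (LE=%s GE=%s)" % (d["le"], d["ge"]))
    for bp in d["breakpoints"]:
        findings.append("BPM in dr%d at 0x%08X: %s, %d byte(s), %s" % (
            bp.slot, dr0_to_dr3[bp.slot], bp.condition, bp.length,
            "global" if bp.global_ else "local"))
    if d["gd"]:
        findings.append("GD set: any access to the debug registers will trap")
    return findings

# Constructed register sets for the three cases the text describes.
CLEAN = ([0, 0, 0, 0], 0x400)               # reserved bit 10 only
LOADED_BY_SOFTICE = ([0, 0, 0, 0], 0x700)   # reserved bit plus LE and GE
# One global 4-byte write BPM in slot 1: G1 = bit 3, R/W1 = 01b at bit 20,
# LEN1 = 11b at bits 22-23, giving dr7 = 0xD00408.
ONE_BPM = ([0, 0x0040F000, 0, 0], 0x400 | (1 << 3) | (1 << 20) | (3 << 22))

if __name__ == "__main__":
    for name, (drs, dr7) in (("clean", CLEAN),
                             ("softice loader", LOADED_BY_SOFTICE),
                             ("one BPM", ONE_BPM)):
        print(name, method10_findings(drs, dr7) or ["nothing found"])
```

0x400 is just the reserved bit that always reads as 1, so a "clean" DR7 is never zero; 0x700 adds LE and GE, which is why the text treats it as the loader's fingerprint. The function goes a little beyond the text's rule by also naming the slot, condition and length of any BPM it finds, which is what you want when reviewing a captured register set.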
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32),
               ; low word specifies which service (VWIN32_Int41Dispatch)
call Kernel32!ORD_001 ; VxDCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
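The instruction sequences of Methods 01 to 08 and 12, and the device names of Method 11, have fixed byte encodings, so a sample can be checked for them statically before it is ever run. The following Python scanner is an added example (my code, not a tool from the text, from SoftICE or from NuMega); the patterns are the standard 16-bit x86 encodings of the instructions listed above with a few bytes of slack allowed between them, and the image it scans by default is constructed inline from those same encodings:

```python
import re
import sys

# Added example, not from the original text. Each signature is a bytes regex
# over the 16-bit x86 encodings of the instructions quoted in the methods;
# ".{0,8}?" allows a few unrelated bytes between the instructions.
SIGNATURES = [
    ("M01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh / mov ax,4 / int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,8}?\xCC"),
    ("M02", "SoftICE back door: mov si,4647h / mov di,4A4Dh / int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC"),
    ("M03/04", "int 2Fh/1684h with VxD id 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xB8\x84\x16).{0,8}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M06", "int 41h vector swap: xchg dx,es:[104h] / xchg bx,es:[106h]",
     rb"\x26\x87\x16\x04\x01.{0,4}?\x26\x87\x1E\x06\x01"),
    ("M07", "int 68h function 43h: mov ah,43h / int 68h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M08", "int 21h/25h re-vectoring int 01h or int 03h",
     rb"(?:\xB4\x25.{0,4}?\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21"),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x68\x4F\x00\x00\x00.{0,4}?\x68\x2A\x00\x2A\x00"),
]

# Method 11 opens these device names (ANSI, plus UTF-16 for a CreateFileW variant).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

def _compiled():
    sigs = [(tag, desc, re.compile(pat, re.DOTALL)) for tag, desc, pat in SIGNATURES]
    for name in DEVICE_NAMES:
        text = name.decode("ascii")
        sigs.append(("M11", "device name %s" % text,
                     re.compile(re.escape(name), re.IGNORECASE)))
        sigs.append(("M11", "device name %s (UTF-16)" % text,
                     re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)))
    return sigs

COMPILED = _compiled()

def scan(blob):
    """Return a sorted list of (offset, tag, description) for every hit in blob."""
    hits = []
    for tag, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), tag, desc))
    hits.sort()
    return hits

def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())

def build_sample():
    """Constructed test image: NOP filler around the byte sequences from the text."""
    filler = b"\x90" * 16
    parts = [
        bytes.fromhex("66BD4B484342B80400CC3C04"),  # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
        bytes.fromhex("B811098B17BE4746BF4D4ACC"),  # M02: the Haspinst.exe sequence at 4C19:0095
        bytes.fromhex("33FF8EC7B88416BB0202CD2F"),  # M03: xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
        bytes.fromhex("B84F00CD413D86F3"),          # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
        bytes.fromhex("B443CD683D86F3"),            # M07: mov ah,43h; int 68h; cmp ax,0F386h
        bytes.fromhex("684F000000682A002A00"),      # M12: push 4Fh; push 002A002Ah
        b"\\\\.\\SIWVID\x00",                        # M11: device name string
    ]
    return filler.join(parts)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(build_sample())
    for off, tag, desc in hits:
        print("%08X  %-6s %s" % (off, tag, desc))
```

Run it with a file name to list hits with their offsets, or import it and call scan() on any bytes. A hit is a lead, not a verdict: the short patterns (mov ah,43h / int 68h, for instance) can occur in unrelated code, so confirm each offset in a disassembler; conversely the {0,8} gaps will miss a sequence that a packer has interleaved with more filler than that, and 32-bit builds that set 32-bit registers (mov esi instead of mov si) need their own entries.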

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
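The breakpoint conditions of Method 11 (*(esp->4+4)=='SICE' and friends) and of Method 13 above (+0x13 and +0x37) both compare one dword of the string argument against a 4-character constant; the offsets are simply where those four characters sit in the string. The following Python is an added example (my own, not from the text) that derives both expressions from the strings using the page's own expression syntax (esp->N is the dword argument at [esp+N], *(p) the dword at p), so the same two functions can be reused for other driver names or keys:

```python
# Added example, not part of the original text: generate SoftICE BPX
# conditions of the form  *(esp->slot+offset)=='XXXX'  from the strings the
# breakpoint has to recognise. Syntax assumed is the one used on the page.

WIDTH = 4  # SoftICE compares a dword, i.e. four characters at a time

def fmt_offset(off):
    """Offsets the way the page writes them: small ones plain, larger ones 0x.."""
    return str(off) if off < 0x10 else "0x%x" % off

def clauses_at_offset(slot, strings, offset):
    """Method 11 style: the same offset into every string, and a different
    4-char tag for each; the tag is whatever the string holds at that offset."""
    clauses = []
    for s in strings:
        tag = s[offset:offset + WIDTH]
        if len(tag) != WIDTH:
            raise ValueError("%r is too short for offset %d" % (s, offset))
        clause = "*(esp->%d+%s)=='%s'" % (slot, fmt_offset(offset), tag)
        if clause not in clauses:
            clauses.append(clause)
    return clauses

def clauses_for_tag(slot, strings, tag):
    """Method 13 style: one 4-char tag searched for in each string, which may
    sit at a different offset in each (the page's 0x13 and 0x37)."""
    if len(tag) != WIDTH:
        raise ValueError("tag must be %d characters" % WIDTH)
    clauses = []
    for s in strings:
        off = s.find(tag)
        if off == -1:
            raise ValueError("%r does not contain %r" % (s, tag))
        clause = "*(esp->%d+%s)=='%s'" % (slot, fmt_offset(off), tag)
        if clause not in clauses:
            clauses.append(clause)
    return clauses

def bpx(api, clauses):
    return "BPX %s if %s" % (api, " || ".join(clauses))

# The three device names of Method 11. lpFileName is CreateFileA's first
# argument (esp->4) and the '\\.\' prefix is four characters long.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]

# Keys #2 and #1 of Method 13 without the HKEY_LOCAL_MACHINE root, which is
# passed as hKey; lpSubKey is RegOpenKey's second argument (esp->8).
REGISTRY_SUBKEYS = [r"Software\NuMega\SoftICE",
                    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"]

def method11_condition():
    return bpx("CreateFileA", clauses_at_offset(4, DEVICE_NAMES, 4))

def method13_condition():
    return bpx("_regopenkey", clauses_for_tag(8, REGISTRY_SUBKEYS, "tICE"))

if __name__ == "__main__":
    print(method11_condition())
    print(method13_condition())
```

The two offsets for 'tICE' differ because key #1 carries the long CurrentVersion\Uninstall\ prefix and key #2 does not, which is why the original needs two clauses with the same tag; key #3 contains no 'tICE' at all and would need a tag of its own (for instance 'ader' from Loader32.Exe), and clauses_for_tag raises rather than silently skipping such a string.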

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>