<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3                    ; SoftICE answers the BoundsChecker request
    cmp al,4                 ; al still 4 -> nothing handled the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor di,di
    mov es,di                ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax               ; still 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di,di
    mov es,di                ; ES:DI = 0 before the call
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax               ; still 0 if the VxD is not loaded
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes es = 0 (interrupt vector table), as set up in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]    ; keeping the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret                     ; our handler leaves ax untouched
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                ; our handler copies al into cl
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; unpredictable value from the timer
    xor cx,cx
    int 41h                  ; handled by SoftICE instead of our handler if loaded
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                ; cl != al -> our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h              ; DOS set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;         /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025  ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

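A static scanner for the checks described in methods 01 to 13, as an added example that is not part of the original text: it searches a binary image for the byte patterns those checks leave behind (the int 2Fh/1684h and int 41h/4Fh calls, the 0F386h compare, the MeltICE device names, the NuMega registry key), so an analyst can flag anti-SoftICE code before running the program. The opcode encodings are the standard x86 ones; the signature names and the sample bytes are constructed for this example.

```python
import re

# Byte-level signatures for the SoftICE checks described above. The opcode
# encodings are the standard 16/32-bit x86 ones; the names are our own.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4  (32-bit code)
    "M01 BoundsChecker int 3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3  (back-door magic values)
    "M02 back-door int 3": rb"\xBE\x47\x46\xBF\x4D\x4A\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "M03/04 int 2F/1684 VxD": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41/4F": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68/43": rb"\xB4\x43\xCD\x68",
    # Methods 05/06/07/12: cmp ax,0F386h (weak indicator: only 3-4 bytes)
    "magic 0F386h compare": rb"\x66?\x3D\x86\xF3",
    # Method 11: device names MeltICE opens with CreateFileA / _lopen
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2
    "M13 registry key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return sorted (offset, signature name) hits for every match in data."""
    hits = []
    for name, regex in COMPILED.items():
        for m in regex.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: padding, a method 03 check, a method 05 check with
# its magic-number compare, a MeltICE device name and the NuMega registry key.
SAMPLE = (
    b"\x90" * 4                                  # nop padding (offset 0)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"         # offset 4:  method 03
    + b"\x8C\xC0\x03\xC7\x85\xC0\x75\x10"         # mov ax,es / add ax,di / test / jnz
    + b"\xB8\x4F\x00\xCD\x41"                     # offset 20: method 05
    + b"\x3D\x86\xF3\x74\x05"                     # offset 25: cmp ax,0F386h / jz
    + b"\\\\.\\SICE\x00"                          # offset 30: \\.\SICE
    + b"Software\\NuMega\\SoftICE\x00"            # offset 39: registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The weak 0F386h compare should be reported only next to another hit; on its own it is far too short to be meaningful in a large image.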
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>