<TABLE width=500>. x/ a; W( R' k) }. A% o0 V. ]* R
<TBODY>! q0 y3 `3 B& K! M9 m- T) e2 e
<TR>
' K+ n$ b! ^0 T( V) b) o' n" V<TD><PRE>Method 01
* W* N, {1 v3 B$ b L8 G. O=========
, a+ Y$ S4 K, y: r* t6 M$ n: Y( L$ b
This method of detection of SoftICE (as well as the following one) is
5 r* k, Y l( H' O* Q: xused by the majority of packers/encryptors found on Internet.
: D" f. V3 F% X! n+ p, [It seeks the signature of BoundsChecker in SoftICE2 k' R1 J8 ~( S1 x
% Q0 `: w0 i: H; U' Y4 E+ K/ i
mov ebp, 04243484Bh ; 'BCHK'! S# \# H: i" g% x7 _( |; k5 a
mov ax, 04h" W8 S0 _3 ^% K- m& D
int 3 . q) t1 v$ x$ r6 T* U U9 k1 v
cmp al,4
& q8 n" }& }2 Q8 B7 Y jnz SoftICE_Detected
$ n- ]4 I Y+ _/ q d* u( ~
+ f* \4 t, N( z& d8 [* B___________________________________________________________________________- Y; [3 I w( B/ q. V
$ A9 N8 H( z+ D) r" M; Z1 P
Method 02* y5 Z8 ?4 C! C% ]/ N3 F& {
=========
' e- I E) V% ?+ s
, H# }: v: v. _Still a method very much used (perhaps the most frequent one). It is used: n; V1 A" M1 y3 E( G1 C; }
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,, M. u6 F W& p* ^+ J+ Z
or execute SoftICE commands...
9 Q) G- r& _* y- v2 n* ?" nIt is also used to crash SoftICE and to force it to execute any commands
. i7 N. b+ b: E9 z8 U b(HBOOT...) :-((
, X, x7 l$ Z( F' m; v1 B/ f% p2 l9 {' P3 y6 a& j- p
Here is a quick description:
7 C5 T9 O T3 Z6 u& k9 Z-AX = 0910h (Display string in SIce windows)% T& `: d Z9 m% f" a6 l* z
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)2 }* ^$ n# k/ m8 L& y0 G' j0 }
-AX = 0912h (Get breakpoint infos)
! Z1 H& ^4 o; b. V$ m-AX = 0913h (Set Sice breakpoints)& }& I0 K) C" f, |
-AX = 0914h (Remove SIce breakoints)
5 U! t% l# r1 @- |
* a& k; d) G- m$ z H( vEach time you'll meet this trick, you'll see:1 Q6 S4 O+ ~* o, g$ j9 A6 o' q8 I
-SI = 4647h" x' Z) o: _4 c9 \" F( O& Q( T, \+ N
-DI = 4A4Dh
2 f. f8 x5 l, C9 p6 j+ Q$ a. sWhich are the 'magic values' used by SoftIce.
L/ d ^3 E6 C: F9 dFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' z! d& d. [* p! {8 Q" T) L8 L1 ^4 B' y9 k! X
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ q: o) ^. e3 c: U8 REnvelope utility use to protect DOS applications:6 X% F5 o* `# ] A* y3 U" s% s, H
+ \) ~: a9 C( ^6 p9 q2 t: F, [2 V/ u9 r5 r v! ]( T& r; \
4C19:0095 MOV AX,0911 ; execute command.
/ k, F: a" A$ M* @8 O# x4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
# c) |4 `/ z. w2 O4 n1 F% e4 |4C19:009A MOV SI,4647 ; 1st magic value.
# n8 t) i- ~: |: A/ m4C19:009D MOV DI,4A4D ; 2nd magic value.0 [' {1 l/ f) S J
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
9 g9 G; ]/ Z& G4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute* U! h0 |5 I6 t
4C19:00A4 INC CX
' m/ U }' }; n9 f( S2 F4C19:00A5 CMP CX,06 ; Repeat 6 times to execute W, u( ?* u- P) q8 b
4C19:00A8 JB 0095 ; 6 different commands.& v6 C1 e/ e8 o5 e# L+ x' E
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
; i) v/ q& D! [' h6 \8 `* }- ~3 F4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
9 \- D+ T! s a( J
& w$ @: W, q; r6 _; T; dThe program will execute 6 different SIce commands located at ds:dx, which
& B4 N8 b, q# u8 f$ n0 \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 t5 y0 t3 t* Z9 m4 B
0 L( }3 X8 f: H5 j: S3 S* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 `* v/ r* ~8 V( o* m___________________________________________________________________________" z7 C+ {6 m* B. b6 E; A2 g
( W$ K [% y0 i4 \2 J! ^) `* R5 K3 M1 R5 P' X
Method 03 L; L2 ]) X* a. b6 P4 X3 [1 _
=========
" G. Z t3 V# ~9 Z9 H7 i
, ?& i+ i1 S+ D9 t KLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h; {9 t+ ?' Q( i0 L' ^* R7 u
(API Get entry point)
T& N' h8 g# k- ?8 R0 `. v . P% y! i3 I' }$ h
/ B$ y7 H* C; |# f( h
xor di,di1 D. Q+ q4 W% U
mov es,di# a. r k* ~$ i
mov ax, 1684h 8 i7 i! d; i+ v6 o3 _
mov bx, 0202h ; VxD ID of winice4 _8 G) ~8 n9 q$ ]; Y
int 2Fh
" K9 v: q, o0 a1 w G. g3 B; b mov ax, es ; ES:DI -> VxD API entry point
6 D# {' ]6 k2 ~9 Y add ax, di
9 G" n0 s: I1 u$ g test ax,ax; U( o9 w. W( j* W, r
jnz SoftICE_Detected M. F, r( k) s! @4 c5 u/ N
8 Z* X' B) K s
___________________________________________________________________________+ k# y8 O/ p0 j; G x
$ n8 o, Y* T/ w6 b4 j& QMethod 048 i/ k8 R# j; a: B* b E* u+ l
=========
: V/ \ p3 w- n, ~0 y u2 N$ b' I
Method identical to the preceding one except that it seeks the ID of SoftICE
d# F9 ^: w; bGFX VxD.
, @5 f. G* m+ K- y5 u, C# k1 Z5 t2 }+ O3 A+ t9 N0 ^7 H
xor di,di
4 n% E6 r& N2 } b5 `/ d; S mov es,di) H; P1 O0 Z$ K- |
mov ax, 1684h 2 B% N$ B( @2 o; C+ P2 b+ J1 ?3 q
mov bx, 7a5Fh ; VxD ID of SIWVID4 D! {, q0 K# k& \7 | V3 @
int 2fh% Y$ y- t( }6 f1 ]& E
mov ax, es ; ES:DI -> VxD API entry point0 Y; o4 @7 s3 }( Z
add ax, di
. ]4 W% m7 H2 {) a test ax,ax
6 u! c' ]2 [2 U jnz SoftICE_Detected
9 c% s* \* |2 C' ^8 R7 I& V
' P, J2 {5 W: w. ?/ [& _. O+ v__________________________________________________________________________- N2 J @) y, G: `+ N7 j! N% Z% I
3 q( a/ _& h, a0 z. Z
7 w; h. |& a, SMethod 05
- }% q3 c' M3 R' `: v=========
& w( G8 s7 T4 n8 O* T) y+ a1 u( A! Z3 i( m' b+ U1 F( Y- S/ o& r
Method seeking the 'magic number' 0F386h returned (in ax) by all system
2 }& a' T6 Z# S6 x& @9 ldebugger. It calls the int 41h, function 4Fh.# C r3 D* {1 T. ]
There are several alternatives. 0 _ j" |. o6 N$ E N2 M O
( B( h }; ^, c- w" Y: o/ ^+ @The following one is the simplest:
B @1 s% r4 S3 ?$ W2 F7 @! U
4 z G" I+ @$ V! F mov ax,4fh
5 i: o( l3 c5 ~+ i8 N int 41h
7 v$ z5 y2 r/ B cmp ax, 0F386( p- d& [% A5 ~( K: d" u0 i1 A
jz SoftICE_detected
0 V( i) E8 i# c' ?- W' S. R, [7 L. C1 [) d- h4 [. |) @
?5 G& q& ]* C: ~$ y
Next method as well as the following one are 2 examples from Stone's
% M8 e7 u/ d2 O"stn-wid.zip" (www.cracking.net):
& }& k x4 Y( a
$ o( |6 \' l8 f" x0 {3 a6 u: m3 K mov bx, cs
: T- B# A/ y$ v7 u lea dx, int41handler2
4 A" t' l* P" ?1 b6 a. u2 F, W xchg dx, es:[41h*4]7 a& ^9 l8 t3 p5 g
xchg bx, es:[41h*4+2]$ [! b6 ?* S6 l6 n
mov ax,4fh
: N6 l# e3 U' N J+ n int 41h
. x: a( y- ~, M4 O7 V" m ? xchg dx, es:[41h*4]
; M2 A4 y( s1 ^0 ] xchg bx, es:[41h*4+2]
9 e5 H" ~- B" y cmp ax, 0f386h; n" ~/ \0 Z2 ]
jz SoftICE_detected d* \ M" d' @( v$ f3 q4 h1 Z
# o3 W3 I' a4 ^7 M1 ]int41handler2 PROC$ a) R1 W$ o! S' v7 K
iret
6 w5 S; J9 v0 J4 J jint41handler2 ENDP
) n" T k5 P8 U% o# r) _& e0 E% l( ]! K7 @0 c w+ K; x- r* p
- A* O1 m. o* K- b U/ p# {
_________________________________________________________________________
, Q" u% n/ w0 c7 w) K" ?6 U
0 |3 {+ Z W$ Q- o8 p
% m! Z0 n& h b0 D1 g v" {: aMethod 06
- A" ~( l" [) q7 t2 f0 I K7 r$ z3 o=========0 L3 O- W/ d$ Z8 L
0 |: m3 E* h" h, a
; D# k8 M# b( ~8 L8 w3 j1 _2nd method similar to the preceding one but more difficult to detect:1 k1 q+ | f0 r, `4 X) ^* N
# f0 e" A. A! i0 S; ]7 c% V/ {! \! R8 K0 j, L; K
int41handler PROC, m! K) ?! V& {4 K
mov cl,al. g( U) L, c! @
iret
0 D2 p. ~+ A$ M; R2 H$ h6 o$ O8 wint41handler ENDP* d# p4 G7 T. @ I
8 |% R/ D; ?' R5 ^+ q+ H. V% i0 f; E. K5 e' \
xor ax,ax
0 m8 b! i0 G9 T5 R8 I# u mov es,ax) h" Q2 X; d6 [+ G: D7 }
mov bx, cs
( Z+ L* e* ^( y lea dx, int41handler$ d# w, @5 }9 c( E/ y/ S
xchg dx, es:[41h*4]! o% m) @% Z/ T- B$ L/ i7 ]: o, h
xchg bx, es:[41h*4+2]) F$ y- n$ i9 h% h6 a3 `, ]
in al, 40h# H! j0 v6 y* ]; c$ p9 e
xor cx,cx
' Y! Z c" l H, }% u* M int 41h2 {1 D" e' u% C1 N P9 z
xchg dx, es:[41h*4]* @- j. {, t! W
xchg bx, es:[41h*4+2]/ }% d3 j* `$ Y& B6 V9 G' V
cmp cl,al
2 P+ u% D% L$ w: R1 t$ P) Q jnz SoftICE_detected% j2 r: ]$ m8 V& L/ g
3 h8 S& n# E4 w' n$ ]9 i) P3 y! e
_________________________________________________________________________& [ O+ e$ D# T- \. i4 R
! j% D2 P. h6 T5 E4 |" `3 N* s
Method 07
( b: x& s9 ^$ C. Y2 e) T% [=========
6 L9 \6 V- o& A& u) p
( [) H, u- r! C! MMethod of detection of the WinICE handler in the int68h (V86)1 L5 g% Q+ ^. D$ y$ J% U
5 `& F$ p# e; v; s# @5 F
mov ah,43h$ W; A+ @* _3 B
int 68h: x' ?% ~5 {) O, l2 @. ?
cmp ax,0F386h
" _/ l m3 c" S0 s7 q5 L6 O2 J" x jz SoftICE_Detected
4 W; P; v% u: f# H! x7 O2 Y: ?3 m8 A# [5 O' }- R, ~3 P5 E, V8 ~
; y3 H0 @6 z8 J+ z9 d: b=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" h2 }. k) X$ k" T c+ j
app like this:5 ]- ~ h2 C0 R5 I8 j
; O! d( |- y2 M- I8 @- b, U BPX exec_int if ax==68
- O8 ]0 T& {! D; F, `! ~; }/ y: F3 B% D (function called is located at byte ptr [ebp+1Dh] and client eip is
+ Q: m) g8 A7 ] located at [ebp+48h] for 32Bit apps)9 ]7 ?* E& W2 k5 k
__________________________________________________________________________
+ e# K: J) ?! e/ b1 u1 Q7 `
+ S0 m$ h" O* i- c! A
" {: ]# C& }* W- v. m3 wMethod 08
6 x6 Z$ t( i9 ]9 L4 Y0 f=========- s4 S; {5 Q# ?- Y4 O
- z# ?, E" d, B2 G( a6 h3 o
It is not a method of detection of SoftICE but a possibility to crash the
U, a0 ~) W$ k6 |# jsystem by intercepting int 01h and int 03h and redirecting them to another
8 ]" m {' b5 a! D `routine.9 f% \; a1 K) Y) D1 \7 O: @
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
. E$ M; I( O8 @) i3 \4 v7 ^to the new routine to execute (hangs computer...)
% f5 W: ^- f/ h+ j( Z
% O' a7 ]7 e7 |, V mov ah, 25h
* {# f8 Y+ v Y0 D mov al, Int_Number (01h or 03h)
' w2 u6 [4 g0 i: D mov dx, offset New_Int_Routine
3 E1 w: ]1 g7 _0 { int 21h c" [9 H& D1 F" v( b; G/ l9 y
/ |; n3 G6 L. a( A__________________________________________________________________________4 n: Y" h" T2 ~% a$ i
7 Q; I7 r! L2 V0 Z8 W7 RMethod 09
7 t- c/ E7 M4 A# w4 a=========
2 T0 l' {' K+ m" z" z% S) B; G! p" d) R2 R( h I* }# A, _* i
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only/ ^5 a: S, @1 w9 X; x6 ^
performed in ring0 (VxD or a ring3 app using the VxdCall).
# o' W/ k. u+ v" W& E3 {+ [The Get_DDB service is used to determine whether or not a VxD is installed
2 Y8 v5 q' B6 K. E$ T9 ffor the specified device and returns a Device Description Block (in ecx) for
, [! r7 M& Q5 H2 v% Jthat device if it is installed.
0 _0 ~% i/ c( T% k8 I0 v& [6 K- ~4 h; O, s
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 j+ s- v5 f8 ^4 ~: ]; V0 Y mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)* e& O( \. k/ }* ?7 [1 G, f
VMMCall Get_DDB
6 A, G! I1 u4 K$ S4 V mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
2 n4 S$ C9 v& `+ k" V: X/ R. V5 v K7 y/ |' I5 A
Note as well that you can easily detect this method with SoftICE:
3 ~6 w- S- p( e$ w7 S bpx Get_DDB if ax==0202 || ax==7a5fh
2 D/ h- Z2 ^1 Z4 \9 k9 k" g# y3 B3 K2 P4 o4 A
__________________________________________________________________________. v$ j- R, Y0 [' R7 u8 o
0 H# ]4 l! p, m6 l
Method 107 n5 p) i [( U B+ N: D
=========
5 s: E: j, A# ^) G3 k# F% f
# j$ i$ C% D2 F9 K4 z=>Disable or clear breakpoints before using this feature. DO NOT trace with
" L+ A6 e; d$ h! w8 Q SoftICE while the option is enable!!; @, ]& C- G9 [; J
' z3 \ x! V$ rThis trick is very efficient:
9 U$ t# v2 N z* J0 mby checking the Debug Registers, you can detect if SoftICE is loaded
6 X$ O+ ]+ M+ P# t- r+ B9 K9 D% P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 U* J8 k, S8 U9 K
there are some memory breakpoints set (dr0 to dr3) simply by reading their* P" [$ {0 _4 C6 O5 `4 F
value (in ring0 only). Values can be manipulated and or changed as well
# t( {3 y* l; M7 d(clearing BPMs for instance)" M+ Z, p; ~- l6 b/ W, J. ~+ G
b2 s, j) h4 ^6 }3 _5 X
__________________________________________________________________________
8 z( a' J* }; i. _& }
5 D4 r% a- J. }; U# c4 ]* x, m5 |Method 11
9 m/ Y; {4 ?. y- s* ~# H3 A/ X: X=========' T( Q1 g( ^) w! \
& {9 b6 q) u% V: p: j6 W4 A3 NThis method is most known as 'MeltICE' because it has been freely distributed
, ^9 V r6 m5 ]0 ~/ Yvia www.winfiles.com. However it was first used by NuMega people to allow
" c, H/ g& e& z3 LSymbol Loader to check if SoftICE was active or not (the code is located
V" c/ R- {$ I0 h8 Binside nmtrans.dll).
9 z9 }+ ~) s# a9 W; L
- ^# e* Y- K C m" hThe way it works is very simple:% H" s8 V, Z+ }) I; [0 t
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. b* Z2 ^: Z- Q$ O1 r$ aWinNT) with the CreateFileA API.( L! u4 j; ^ Y# z
X0 A4 R1 t6 Q W! r
Here is a sample (checking for 'SICE'):3 q; U0 Q0 H1 g( @
, M" x1 c7 f, ^6 g; d! OBOOL IsSoftIce95Loaded()+ e z# v* w" }
{
% U( A9 z7 F; L9 z HANDLE hFile; 8 H. P# F) i* H: \$ L7 e! @
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 G' z( V' D, }; y
FILE_SHARE_READ | FILE_SHARE_WRITE,8 w; ~# F$ @$ R5 ]" i }5 A2 R# q( z
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);& o, t- I; Y+ n3 \4 c
if( hFile != INVALID_HANDLE_VALUE )' R+ ^1 `5 D/ y0 A. z r6 C8 M) w
{
( q. R/ w/ Q3 \1 c: K CloseHandle(hFile);
/ w# U1 u" D. S A+ X; C( A" M return TRUE;
4 S, A( s2 d/ x }( h `4 E" }: U$ b1 \+ t1 E2 b3 f
return FALSE;
6 v) v+ ^! ^1 \4 ? E" `. |7 `2 \$ i! {}' N2 I2 _1 ^# Y: @
?% u5 o% w, d ]7 M4 D, z8 pAlthough this trick calls the CreateFileA function, don't even expect to be
! p2 u" F# V4 B# w. F. mable to intercept it by installing a IFS hook: it will not work, no way!# D F7 Z; N2 X" J" p3 e6 |
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
; ^- F9 k0 q& U8 ^* Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
' W6 p4 i2 l1 I* S) \( ]/ s9 |and then browse the DDB list until it find the VxD and its DDB_Control_Proc; I- S9 V, E' K
field.
& {0 {# A4 N* x IIn fact, its purpose is not to load/unload VxDs but only to send a
2 a# ?* x$ k# K* uW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). G) q" {) O- u4 U. J$ M: f
to the VxD Control_Dispatch proc (how the hell a shareware soft could try/ r3 E: y2 w6 b ?; y4 G7 |1 j
to load/unload a non-dynamically loadable driver such as SoftICE ;-).6 A8 Z+ l6 _# w' f
If the VxD is loaded, it will always clear eax and the Carry flag to allow
9 X0 [7 w9 a: Gits handle to be opened and then, will be detected.9 [+ {, z( n5 l$ | l: D; i3 f x
You can check that simply by hooking Winice.exe control proc entry point
8 N5 [- K0 C# J) L) p/ pwhile running MeltICE.1 v$ n# C D$ b2 j$ T# R- @7 \
! x2 \) h' q/ a0 X0 X
* n. H, b" `2 L9 e( j1 q+ x" E
00401067: push 00402025 ; \\.\SICE
% K7 ^5 Q/ F) u0 X5 Q4 E# ]& r 0040106C: call CreateFileA4 Q, Y9 G, E0 O7 u* X8 |( m: R0 _" D( v
00401071: cmp eax,-001
: b1 |5 k, a9 P 00401074: je 00401091
8 P: @3 d9 T/ B& c) r h Q) o4 o& W# e/ _
* Q5 C" s3 _2 s) H. }There could be hundreds of BPX you could use to detect this trick.- Z n. q& Z) Q& q, M
-The most classical one is:9 I$ c9 Q0 g+ A/ C; l
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||! }0 \/ `: l' G" x# x: x6 b: x
*(esp->4+4)=='NTIC': c( ~ M W; F6 J
, i. U5 a2 v1 u& n1 ?0 t
-The most exotic ones (could be very slooooow :-(
$ ]7 J8 a- a- d BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 4 l4 d0 F9 l4 ]: L K
;will break 3 times :-(
2 }3 c* n) _% H: U
( ^7 O2 V4 `! b2 _* ^2 P! {# z-or (a bit) faster: : {( L, R8 y7 V- |8 c4 a4 _# o
BPINT 30 if (*edi=='SICE' || *edi=='SIWV') w, p6 u+ h8 U
; C& c# c0 I. b x# H BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
) I; U7 l4 ?$ L! ^ ;will break 3 times :-(
9 x% m; ^' I5 z' V- @
+ R D4 p* m J+ j- }5 N-Much faster:
' Q& ~; J' i- k" b8 \4 j BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; ^, `0 Y4 H7 q0 {. u3 s% F
4 M' A) L8 a6 Q7 t
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ Y& D& u! y, B5 Nfunction to do the same job:0 @0 p+ q9 g+ K1 X
. P1 `7 @" H& b2 g* J/ Y& H& {
push 00 ; OF_READ
* ~2 ?! M7 M# u y' b' j# K# Q0 M mov eax,[00656634] ; '\\.\SICE',08 {' c$ ]/ O4 h( |& C/ q
push eax+ C0 H3 B6 d$ O, {
call KERNEL32!_lopen' c- p( L, M# J% t
inc eax' V9 S' s8 \4 Q0 e* ^6 J7 i K! r9 B" C
jnz 00650589 ; detected
) o! R% ?/ e4 m& B! P1 l push 00 ; OF_READ
8 w2 k3 u! ~" X0 I, p/ m% m V X H* d mov eax,[00656638] ; '\\.\SICE'8 A: M6 G, `% `) e( f6 H, D
push eax
7 f* J1 B+ E5 _9 V0 [ call KERNEL32!_lopen" i! U; F" a0 R8 W$ F& C" D1 L
inc eax- r4 J: A! x$ T8 ~ z
jz 006505ae ; not detected: u1 O. N) W& E
; }6 f& m0 u- Z2 c# W6 K, v5 u
2 i8 W' G/ K/ l8 L
__________________________________________________________________________
( H }/ M8 C% j O
* D6 |: A) W: f0 T6 a: r+ C/ JMethod 12
. [: V/ R( j* m( ^=========
- X, W; d! B/ f. o+ x8 m) z6 E: I
$ ]7 p* a& T+ W [, }This trick is similar to int41h/4fh Debugger installation check (code 05
- h2 d4 v& L3 z0 s& 06) but very limited because it's only available for Win95/98 (not NT)
- P; o, C g+ s/ M4 Das it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 k9 E' ]9 n6 y# h% ]" J8 { f
( O" k) R8 C2 @* V& C- J push 0000004fh ; function 4fh
8 @) W9 A8 O# K! i" y% g push 002a002ah ; high word specifies which VxD (VWIN32)
9 a6 i# P; I/ B ; low word specifies which service
. l: j: [$ d" _5 ] }; E9 ^ (VWIN32_Int41Dispatch)
( E' q' m# `% {/ r9 g2 I0 Y call Kernel32!ORD_001 ; VxdCall
" K! K0 a u; s% m- ?5 e cmp ax, 0f386h ; magic number returned by system debuggers
7 j7 b! p' X! L jz SoftICE_detected
1 L4 P3 J3 u" ^9 o: c
! v* h" R) w: n1 J# u- c/ o5 \' tHere again, several ways to detect it:
" z4 J, w0 l$ i) N4 O0 s, g$ V8 O5 b
BPINT 41 if ax==4f
9 S0 d! q) x) x% M# X
) c! k3 c, M1 g- ~ BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one8 M6 _5 K) ^( R, [
! a6 d$ P& ~! L! g, s
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A0 I9 p6 i; f- s& f3 v
- R. z3 J+ E) }. M
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
t* f, E$ `, l& K! c; ]& q4 J
4 f9 q# m4 Y: h__________________________________________________________________________
% p# I: N/ g6 H: H7 b5 E. C' Y6 Z. J, v4 f
Method 13
+ C% ~( [# ]' r$ L% x. T=========
, X# R8 Z+ Q$ [; o+ M6 z4 b5 F: G2 v5 s. u$ N( a5 `4 L9 `
Not a real method of detection, but a good way to know if SoftICE is- m1 H0 x$ ]" M: j* \: q
installed on a computer and to locate its installation directory.& q4 K- L7 Y# b4 }; w
It is used by few softs which access the following registry keys (usually #2) :
( d' X* p% W$ N" K3 D* \8 y5 L1 A" s4 m4 g9 r: X, |( l
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 T3 k0 d- g# m% A' j\Uninstall\SoftICE
/ }& v# y- \/ ^8 r, r: q-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) U0 h! n/ \! w7 m5 s, u: ^+ w-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. }0 f8 l, A: I4 ^# q\App Paths\Loader32.Exe
) f- G0 M7 l- R3 y/ a! V) y
! ~8 R+ K5 w& F5 U- C9 s/ o7 ]7 e! O |8 ?/ ^5 i
Note that some nasty apps could then erase all files from SoftICE directory! ^( i% t/ h, F: G$ G
(I faced that once :-() r- v& {% ^$ n
! h/ n8 c ^/ l
Useful breakpoint to detect it:
4 u* |# z: T5 K0 `/ n- A5 K) Y" k, R, Y3 a& M5 i. r {3 h
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
0 @0 _3 `9 g! W8 r0 C8 t* O7 O! c8 S+ Z& V
__________________________________________________________________________
& D C% c# n+ g- w
t8 u5 I6 R1 b! Q; {6 { r/ Z
, [. Q' ?* m% f6 j8 _, H- mMethod 14
6 t9 ]3 |* O4 ~2 a$ y' x; q=========
+ g4 X$ f( W6 M6 j3 K
/ a& n4 O! g6 y6 d4 z5 XA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: k/ F/ |3 k: D
is to determines whether a debugger is running on your system (ring0 only)./ [" ]* Z" I4 l) S2 |6 G" c
. p! S6 n2 q9 L' U
VMMCall Test_Debug_Installed' P: g3 k4 [- B: ^/ Z
je not_installed- o, c5 m) o& v4 w; }/ ~/ q7 b+ e
$ ^5 g O u4 e7 q3 m7 M
This service just checks a flag.! T; B4 u8 V- q' m
</PRE></TD></TR></TBODY></TABLE> |