<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax alone; a debugger returns F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; al = timer value (unpredictable)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler never ran, a debugger took int 41h
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
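
Methods 01 to 07 all come down to a software interrupt issued with specific
values in the registers, which is what an analyst looks for when unpacking.
The Python script below is an added example, not code from the original text
or from any program it cites: it sweeps raw x86 code, keeps the last immediate
loaded into each register, and reports every int 3 / int 2Fh / int 41h /
int 68h whose register state matches one of the checks above. The sample byte
strings are constructed for the example, and the decoder handles only the
opcodes these checks use, so a production scanner should be built on a real
disassembler.

```python
# Added example (not from the original text or any program it cites):
# register-tracking scan for the interrupt-based SoftICE checks of Methods 01-07.

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# int 3 back-door functions (Method 02) and VxD IDs (Methods 03/04) from the text.
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command at ds:dx",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}

def _imm(code, pos, width):
    """Little-endian immediate at pos; a truncated tail decodes as fewer bytes."""
    return int.from_bytes(code[pos:pos + width], "little")

def decode(code, bits=32):
    """Linear-sweep decoder for just the opcodes these checks use: mov r8,imm8
    (B0+r), mov r16/r32,imm (B8+r), int3 (CC), int n (CD ib) and the 66h
    operand-size prefix. Every other byte is skipped as one unknown byte, so a
    production scanner should sit on a real disassembler instead."""
    i = 0
    while i < len(code):
        start, opsize = i, bits
        if code[i] == 0x66:                    # prefix toggles the 16/32-bit operand size
            opsize, i = 48 - bits, i + 1
            if i >= len(code):
                break
        op = code[i]
        if 0xB0 <= op <= 0xB7:
            yield start, "mov", REG8[op - 0xB0], _imm(code, i + 1, 1)
            i += 2
        elif 0xB8 <= op <= 0xBF:
            width = opsize // 8
            reg = (REG32 if opsize == 32 else REG16)[op - 0xB8]
            yield start, "mov", reg, _imm(code, i + 1, width)
            i += 1 + width
        elif op == 0xCC:
            yield start, "int", 3, None
            i += 1
        elif op == 0xCD:
            yield start, "int", _imm(code, i + 1, 1), None
            i += 2
        else:
            yield start, "db", op, None
            i += 1

def _write(regs, reg, value):
    """Store into a sub-register, preserving the rest of the full register."""
    if reg in REG32:
        regs[reg] = value & 0xFFFFFFFF
    elif reg in REG16:
        full = REG32[REG16.index(reg)]
        regs[full] = (regs[full] & 0xFFFF0000) | (value & 0xFFFF)
    else:
        idx = REG8.index(reg)
        full, shift = REG32[idx % 4], 8 * (idx // 4)   # ah/ch/dh/bh live in bits 8-15
        regs[full] = (regs[full] & ~(0xFF << shift) & 0xFFFFFFFF) | ((value & 0xFF) << shift)

def find_softice_checks(code, bits=32):
    """Walk the code keeping the last immediate loaded into each register and
    report every software interrupt whose register state matches a check."""
    regs = {r: 0 for r in REG32}
    hits = []
    for off, mn, a, b in decode(code, bits):
        if mn == "mov":
            _write(regs, a, b)
        elif mn == "int":
            ax, bx = regs["eax"] & 0xFFFF, regs["ebx"] & 0xFFFF
            si, di = regs["esi"] & 0xFFFF, regs["edi"] & 0xFFFF
            if a == 3 and si == 0x4647 and di == 0x4A4D:
                hits.append((off, "method 02", BACKDOOR_FUNCS.get(ax, "function %04Xh" % ax)))
            elif a == 3 and regs["ebp"] == 0x4243484B and ax == 4:
                hits.append((off, "method 01", "BoundsChecker 'BCHK' signature"))
            elif a == 0x2F and ax == 0x1684 and bx in VXD_IDS:
                hits.append((off, "method 03/04", "VxD entry point of " + VXD_IDS[bx]))
            elif a == 0x41 and ax == 0x4F:
                hits.append((off, "method 05", "int 41h/4Fh debugger check"))
            elif a == 0x68 and (ax >> 8) == 0x43:
                hits.append((off, "method 07", "int 68h/43h WinICE handler check"))
    return hits

# Constructed samples modelled on the listings above; not bytes from a real file.
DOS_SAMPLE = bytes([
    0xB8, 0x11, 0x09,        # mov ax,0911h
    0xBE, 0x47, 0x46,        # mov si,4647h
    0xBF, 0x4D, 0x4A,        # mov di,4A4Dh
    0xCC,                    # int 3        -> Method 02, execute command
    0xB8, 0x84, 0x16,        # mov ax,1684h
    0xBB, 0x02, 0x02,        # mov bx,0202h
    0xCD, 0x2F,              # int 2Fh      -> Method 03 (SICE VxD)
    0xB8, 0x4F, 0x00,        # mov ax,4Fh
    0xCD, 0x41,              # int 41h      -> Method 05
    0xB4, 0x43,              # mov ah,43h
    0xCD, 0x68,              # int 68h      -> Method 07
])
WIN32_SAMPLE = bytes([
    0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp,4243484Bh ('BCHK')
    0x66, 0xB8, 0x04, 0x00,         # mov ax,4
    0xCC,                           # int 3  -> Method 01
    0x3C, 0x04,                     # cmp al,4
])

if __name__ == "__main__":
    for label, code, bits in (("DOS", DOS_SAMPLE, 16), ("Win32", WIN32_SAMPLE, 32)):
        for off, method, what in find_softice_checks(code, bits):
            print("%s +%#04x: %s (%s)" % (label, off, method, what))
```

Tracking register state rather than matching fixed byte strings means the
scan still fires when a packer reorders the mov instructions or loads the
magic values through 8-bit halves; the price is that a single unknown opcode
of the wrong length desynchronises the sweep, which is what a real
disassembler fixes.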
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
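
The two DR7 values quoted above are easier to reason about once the register
is split into its fields. The Python decoder below is an added example, not
from the original text: the field layout is the documented x86 one (bits 0-7
the local/global enable pairs for dr0-dr3, bit 8 LE, bit 9 GE, bit 10 reserved
and always set, bit 13 GD, bits 16-31 the R/W and LEN condition of each
breakpoint), and the reading of 0x700 versus 0x400 follows the text.

```python
# Added example: decode an x86 DR7 value into its documented fields.
# Field layout per the Intel SDM (vol. 3, "Debug Registers"); the meaning
# of 0x700 vs 0x400 follows the text above.

RW_KIND = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 bytes is only defined in long mode

def decode_dr7(dr7):
    """Return a dict describing the enable bits, LE/GE/GD flags and the
    R/W and LEN condition of each of the four address registers dr0-dr3."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: bits 0,2,4,6
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: two bits from bit 16
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: two bits from bit 18
        bps.append({"index": n, "local": local, "global": glob,
                    "enabled": local or glob,
                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": bps,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "GD": bool((dr7 >> 13) & 1),              # general detect (traps mov to DRn)
    }

def active_breakpoints(dr7):
    """Indices of the address registers (dr0-dr3) that are armed: the BPMs."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]

def looks_like_softice_loader(dr7):
    """The 0x700 pattern from the text: LE and GE set, nothing armed.
    0x400 (reserved bit only) is the ordinary state."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not active_breakpoints(dr7)

if __name__ == "__main__":
    # 0xD0001 is a constructed value: dr0 armed as a 4-byte write breakpoint
    for value in (0x400, 0x700, 0xD0001):
        print("dr7=%#x loader=%s armed=%s" % (value, looks_like_softice_loader(value),
                                              active_breakpoints(value)))
```

0x400 is just the reserved bit, so a DR7 with nothing armed never reads as
zero; 0x700 adds the LE and GE exact-breakpoint flags with no address
breakpoint enabled, which is why the text can tell the two cases apart before
any BPM is set. Once dr0-dr3 are armed, the low byte and the R/W and LEN
fields reveal each memory breakpoint.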
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the device name only succeeds when the driver is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025   ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

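Both the MeltICE-style checks (Method 11) and the registry lookups (Method 13)
leave the device names and key paths as plain strings in the binary, which is
the fastest thing to look for when triaging a protected program. The Python
scanner below is an added example, not code from the original text: it
searches a binary image for the device names and registry paths listed above,
case-insensitively and in both ANSI and UTF-16LE form (the wide form is a
generalization to cover the W variants of the same APIs; the text only shows
CreateFileA and _lopen). The sample image is constructed for the example.

```python
# Added example: find MeltICE-style device names (Method 11) and the
# registry paths of Method 13 inside a binary image, in both ANSI and
# UTF-16LE form and regardless of case. Names are the ones given in the text.
import re

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

def _compile_patterns():
    """One case-insensitive regex per (name, encoding). IGNORECASE on a bytes
    pattern folds ASCII letters only, which is exactly what UTF-16LE needs:
    the interleaved zero bytes are matched literally."""
    pats = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for name in names:
            for enc in ("ascii", "utf-16-le"):
                rx = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
                pats.append((kind, name, enc, rx))
    return pats

PATTERNS = _compile_patterns()

def scan_for_softice_refs(data):
    """Return sorted (offset, kind, name, encoding) tuples for every match."""
    hits = []
    for kind, name, enc, rx in PATTERNS:
        for m in rx.finditer(data):
            hits.append((m.start(), kind, name, enc))
    return sorted(hits)

# Constructed sample image: a device name as an ANSI string, then the
# NuMega registry key as a lower-case UTF-16LE string, with filler around.
SAMPLE_IMAGE = (b"\x00" * 4
                + b"\\\\.\\SICE\x00"
                + b"\x90" * 3
                + "software\\numega\\softice".encode("utf-16-le")
                + b"\x00\x00")

if __name__ == "__main__":
    for off, kind, name, enc in scan_for_softice_refs(SAMPLE_IMAGE):
        print("%#06x %-8s %-9s %s" % (off, kind, enc, name))
```

Registry paths are compared case-insensitively by Windows, so a program can
spell "Software\NuMega\SoftICE" any way it likes; the scanner folds case for
that reason, and the same folding is what lets the `_regopenkey` breakpoint
above miss a key written as 'tice' instead of 'tICE'.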
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>