<TABLE width=500>
7 ^4 P" x7 L9 @, Z! X" l<TBODY>3 i l* @+ j @& O
<TR>6 q7 I s. l6 F, I4 ?7 t0 M
<TD><PRE>Method 01 ) Y* g' Y. J5 r: z" M# ?& Q
=========6 {: A! ~- d/ N% ?+ L4 v' a. b
1 O- y( G3 P6 H6 w' y- NThis method of detection of SoftICE (as well as the following one) is# a* o7 T2 w, K6 B: W( _3 [
used by the majority of packers/encryptors found on Internet.
0 Z$ O. R5 J: C; k0 N5 z* \It seeks the signature of BoundsChecker in SoftICE7 A" r( G/ k6 H2 s6 b/ k
$ V) q) |4 J1 e9 f( V6 Z% l* T
mov ebp, 04243484Bh ; 'BCHK'! e% J9 u1 _: e7 \7 b+ E
mov ax, 04h
$ j& R) i$ q/ [" H int 3
! ~" n0 }: {2 r6 Q& k0 E cmp al,4
) z' S3 b7 L6 k% p jnz SoftICE_Detected2 ]2 |/ n/ S$ N9 ^0 V
2 A% j1 h5 I$ j0 S- u___________________________________________________________________________* n1 i3 d% D& l$ J* Y3 H
8 O( {( }( r3 x3 ?, N2 b y
Method 02" A+ ~' V! d3 w1 o; q
=========
' k! ^. `. e- C1 w3 F" x9 P; y1 D( E( r+ l
Still a method very much used (perhaps the most frequent one). It is used
6 K" [% t% S4 N6 M K6 q6 w/ xto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
. }/ D% ^2 O" N6 aor execute SoftICE commands...
- \% @% ]3 y. G1 P1 F1 D2 hIt is also used to crash SoftICE and to force it to execute any commands
+ y! n- c, w7 p(HBOOT...) :-((
1 i. r8 j' ?- S! \) S9 @
" Q" r l2 ?- eHere is a quick description:
/ O4 b* Z) C. t' R-AX = 0910h (Display string in SIce windows), w0 g' R6 {& N1 @' J- _
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
+ }- a+ H3 Q7 K% }* J; w$ Q H-AX = 0912h (Get breakpoint infos)
- k1 ?* B7 l2 `9 j8 D-AX = 0913h (Set Sice breakpoints); b$ c! u0 ^# I0 Z
-AX = 0914h (Remove SIce breakoints)
j. k/ i0 Q d2 m5 M! X. C- ^/ e( D) H8 Y* Q2 ]2 \9 H
Each time you'll meet this trick, you'll see:
3 I: b, A2 k6 `; {9 p7 s4 I3 K-SI = 4647h3 h1 m( x' M* |0 ^; v- b$ I0 n
-DI = 4A4Dh
# b) g$ v4 w8 d' d1 J* Z4 iWhich are the 'magic values' used by SoftIce.
* `7 ^# Z( J C9 `! a$ w q/ EFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.* w1 J" R) A0 ~# E- ^
- Q! [5 O5 }1 x9 bHere is one example from the file "Haspinst.exe" which is the dongle HASP
4 E/ ] ^: w9 W3 z( F- N" p8 FEnvelope utility use to protect DOS applications:
/ W+ h c4 u( i9 n2 K. a6 h+ B# ^& J# |$ m& N7 U9 Q9 J6 H! { m
5 j9 ?4 ?4 q2 x
4C19:0095 MOV AX,0911 ; execute command.0 x q) i* A, T) h$ d0 E5 i
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)." l2 p. Y8 |# p& g3 x
4C19:009A MOV SI,4647 ; 1st magic value.
6 B/ t0 ]+ q2 V4 t4C19:009D MOV DI,4A4D ; 2nd magic value.' L4 X3 Q5 u1 I: p8 t' x
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& @4 c, S7 v B) o: i* Q2 f4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
. {4 Y) w# \1 H/ C" \$ u4C19:00A4 INC CX
& R8 P7 U" ?" W c4C19:00A5 CMP CX,06 ; Repeat 6 times to execute3 M; h$ |) G: T
4C19:00A8 JB 0095 ; 6 different commands.
( E/ ?2 ?2 v# Z; m4C19:00AA JMP 0002 ; Bad_Guy jmp back.0 L1 W, y; a: s% K2 _8 z
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
* q& V; ]8 p! p( }5 u( L* C+ X7 C7 y& r9 G, w' _8 X& e
The program will execute 6 different SIce commands located at ds:dx, which" N4 Y. O+ [; j& o Y
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# b9 J6 K, W7 ^ @$ u7 k7 l+ `) x2 u, Z% f) G {
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
$ }5 e4 l: `2 _( l* d9 o0 z5 }" E___________________________________________________________________________
2 K$ T' W" `$ o; y5 y
% d4 O3 X% F9 {- L Z
7 E4 L8 {# [3 f% a& I! R# WMethod 03
, K6 ^3 D6 Q/ d( S# [2 l=========
0 K6 E8 w1 d2 N9 M( {: G8 r. c3 ~3 J+ W6 Z* U1 I1 z4 u; Y& r- A: `
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
1 m/ q$ ? p# m" @( R(API Get entry point)
- }/ Z8 b0 N& A2 y 0 W* L" E# I% M9 g. C1 @9 b
! Y, W+ t2 f) ^" b& L W( c xor di,di
/ r, j3 _1 g) c5 z/ K mov es,di
+ d. i; P- R) L7 d8 H mov ax, 1684h - R. {, r# W, f( I) p& n
mov bx, 0202h ; VxD ID of winice
5 b. y- Y0 B; S! z int 2Fh0 x1 L- {7 H- c$ q
mov ax, es ; ES:DI -> VxD API entry point
. | [) L1 k' c3 L' Z" z B/ ` add ax, di
- ^# T* e- u! e; {6 Z test ax,ax
+ E" t. t; f. @8 H% M/ _ jnz SoftICE_Detected( X: T% z& R7 i
5 b, N2 f8 R, h( Q8 `___________________________________________________________________________
0 x( M8 Q9 d0 @% R1 w2 p. f
5 N) _; W2 c, R; P4 Q* ]/ sMethod 04# G u) w7 \) ^/ W! ~
=========2 H! n& {% A- W( N/ { o
* R. T1 z+ x8 w( g
Method identical to the preceding one except that it seeks the ID of SoftICE1 i7 ]$ Z8 x6 p$ D& `& V9 f! f5 Q9 R
GFX VxD.
( f# H) \: M( W$ O' L6 ]" i. g. ^# q& G0 u
xor di,di4 }: r$ m+ _+ |$ Y
mov es,di% g$ K* n( d8 j+ Q# _# p0 W
mov ax, 1684h
2 ^5 F) [0 C/ ^ mov bx, 7a5Fh ; VxD ID of SIWVID+ f, ^3 l0 N( t0 F
int 2fh; w6 w$ x) z( G) ~
mov ax, es ; ES:DI -> VxD API entry point$ c3 C5 F0 G' H* g
add ax, di
) @0 r: K4 X( m6 k7 M test ax,ax
# ]% J& T1 c h" z jnz SoftICE_Detected. r7 S- K- S( D l! @
# f; D: I' Q! k__________________________________________________________________________
! p0 U4 i" E9 q! E+ ~1 \/ t$ ]2 h% m- A) b, n! X; c( t0 N2 O
$ L* }" u. k; N, RMethod 05
& m9 _* `2 G5 h6 Y+ R8 w=========5 r( h5 G1 K$ {; o7 x! ?9 R
" u& W! U5 X7 j; C- _' ?6 `
Method seeking the 'magic number' 0F386h returned (in ax) by all system& \9 o4 q" z# Z
debugger. It calls the int 41h, function 4Fh.; d; T8 o9 M, |' W' a
There are several alternatives.
% }. E8 `- D# G3 w( m! R2 B( a5 N# ^( m. p( m! v
The following one is the simplest:
1 M7 y+ ~1 J8 I: c. b, W
. M. z) J8 }& [3 K; W7 g! z mov ax,4fh7 k; M6 r7 X' [& H) j8 @! w, ?
int 41h9 L6 A8 i- S" Q6 L
cmp ax, 0F386! u/ y( D# Q5 A
jz SoftICE_detected3 k: ~, n+ @, F/ [" N
# V. r9 O# z, }- [" I# V2 d- v
* y( v# G1 i: ~7 }# y
Next method as well as the following one are 2 examples from Stone's
. u) d& ^" c! z$ z"stn-wid.zip" (www.cracking.net):# w2 Q+ G! m/ q: n8 y/ M2 V2 n
/ t N9 [, W- d mov bx, cs. R: g+ Y& P5 L0 {+ ?" [+ J' Z' R
lea dx, int41handler2
8 ~) B- f4 N% O1 A% W1 K xchg dx, es:[41h*4]& k* ^7 w+ O0 k z# g
xchg bx, es:[41h*4+2]
0 e# `9 @" _& h1 w mov ax,4fh* d/ b, M# }$ \; G
int 41h
' N$ [% T3 f. k% }3 m0 y, j* ^7 r- r xchg dx, es:[41h*4]8 Z1 D1 y$ b! G
xchg bx, es:[41h*4+2]9 Z4 a+ |2 F6 `0 i9 a; V
cmp ax, 0f386h+ ~ h% O, y3 e. J
jz SoftICE_detected! ~: D2 ^6 V- O' a5 p+ C" f/ f' M/ ]
1 V% X) i. `/ m3 \int41handler2 PROC
: j3 L( v3 m$ f% _# {% Z iret+ u/ H8 b" U4 {2 e, G* b. p
int41handler2 ENDP# J" x* |( T; E; D
% P2 f1 r6 ?/ ]' m+ H* l# a/ u
\/ }; E( {, H_________________________________________________________________________1 O& d6 C& {9 A4 Z9 k$ b; S3 g: B. T
$ E8 [! i! c- X3 A0 `
0 v9 ]" A3 z0 g X# j" TMethod 06+ l. N3 R0 t* a' R% _: ?) H
=========
; J' x! G9 z; z% h% M, g: C9 a3 n
/ X0 o" z( {+ @. Q# ?( w
2nd method similar to the preceding one but more difficult to detect:2 g! M5 @. i$ ?7 O# X. @( E
7 X( o r1 n: }% p0 ^) ]2 m( K
9 M! J' i O4 a% p. D) h$ t$ T
int41handler PROC3 {6 H, _- Y: Z0 j" _- m5 ]
mov cl,al
9 f2 X4 t$ ^0 C* ~4 t1 X! t iret
2 \& ~6 @" U) a- U3 \int41handler ENDP
' r, t' S( \6 R( |2 h+ h# J }1 h4 ^2 M9 B+ r% b/ j+ `( D. G6 U& Q& x7 x
. \! }+ N) T/ `4 ? xor ax,ax
. g) d8 Y9 a3 o8 V% ?7 a mov es,ax
; K- i# x. e. L- K3 v mov bx, cs" h; ?$ }( ~; E; p9 p
lea dx, int41handler4 u% J: A) y8 G: d& z* a6 ~
xchg dx, es:[41h*4]
* H w3 B/ r* Q/ B$ h) m3 F xchg bx, es:[41h*4+2]
4 C: m5 g7 q- p in al, 40h0 T; z+ }* k6 @7 T7 b$ r* k* N$ `& g
xor cx,cx+ o/ w! y' d' e) ~. C8 E
int 41h
) A4 m( o/ i8 @+ c$ h xchg dx, es:[41h*4]
1 x+ Q0 [/ W5 s$ u2 S. m4 k* C8 x xchg bx, es:[41h*4+2]4 E9 \9 Z* O2 _7 i& i: h
cmp cl,al+ f# M4 p$ L# P, H
jnz SoftICE_detected, Z0 q5 a' O1 P
- W V% t. @7 b0 v7 b/ w( h. A
_________________________________________________________________________
. C, \. Q: \4 u- k1 y5 x
) _* q* l3 p" ?5 }Method 07- Z8 W2 N* |! g/ r F
=========' d# G; d4 w- G9 J. {. h
( g* \6 [) V# B6 `6 U8 c
Method of detection of the WinICE handler in the int68h (V86)
" f" {" s' }+ Q/ N8 k
% O# A0 k( f, C6 R# b; \ mov ah,43h. i; \* H h" M, n- {5 T! E9 R
int 68h
$ j v' J: } A3 j# H cmp ax,0F386h8 \, n: n9 P2 {# f' C! O- i* T
jz SoftICE_Detected
# H! h6 Z' |& B7 w& f: Y2 F$ q* K
! ]. u6 C7 q7 W% n; p
' u5 \# g5 T. R=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 y3 X, c% f& f. M3 G
app like this:; |% w+ `8 m0 r. D9 O
. W4 w+ R6 j' i1 C( P4 U
BPX exec_int if ax==68. i/ X& @0 ~7 ^: R0 G A7 L
(function called is located at byte ptr [ebp+1Dh] and client eip is
& L+ }( G6 ]9 m( @# T4 k d located at [ebp+48h] for 32Bit apps)9 e( y# g! U( ?: Z
__________________________________________________________________________
- B1 y3 s: D- o4 i* X# e2 R
" K, {1 V6 i4 h* j6 ~
; R1 l' e+ ]) N/ jMethod 08
@* ^( G# t, C0 O6 ?7 e- A) ~( [# }=========
# n& k6 V- J9 w4 R8 i: Y8 T5 p( n0 k5 @8 W" J3 R2 b
It is not a method of detection of SoftICE but a possibility to crash the
} ^( g2 u8 F; J! ~system by intercepting int 01h and int 03h and redirecting them to another
$ Q$ {4 t: J& o% j+ N$ \3 |routine.( M* J0 Z/ H8 K9 e
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. I0 n8 u8 ^9 ]( y' V
to the new routine to execute (hangs computer...)
3 D, g; A6 Z$ ^- A! n+ t# G* P
7 I1 [7 U& ^/ g% P: j mov ah, 25h+ k; N' h* l5 f7 x( F) t9 Q
mov al, Int_Number (01h or 03h)
1 }' b2 p* A8 X mov dx, offset New_Int_Routine
4 v/ q5 _0 T4 T, n2 w @# R int 21h4 J! ~6 M6 g. a6 L8 M* e
3 Y) M0 t5 K) l" ?) S* u
__________________________________________________________________________
3 h$ v8 a' E+ F% u% H! b
4 @* Z! v; X! ?4 [$ ~+ {) }Method 09/ j: r. I& o! Y5 j
=========/ u* J. n1 E& v7 R% T
8 l8 g* O/ Q! X4 ^ ?$ R9 n" P
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- O4 p3 y% p1 R. b) X% l6 gperformed in ring0 (VxD or a ring3 app using the VxdCall).7 o( w* ^, e* q6 E* F
The Get_DDB service is used to determine whether or not a VxD is installed+ ^) R1 l' d s/ R8 F+ B
for the specified device and returns a Device Description Block (in ecx) for" p2 y+ x" l5 B- [- w5 w. |; W3 D k
that device if it is installed.9 w' @( D. k- F7 g7 T, a+ N
$ ^0 Q' D* t0 p mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
" g. N8 \ ?# \- k. r$ O$ _2 y, Q mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 j3 n O5 }+ y, ` A: b: E, V. ^2 ]
VMMCall Get_DDB
1 Y# E8 c8 H; u mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed5 P1 V4 N* p# B7 s
K3 a9 }& K- R* ]1 z/ b- Y+ SNote as well that you can easily detect this method with SoftICE:* I& P2 z) D0 y+ {% N0 H5 A0 R5 N
bpx Get_DDB if ax==0202 || ax==7a5fh: V0 b* h& M* |7 S/ Q. X
+ A! U+ U" v6 B. g2 E# o# g
__________________________________________________________________________
. }, n7 \* Z3 Q3 j! x& w
9 U0 t9 ^9 D- K* ?" D! rMethod 10# N _9 B9 |' H3 U
=========7 O8 m4 t( Q* c7 n8 x
, G! {3 T0 B0 u% ?
=>Disable or clear breakpoints before using this feature. DO NOT trace with
$ M2 `6 l$ a" H1 p- B0 ^" D2 q SoftICE while the option is enable!!
- g8 M4 M: l, t, ?* T- c9 m; t6 @3 v6 b
This trick is very efficient:! k5 N8 Q9 _2 S! F
by checking the Debug Registers, you can detect if SoftICE is loaded7 m. ]& z* |4 U- D
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 {8 f/ D6 I( ^2 d2 f, A
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 A0 L3 [2 K2 I: Dvalue (in ring0 only). Values can be manipulated and or changed as well
3 s5 b: f4 B! ~6 }8 L; y(clearing BPMs for instance) r6 t! B% k3 v% w$ c
/ F u0 v: ^8 @9 X9 x__________________________________________________________________________* a m, K! ^+ P1 F* q8 A* _0 g, f
; Y2 o3 r; A$ `/ G* e% u ^
Method 11
1 u. m, e) P _: p5 q=========0 G7 f7 A" X4 z0 Y& A
( x, q9 e; k/ t) e7 M' Y' W4 TThis method is most known as 'MeltICE' because it has been freely distributed
9 d' H6 K5 E5 P* Yvia www.winfiles.com. However it was first used by NuMega people to allow
( I; R+ E1 T) M2 E" TSymbol Loader to check if SoftICE was active or not (the code is located
2 d+ U2 N2 J3 I; s. b' L2 V5 B' rinside nmtrans.dll).
* n% R2 S6 U+ l8 n2 Y
. h5 k8 S% |# t5 f: Q! ] w8 Q/ xThe way it works is very simple:
9 p( M' K8 t; Z- J. CIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! j3 X5 W: P4 d1 |: c" MWinNT) with the CreateFileA API.
/ \2 I- ~, P( L% h
& j* f2 I4 O# t% BHere is a sample (checking for 'SICE'):. I6 _' U2 p' m5 r; x
% F6 T( j$ m! }6 R. @BOOL IsSoftIce95Loaded()
' f, `# i; ?3 s{
# L/ A4 ^# u+ C" _! a1 P HANDLE hFile; 7 T& q3 A* P9 C! O% Z7 t
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
2 A! D* p( c; ^' [- {2 V FILE_SHARE_READ | FILE_SHARE_WRITE,
" p- e( L0 n% l0 L NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 M- Z! c% J/ O' ]# G2 {$ J if( hFile != INVALID_HANDLE_VALUE )/ v5 k# f' T& u$ T
{
" `7 g7 W1 f' ~9 G CloseHandle(hFile);
, g8 U; B" c# G/ Y. W* M return TRUE;3 k5 s# [7 Y7 y! N6 C9 u; v
}
3 P: U+ t6 E( r return FALSE;
) q+ P1 o7 V( ]) K}+ ?$ [! e2 n7 C: R7 O* g) i4 k) ]
$ _; u9 o2 z$ H- F0 qAlthough this trick calls the CreateFileA function, don't even expect to be L% d7 c* b7 n
able to intercept it by installing a IFS hook: it will not work, no way!
; G' P- V4 y7 q2 `' M7 aIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, N+ _4 g. m) J/ Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
" y# a4 Y1 \$ f3 _and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 ]1 I5 d* S. Q( |8 [! sfield.
; P7 n7 \& t I' A6 L+ YIn fact, its purpose is not to load/unload VxDs but only to send a
. S0 H$ X8 x* [, x- o: [- K6 t3 WW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 ^$ O: U2 l, @1 dto the VxD Control_Dispatch proc (how the hell a shareware soft could try
; n* J1 [/ d* {8 F. Dto load/unload a non-dynamically loadable driver such as SoftICE ;-).
. C" |8 J/ V/ lIf the VxD is loaded, it will always clear eax and the Carry flag to allow1 Z0 N% o1 r4 p
its handle to be opened and then, will be detected.+ e9 a5 a+ s0 U
You can check that simply by hooking Winice.exe control proc entry point
' {& G; E6 {# u4 |" A$ U$ Nwhile running MeltICE.( v; X( z7 E5 B6 `4 H. }% Q T0 c
; Q9 [/ \# x# L
; P/ F2 r/ c% P+ M& ^8 t 00401067: push 00402025 ; \\.\SICE e. T) n5 _9 M5 c8 {# K
0040106C: call CreateFileA% H5 R- z. J$ M+ t, S, p J
00401071: cmp eax,-001
& i; D$ J: n! v( J 00401074: je 00401091/ ^% B7 ^+ d8 H9 L6 {
4 r. ^/ A( B7 h ~+ Z5 c3 S7 ` v. {3 P# p }
There could be hundreds of BPX you could use to detect this trick.
: L8 J" X- ~+ n1 P% o6 O-The most classical one is:% G% @& Q# o# z4 S, q V, K; m u3 ? @
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
0 j8 i( [+ e& R" j *(esp->4+4)=='NTIC'# U$ ^3 F* s/ T: V
$ k8 [+ a' n2 @8 e5 b F
-The most exotic ones (could be very slooooow :-(
/ J, H+ `0 o1 ]; Y) e BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
. X m0 k$ P# V8 ~ ;will break 3 times :-(. w c$ Z8 D; u6 f
/ g! I2 x6 ?$ V: V; c-or (a bit) faster: * M# A! S' [2 j
BPINT 30 if (*edi=='SICE' || *edi=='SIWV') x% o. y S6 H& z! V5 E. G
* V& U8 J, B2 b BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' . s6 Q2 r# H. f8 i$ ?
;will break 3 times :-(
2 D9 e6 |' d# H: ^. K/ y& n! \
" [ q; I* L9 y9 B-Much faster:
+ N0 v1 R4 ]' b) m$ O/ O BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
$ f0 w" N: m8 W6 R' O& H0 o. k& b9 ?! \4 w7 C, p( D7 N8 P- f
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 v# p, e+ _( R! Lfunction to do the same job:
" x$ p* I+ N: J' D( ^5 s; C, P
! O7 \7 N6 l, W( f; ~" ^ push 00 ; OF_READ7 o8 m2 h) Z) s- I7 B \
mov eax,[00656634] ; '\\.\SICE',0
1 R8 D; q- S7 F- x g% R push eax
, ], |0 ?- v! I% w( H: ` call KERNEL32!_lopen; d2 |! c# I& T3 i
inc eax0 L9 v+ b7 R7 h" E; m
jnz 00650589 ; detected
. j; N/ z( L r; ~ ~3 [- B push 00 ; OF_READ
2 B6 T P7 c$ r2 P. Y mov eax,[00656638] ; '\\.\SICE'
5 o1 e. m* h9 D: X3 Q push eax) k" G- g! y( a+ ]" W: L% L
call KERNEL32!_lopen
- j2 i- X. s$ v: a: `, Z! [. c inc eax
$ Q% R. b+ @& D& O# B8 i g+ T1 w jz 006505ae ; not detected
4 b/ `9 u* g8 w
7 o; e B$ O3 ^/ a+ Q: j9 r3 w; U6 ^ L% `0 ?+ E
__________________________________________________________________________ I( j- J2 F' a: u0 Q
. J0 S0 r- P% X% W
Method 121 U$ l8 x& z$ k& u b3 B
=========
- C- t2 b+ q! n' A+ B8 a
; Y" m+ R& K/ d$ q8 |+ d+ iThis trick is similar to int41h/4fh Debugger installation check (code 050 q1 y! J) j- h7 z
& 06) but very limited because it's only available for Win95/98 (not NT)
9 o2 e4 p+ m8 e# K" v: x; eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. m4 L/ Y& V2 [/ |; ~6 s- D) ^- n9 ~" R1 q
push 0000004fh ; function 4fh3 m Z- X: T6 j
push 002a002ah ; high word specifies which VxD (VWIN32)
3 d' s1 R- O+ m5 g- ]$ A; d ] ; low word specifies which service9 E1 d+ x, z7 _
(VWIN32_Int41Dispatch)
3 p) i+ h: A; h' g) N) W! [ call Kernel32!ORD_001 ; VxdCall( k* x8 d# Q5 K
cmp ax, 0f386h ; magic number returned by system debuggers
F/ E1 ~$ o' z jz SoftICE_detected5 F5 |$ G5 ^1 ]3 R: c' R& |- j
5 q* | h; u/ c! q4 S! VHere again, several ways to detect it:: R# k7 a/ h% u9 i3 S8 q
$ M4 e* N0 a; d+ B BPINT 41 if ax==4f
9 e1 t4 g% m' J3 J5 h' U
+ s9 l; J9 `5 a6 {* q, L2 |& P BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
0 k- e. _" G+ d) s1 o. d: Q, |- H% j
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A4 L: i. [+ P3 |
' D2 m. g7 x G
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
H2 p1 W6 L$ L- w. G p4 G$ S: P
__________________________________________________________________________" K; @1 H4 b7 J# C. t$ b7 H; t
9 l# E; D( r9 L$ l# sMethod 138 v0 J0 Q; U- O9 I4 L5 R
=========
% B) A6 l% U1 C$ t7 }" d2 r2 J9 |4 d0 b6 l
Not a real method of detection, but a good way to know if SoftICE is1 c0 p3 V& M( }7 c9 E
installed on a computer and to locate its installation directory.
( Y! H7 @& }: S/ D' ]- u$ l( `; R0 y& xIt is used by few softs which access the following registry keys (usually #2) :
v5 U- t! `: u2 W7 @
* C8 ~# r5 G I: o/ G& u) \-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 k+ l W6 _9 b) Z/ v- Y1 v
\Uninstall\SoftICE
- H v f1 q8 B-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 B9 g) o8 R6 a; T
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, c& o3 U8 Q0 M! Y$ y\App Paths\Loader32.Exe1 }# c- \# Q; c u* g1 }
5 L9 d- k, j# ~2 R- S
[/ U; A7 \" ^5 j- }8 }+ i/ HNote that some nasty apps could then erase all files from SoftICE directory" V; ~* L3 C' @: F+ P" a
(I faced that once :-(
* r/ Z- d; l+ l9 a+ \9 D& h6 _3 ^3 E" w [4 c$ S) q _4 R
Useful breakpoint to detect it:" W% {6 a0 `; R+ o
) x4 R) E- e; Z7 a6 d2 r BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
7 ?/ o8 [% e2 g) e3 \9 w- c+ F
__________________________________________________________________________2 Y3 g& M/ w$ f, y% J2 V
3 k+ r- E8 _1 s+ D& H
$ o+ [4 V* j$ L U8 _' c6 I
Method 14
, C% w: M3 O/ k, t' z=========* h1 [+ c- H) o& u2 u! `3 g
7 o- `( z* o4 H6 @( b5 ~5 B; }7 L$ U3 h
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* [$ K/ p; p% G. K1 B- c
is to determines whether a debugger is running on your system (ring0 only).
& s, d% }! ~( ~+ f. V$ e- @8 h! z* T5 G. M3 ^
VMMCall Test_Debug_Installed. D% _6 O( L6 l
je not_installed
8 V! q) s# f# m) ]5 l) p% f# y1 k+ I2 I) O
This service just checks a flag.& S* W0 P- u4 e5 R2 X
</PRE></TD></TR></TBODY></TABLE> |