<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is loaded
it answers the 'BCHK' request by modifying AL, so an AL that is no longer
4 after the INT 3 reveals it.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
  -AX = 0910h (Display string in SIce window)
  -AX = 0911h (Execute SIce command - the command is located at ds:dx)
  -AX = 0912h (Get breakpoint infos)
  -AX = 0913h (Set SIce breakpoints)
  -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
  -SI = 4647h
  -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911    ; execute command.
    4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647    ; 1st magic value.
    4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
    4C19:00A8  JB   0095       ; 6 different commands.
    4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0:0.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily swaps in a do-nothing
int 41h handler, so an answer of 0F386h can only come from a debugger that
intercepts the interrupt underneath the vector table:

    xor ax, ax
    mov es, ax             ; ES = 0: the interrupt vector table (as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
constant is compared any more. The replaced handler copies AL into CL, and
the check is simply whether our own handler was the one that ran:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; unpredictable value read from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al             ; CL equals AL only if our handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

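As an added illustration (not part of the original text), the following Python
decodes DR7 the way the trick above reads it, so the two values quoted can be
checked bit by bit: 0x400 is only the reserved bit 10, which always reads as 1,
while 0x700 adds LE (bit 8) and GE (bit 9), the exact-breakpoint flags; the
L0..G3 enable bits and the R/W and LEN fields show whether a BPM is armed. The
bit layout is the documented x86 one; the classify() helper and its wording are
mine, not the page's.

```python
"""Decode the x86 DR7 debug-control register (added example, not page code)."""
from dataclasses import dataclass, field

# R/W and LEN field encodings of DR7 (documented x86 debug-register layout)
RW_NAMES = {0: "execute", 1: "write", 2: "I/O (reserved)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class DebugControl:
    raw: int
    local_exact: bool              # LE, bit 8
    global_exact: bool             # GE, bit 9
    general_detect: bool           # GD, bit 13: traps any MOV to/from DRx
    enabled: list = field(default_factory=list)     # breakpoints 0..3 with L or G set
    conditions: dict = field(default_factory=dict)  # index -> (trigger, length in bytes)


def decode_dr7(value: int) -> DebugControl:
    """Split DR7 into its enable bits, exact flags and per-breakpoint conditions."""
    dc = DebugControl(
        raw=value,
        local_exact=bool((value >> 8) & 1),
        global_exact=bool((value >> 9) & 1),
        general_detect=bool((value >> 13) & 1),
    )
    for i in range(4):
        local_enable = (value >> (2 * i)) & 1        # L0..L3 at bits 0,2,4,6
        global_enable = (value >> (2 * i + 1)) & 1   # G0..G3 at bits 1,3,5,7
        if local_enable or global_enable:
            rw = (value >> (16 + 4 * i)) & 0b11      # R/Wi at bits 16-17, 20-21, ...
            ln = (value >> (18 + 4 * i)) & 0b11      # LENi at bits 18-19, 22-23, ...
            dc.enabled.append(i)
            dc.conditions[i] = (RW_NAMES[rw], LEN_BYTES[ln])
    return dc


def classify(dr7: int, dr0_to_dr3: tuple) -> str:
    """Apply the rule stated in the text: 0x700 means the SoftICE loader set LE and GE,
    0x400 is the bare reserved bit, and any enable bit or non-zero DR0-DR3 means a BPM."""
    dc = decode_dr7(dr7)
    if dc.enabled or any(dr0_to_dr3):
        return "hardware breakpoint present"
    if dc.local_exact and dc.global_exact:
        return "LE and GE set: loaded with the SoftICE loader"
    return "nothing unusual in the debug registers"


if __name__ == "__main__":
    # 0xF0401: L0 set, R/W0 = 11 (read/write), LEN0 = 11 (4 bytes), reserved bit 10
    for v in (0x400, 0x700, 0xF0401):
        print(hex(v), decode_dr7(v).enabled, classify(v, (0, 0, 0, 0)))
```

The DR0-DR3 tuple is passed in separately because, as the text says, the
registers can only be read from ring0; the decoder itself works on any dumped
values.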
__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds when the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov  eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589              ; detected
    push 00                    ; OF_READ
    mov  eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh             ; function 4fh
    push 002a002ah             ; high word specifies which VxD (VWIN32),
                               ; low word specifies which service
                               ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001      ; VxdCall
    cmp  ax, 0f386h            ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386               ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

  -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \Uninstall\SoftICE
  -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
  -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1 respectively):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

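Most of the tricks described above leave fixed constants inside the program
(the 'BCHK' value of Method 01, the 4647h/4A4Dh magic values of Method 02, the
VxD IDs of Methods 03/04, 0F386h and the int 41h/68h calls of Methods 05, 07
and 12, the \\.\SICE device names of Method 11 and the registry paths of this
method). The Python scanner below is an added example, not code from the
original text: it searches a raw binary for those byte patterns, using the
16-bit encodings of the instructions as they appear on the page (the 32-bit
forms still contain the same bytes after an operand-size prefix), and reports
which method each hit belongs to. The SAMPLE blob is constructed here for the
demonstration and is not taken from any real file. Hits are triage hints, not
proof: a three-byte sequence such as 3D 86 F3 can occur by chance.

```python
"""Static scan of a binary for anti-SoftICE artefacts (added example, not page code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str          # method number in the text above
    description: str
    pattern: bytes       # raw bytes to look for


SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh -> opcode BD + little-endian 'BCHK'
    Signature("01", "BoundsChecker 'BCHK' request in EBP", b"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh (16-bit BE/BF + imm16)
    Signature("02", "back door magic value 4647h in SI", b"\xbe\x47\x46"),
    Signature("02", "back door magic value 4A4Dh in DI", b"\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h directly followed by mov bx,VxD_ID
    Signature("03", "int 2Fh/1684h lookup of VxD ID 0202h (SICE)", b"\xb8\x84\x16\xbb\x02\x02"),
    Signature("04", "int 2Fh/1684h lookup of VxD ID 7A5Fh (SIWVID)", b"\xb8\x84\x16\xbb\x5f\x7a"),
    # Method 05: mov ax,4Fh directly followed by int 41h
    Signature("05", "int 41h function 4Fh", b"\xb8\x4f\x00\xcd\x41"),
    # Methods 05/07/12: cmp ax,0F386h (3D + imm16)
    Signature("05/07/12", "compare with debugger magic number 0F386h", b"\x3d\x86\xf3"),
    # Method 07: mov ah,43h directly followed by int 68h
    Signature("07", "int 68h function 43h", b"\xb4\x43\xcd\x68"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch service number for VxDCall)
    Signature("12", "VxDCall service 002A002Ah", b"\x68\x2a\x00\x2a\x00"),
]
# Method 11: device names passed to CreateFileA/_lopen, ANSI and UTF-16LE forms
for _name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"):
    SIGNATURES.append(Signature("11", "device name " + _name, _name.encode("ascii")))
    SIGNATURES.append(Signature("11", "device name " + _name + " (UTF-16LE)",
                                _name.encode("utf-16-le")))
# Method 13: registry paths (the HKEY_LOCAL_MACHINE root is not stored as text)
for _key in (r"Software\NuMega\SoftICE", r"Uninstall\SoftICE", r"App Paths\Loader32.Exe"):
    SIGNATURES.append(Signature("13", "registry path " + _key, _key.encode("ascii")))


def _find_all(data: bytes, needle: bytes):
    """Yield every offset of needle in data, overlapping matches included."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i == -1:
            return
        yield i
        start = i + 1


def scan(data: bytes) -> list:
    """Return findings as dicts {'method', 'offset', 'description'} sorted by offset."""
    findings = []
    for sig in SIGNATURES:
        for off in _find_all(data, sig.pattern):
            findings.append({"method": sig.method, "offset": off,
                             "description": sig.description})
    findings.sort(key=lambda f: (f["offset"], f["method"]))
    return findings


def methods_present(data: bytes) -> list:
    """Distinct method numbers hit, in the order they are first seen."""
    seen = []
    for f in scan(data):
        if f["method"] not in seen:
            seen.append(f["method"])
    return seen


# Constructed sample: NOP filler around a Method 01 instruction, a Method 11
# device name and a Method 13 registry path.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"                 # mov ebp, 4243484Bh
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                       # "\\.\SICE"
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"         # registry key #2
    + b"\x90" * 4
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("0x%06x  method %-8s %s" % (f["offset"], f["method"], f["description"]))
```

Run it on a whole file with scan(open(path, "rb").read()); because the
instruction-level signatures are short, confirm a hit by disassembling around
the reported offset before drawing any conclusion.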
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>