<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with the
'BCHK' signature in EBP and AX=4, the int 3 is answered by SoftICE, which
modifies AL. If AL is still 4 afterwards, SoftICE is not there.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected ; AL was modified by SoftICE
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints, execute
SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if the VxD is loaded, ES:DI comes back non-zero.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice.
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI still 0 -> VxD not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own (empty) int 41h handler...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h ; ...so only a debugger intercepting int 41h can answer
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; our handler copies AL into CL...
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable value (timer counter) in AL
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; ...so CL != AL means our handler never ran (int 41h intercepted)
 jnz SoftICE_detected
___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS: set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE driver accepts an open, i.e. SoftICE for Win9x is loaded. */
BOOL IsSoftIce95Loaded(void)
{
 HANDLE hFile;
 /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) + 1 == 0 -> the open failed
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
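A static triage scanner for the tricks above (methods 01 to 13), added here as an example and not part of the original text: it looks in a raw binary for the byte patterns of the instruction sequences and driver/registry strings listed on this page, so an analyst can spot which anti-SoftICE checks a protected sample carries before running it. Opcode encodings are the standard 16-bit ones (mov ax,imm16 = B8 iw, int n = CD ib), the window size is my choice, and the sample bytes are constructed, not taken from any real file.

```python
"""Static triage: flag anti-SoftICE detection tricks (methods 01-13 above) in a raw binary."""
from typing import Dict, List

# Each rule is an ordered list of byte fragments that must all appear, in order,
# within WINDOW bytes of the first one.  Opcode encodings are 16-bit real-mode
# (mov ax,imm16 = B8 iw, mov bx = BB, mov si = BE, mov di = BF, int n = CD ib).
RULES: Dict[str, List[bytes]] = {
    "M01 BCHK int 3":          [b"\x4b\x48\x43\x42", b"\xcc"],               # imm32 'BCHK' then int 3
    "M02 backdoor int 3":      [b"\xbe\x47\x46", b"\xbf\x4d\x4a", b"\xcc"],  # mov si,4647h / mov di,4A4Dh / int 3
    "M03/04 int 2Fh 1684h":    [b"\xb8\x84\x16", b"\xcd\x2f"],               # mov ax,1684h ... int 2Fh
    "M05 int 41h 4Fh":         [b"\xb8\x4f\x00", b"\xcd\x41"],               # mov ax,4fh ... int 41h
    "M07 int 68h 43h":         [b"\xb4\x43", b"\xcd\x68"],                   # mov ah,43h ... int 68h
    "M11 SICE driver name":    [b"\\\\.\\SICE"],                             # \\.\SICE
    "M11 SIWVID driver name":  [b"\\\\.\\SIWVID"],
    "M11 NTICE driver name":   [b"\\\\.\\NTICE"],
    "M13 NuMega registry key": [b"Software\\NuMega\\SoftICE"],
}
WINDOW = 32  # bytes: the page's sequences are only a few instructions long (assumed value)


def match_rule(data: bytes, fragments: List[bytes], window: int = WINDOW) -> List[int]:
    """Offsets of each fragment for the first in-order match inside `window`, or [] if none."""
    start = 0
    while True:
        first = data.find(fragments[0], start)
        if first == -1:
            return []
        offsets, pos = [first], first + len(fragments[0])
        for frag in fragments[1:]:
            hit = data.find(frag, pos, first + window)
            if hit == -1:
                break
            offsets.append(hit)
            pos = hit + len(frag)
        else:
            return offsets          # every fragment found in order
        start = first + 1           # retry from the next candidate anchor


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each triggered rule name to the offsets of its fragments."""
    hits = {}
    for name, frags in RULES.items():
        offs = match_rule(data, frags)
        if offs:
            hits[name] = offs
    return hits


# Constructed sample (not a real file): 16 NOPs, a Method 02 backdoor sequence like the
# Haspinst.exe listing, 16 NOPs, a Method 03 int 2Fh/1684h check, then a '\\.\SICE' string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc\x83\xc3\x02"  # mov ax,0911 / mov dx,[bx] / ... / int 3 / add bx,2
    + b"\x90" * 16
    + b"\x33\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"              # xor di,di / mov es,di / ... / int 2Fh
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(name + ": " + ", ".join("0x%04x" % o for o in offs))
```

This is a plain byte matcher with no disassembly, so packed or self-modifying code is missed and an instruction sequence split across a jump is not recognised; treat hits as leads for manual inspection rather than as proof.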
</PRE></TD></TR></TBODY></TABLE>