<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
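As an added illustration (not part of the original text), here is a small
Python decoder for the values a Method 10 style check reads. It shows why
dr7 = 0x400 is the idle baseline (only the reserved bit 10 is set), why
0x700 means the LE and GE exact-breakpoint bits are set on top of it, and
which dr0-dr3 slots are armed. The bit layout is the documented Intel DR7
layout; the register values fed to it are constructed samples.

```python
"""Decode x86 debug registers as read by a Method 10 style check.

Added example, not from the original text: a pure-Python decoder for
DR7 and DR0..DR3. The register values used below are constructed samples.
"""

# DR7 bit layout (Intel SDM): bits 0..7 = L0,G0 .. L3,G3, bit 8 = LE,
# bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
# bits 16..31 = R/W0,LEN0 .. R/W3,LEN3 (2 bits each).
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "baseline": dr7 == DR7_RESERVED,   # 0x400: nothing armed
        "slots": slots,
    }


def classify(dr0, dr1, dr2, dr3, dr7):
    """Apply the heuristics from the text and return a list of findings.

    0x700 pattern: LE and GE set on top of the reserved bit -> the soft was
    started via the SoftICE loader. Any enabled slot, or a non-zero address
    register, -> a memory breakpoint (BPM) is set.
    """
    info = decode_dr7(dr7)
    findings = []
    if (dr7 & 0x700) == 0x700:
        findings.append("dr7 matches 0x700: LE/GE set (SoftICE loader signature)")
    addrs = (dr0, dr1, dr2, dr3)
    for slot in info["slots"]:
        addr = addrs[slot["slot"]]
        if slot["enabled"] or addr != 0:
            findings.append(
                "BPM in slot %d at %#010x (%s, len %d)"
                % (slot["slot"], addr, slot["condition"], slot["length"])
            )
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean machine, and one with a 4-byte write
    # breakpoint armed in slot 0 under the loader signature.
    print(classify(0, 0, 0, 0, 0x400))
    print(classify(0x401000, 0, 0, 0, 0x700 | 0x1 | (1 << 16) | (3 << 18)))
```

The decoder also reports the GD bit: when a debugger sets it, any MOV to or
from a debug register raises a debug exception, which is the hardware's own
way of trapping exactly this kind of read before the protected program sees
the value.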

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                        ; OF_READ
    mov eax,[00656634]             ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                   ; detected
    push 00                        ; OF_READ
    mov eax,[00656638]             ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                    ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh                 ; function 4Fh
    push 002A002Ah                 ; high word specifies which VxD (VWIN32),
                                   ; low word specifies which service
                                   ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001          ; VxDCall
    cmp ax, 0F386h                 ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386         ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
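As an added example (not part of the original text), serving Methods 01 to
07 and Method 12 together: a small Python scanner that looks for the raw
encodings of the instruction sequences listed above, the static triage an
analyst runs on a packed sample before setting any of the breakpoints
described here. The byte patterns are the standard x86 encodings of those
listings (16-bit DOS code for the int 2Fh/41h/68h sequences, 32-bit for the
'BCHK' and push 002A002Ah ones); the code buffer it scans is constructed
for the demonstration.

```python
"""Static triage for the anti-SoftICE sequences in Methods 01-07 and 12.

Added example, not part of the original text. Each signature is the raw
x86 encoding of the instructions listed above (immediates little-endian);
the sample buffer at the bottom is constructed for the demonstration.
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (BD imm32 ... CC)
    "Method 01: BoundsChecker 'BCHK' int 3 probe":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order (BE iw / BF iw)
    "Method 02: SoftICE back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S),
    # Method 03/04: mov bx,0202h or mov bx,7A5Fh (BB iw) then int 2Fh (CD 2F)
    "Method 03/04: int 2Fh/1684h VxD ID lookup (SICE or SIWVID)":
        re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
    # Method 05/06: mov ax,4Fh ; int 41h (B8 iw CD 41) or cmp ax,0F386h (3D iw)
    "Method 05/06: int 41h/4Fh or cmp ax,0F386h debugger magic":
        re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41|\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h ; int 68h (B4 ib CD 68)
    "Method 07: int 68h/43h WinICE handler check":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S),
    # Method 12: push 002A002Ah = VWIN32 / VWIN32_Int41Dispatch (68 imm32)
    "Method 12: VxDCall VWIN32_Int41Dispatch (push 002A002Ah)":
        re.compile(rb"\x68\x2A\x00\x2A\x00", re.S),
}


def scan(code):
    """Return [(offset, signature name)] for every hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES.items():
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: four of the sequences above separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16"           # mov ax,1684h
    + b"\xBB\x02\x02"           # mov bx,0202h
    + b"\xCD\x2F"               # int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\x90" * 4
    + b"\x68\x2A\x00\x2A\x00"   # push 002A002Ah
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%#06x  %s" % (off, name))
```

Treat hits as leads, not proof: a packer can build the magic immediates at
run time instead of encoding them literally, so a clean scan says nothing,
while a hit tells you where to place the breakpoints listed above. The
int 41h/4Fh pattern will also fire on any DOS program that legitimately
talks to a debugger through that interface.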
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
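As an added example (not part of the original text) covering Methods 11 and
13 together: a Python triage script that reads an API-call trace and flags
the two probes described above, CreateFileA/_lopen on the \\.\SICE,
\\.\SIWVID and \\.\NTICE device names, and RegOpenKey on the three SoftICE
registry keys. It is the log-based equivalent of the BPX conditions given
for those methods. The one-call-per-line trace format and the trace lines
are constructed for the demonstration; the device and key names come from
the text.

```python
"""Flag MeltICE-style driver opens (Method 11) and SoftICE registry
probes (Method 13) in an API-call trace.

Added example, not part of the original text. The one-call-per-line
trace format and the lines in TRACE are constructed for this demo.
"""
import re

# Device names from the text: \\.\SICE and \\.\SIWVID (Win9x), \\.\NTICE (NT).
DEBUGGER_DEVICES = {
    "SICE": "SoftICE core driver (Win9x)",
    "SIWVID": "SoftICE video driver (Win9x)",
    "NTICE": "SoftICE driver (WinNT)",
}

# Registry keys #1-#3 from the text, lower-cased for comparison.
SOFTICE_KEYS = {
    r"software\microsoft\windows\currentversion\uninstall\softice",
    r"software\numega\softice",
    r"software\microsoft\windows\currentversion\app paths\loader32.exe",
}

CALL_RX = re.compile(r"^(\w+)\((.*)\)\s*=\s*(\S+)$")   # func(args) = ret
STR_RX = re.compile(r'"([^"]*)"')                        # quoted string args
DEVICE_RX = re.compile(r"^\\\\\.\\(\w+)$")               # \\.\NAME


def classify_call(line):
    """Return a finding dict for a probe line, or None for anything else."""
    m = CALL_RX.match(line.strip())
    if not m:
        return None
    func, args, ret = m.groups()
    strings = STR_RX.findall(args)
    if not strings:
        return None
    if func in ("CreateFileA", "CreateFileW", "_lopen"):
        dev = DEVICE_RX.match(strings[0])
        if dev and dev.group(1).upper() in DEBUGGER_DEVICES:
            name = dev.group(1).upper()
            # INVALID_HANDLE_VALUE / HFILE_ERROR mean the driver was not there.
            opened = ret not in ("0xFFFFFFFF", "-1")
            return {"method": "Method 11 (MeltICE driver open)", "func": func,
                    "target": name, "detail": DEBUGGER_DEVICES[name],
                    "debugger_present": opened}
    if func.lower().startswith("regopenkey"):
        key = strings[-1]
        if key.lower() in SOFTICE_KEYS:
            # ERROR_SUCCESS (0) means the key, and so SoftICE, is installed.
            return {"method": "Method 13 (registry install probe)", "func": func,
                    "target": key, "detail": "SoftICE install key",
                    "debugger_present": ret == "0"}
    return None


def triage(lines):
    """Run classify_call over a trace and keep only the findings."""
    return [f for f in map(classify_call, lines) if f]


# Constructed trace: two driver probes, one registry probe, two benign calls.
TRACE = r'''
CreateFileA("\\.\SICE", 0xC0000000, 3, NULL, 3, 0x80, NULL) = 0xFFFFFFFF
CreateFileA("C:\temp\readme.txt", 0x80000000, 1, NULL, 3, 0x80, NULL) = 0x48
_lopen("\\.\SIWVID", 0) = -1
RegOpenKeyA(HKEY_LOCAL_MACHINE, "Software\NuMega\SoftICE") = 2
RegOpenKeyA(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run") = 0
'''.strip().splitlines()

if __name__ == "__main__":
    for f in triage(TRACE):
        print(f["method"], f["func"], f["target"],
              "present" if f["debugger_present"] else "absent")
```

The script matches the device name and the key path, not the call's
outcome, so the probe is reported whether or not SoftICE was found; the
debugger_present field only records what the probed program learned.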

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>