<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP set to 'BCHK'
and AX=4, the INT 3 is answered by SoftICE, and AL is no longer 4 afterwards.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; AL is changed by the SoftICE INT 3 handler
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is present, ES:DI comes back with a
non-null entry point.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a do-nothing handler, so that without a system debugger hooking int 41h
the value in ax comes back unchanged:

 xor ax,ax
 mov es,ax ; ES = 0 so that es:[41h*4] is the int 41h IVT entry
           ; (same setup as in Method 06; absent from the listing as reproduced)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
temporary handler copies AL into CL; the program reads a 'random' AL from the
timer port, clears CX and issues int 41h. If its own handler ran, CL equals
AL afterwards; if a debugger swallowed the interrupt instead, CL stays 0:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...):

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

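The following decoder is an added example and not part of the original text: it reads a DR7 value the way Method 10 does, so that the two numbers quoted above become meaningful (0x400 is only the always-set reserved bit 10; 0x700 additionally has the LE and GE bits 8 and 9), and it pairs every armed slot with its address in DR0..DR3. The bit layout is the documented x86 one (Intel SDM vol. 3); the register snapshots at the bottom are constructed.

```python
# Added example: decode the x86 DR7 debug-control register and pair armed
# slots with DR0..DR3 (the registers Method 10 reads in ring0).
# Bit layout (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable of slot 0..3
#   bit  8 / 9  LE / GE                  "exact" breakpoint matching (legacy)
#   bit  10     reserved, always reads as 1  -> an idle DR7 reads 0x400
#   bit  13     GD                       trap on any access to DR0..DR7
#   bits 16..31 R/W0,LEN0 ... R/W3,LEN3  two bits each, per slot

RW_KINDS = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 0b10 means 8 bytes (64-bit mode only)


def decode_dr7(dr7):
    """Return the global flags of DR7 plus the settings of its four slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def active_breakpoints(dr7, dr0_3):
    """List (slot, address, kind, length) for every slot DR7 has enabled."""
    out = []
    for s in decode_dr7(dr7)["slots"]:
        if s["enabled"]:
            out.append((s["slot"], dr0_3[s["slot"]], s["kind"], s["length"]))
    return out


def debugger_hints(dr7, dr0_3):
    """Human-readable reasons a DR7/DR0-3 snapshot looks debugger-touched.

    Mirrors the page's rule of thumb: 0x400 is the idle value (only the
    reserved bit); anything beyond it was written by a debugger."""
    info = decode_dr7(dr7)
    hints = []
    if info["le"] or info["ge"]:
        hints.append("LE/GE set (page: dr7=0x700 when started via the SoftICE loader)")
    if info["gd"]:
        hints.append("GD set: debug-register access itself is trapped")
    for slot, addr, kind, length in active_breakpoints(dr7, dr0_3):
        hints.append("DR%d armed: %s breakpoint, %d byte(s) at 0x%08X"
                     % (slot, kind, length, addr))
    return hints


if __name__ == "__main__":
    # Constructed snapshots: idle DR7, loader-started DR7, and a 4-byte
    # read/write BPM armed on DR0 (L0 + R/W0=11b + LEN0=11b + reserved bit).
    for dr7, regs in ((0x400, [0, 0, 0, 0]),
                      (0x700, [0, 0, 0, 0]),
                      (0xF0401, [0x00401000, 0, 0, 0])):
        print(hex(dr7), debugger_hints(dr7, regs) or ["nothing set"])
```

Reading DR7 requires ring0, as the text says; the decoder itself only needs the values, so it is equally usable on a register dump taken from a crash or a VM snapshot.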
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* \\.\SICE is the device name of the Win9x SoftICE VxD */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 /* the open only succeeds if the VxD answered the DIOC_OPEN message */
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-01 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',00
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

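The breakpoints listed for each method only fire once the program is running under SoftICE. As an added example that is not part of the original text, here is the static counterpart: a signature scanner that flags the code and string patterns of Methods 01-05, 07, 11, 12 and 13 in a raw buffer, the kind of triage an analyst runs before opening a sample in a debugger. The instruction encodings are standard x86 (16-bit code assumed for the DOS methods, 32-bit for the Win32 ones, with the 66h operand-size prefix tolerated where it can occur); the tag names and the sample buffer are constructed for this example.

```python
import re

# Added example: static signatures for the anti-SoftICE tricks of Methods
# 01-05, 07, 11, 12 and 13. Encodings are standard x86 (16-bit code for the
# DOS methods, 32-bit for the Win32 ones); the sample buffer is constructed.

TAG_M01 = "M01 mov ebp,'BCHK' ... int 3 (BoundsChecker handshake)"
TAG_M02 = "M02 int 3 back door magics SI=4647h / DI=4A4Dh"
TAG_M03_04 = "M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh"
TAG_M05 = "M05 mov ax,4Fh ... int 41h"
TAG_F386 = "M05/M06/M12 cmp ax,0F386h (system debugger magic number)"
TAG_M07 = "M07 mov ah,43h ... int 68h"
TAG_M11 = "M11 MeltICE device name \\\\.\\SICE | SIWVID | NTICE"
TAG_M12 = "M12 push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"
TAG_M13 = "M13 registry key Software\\NuMega\\SoftICE"

SIGNATURES = [
    # BD 4B 48 43 42 = mov ebp,4243484Bh ('BCHK' little-endian); CC = int 3
    (TAG_M01, rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", 0),
    # BE 47 46 = mov si,4647h ; BF 4D 4A = mov di,4A4Dh (either order)
    (TAG_M02, rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", 0),
    # B8 84 16 = mov ax,1684h ; BB 02 02 / BB 5F 7A = mov bx,0202h / 7A5Fh ; CD 2F = int 2Fh
    (TAG_M03_04, rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", 0),
    # B8 4F 00 = mov ax,4Fh ; CD 41 = int 41h
    (TAG_M05, rb"\xB8\x4F\x00.{0,16}?\xCD\x41", 0),
    # 3D 86 F3 = cmp ax,0F386h (66h prefix in 32-bit code)
    (TAG_F386, rb"(?:\x66)?\x3D\x86\xF3", 0),
    # B4 43 = mov ah,43h ; CD 68 = int 68h
    (TAG_M07, rb"\xB4\x43.{0,8}?\xCD\x68", 0),
    # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE" as stored NUL-terminated in the binary
    (TAG_M11, rb"\x5C\x5C\x2E\x5C(?:SICE|SIWVID|NTICE)\x00", 0),
    # 68 2A 00 2A 00 = push 002A002Ah
    (TAG_M12, rb"\x68\x2A\x00\x2A\x00", 0),
    (TAG_M13, rb"Software\x5CNuMega\x5CSoftICE", re.IGNORECASE),
]

COMPILED = [(tag, re.compile(pat, re.DOTALL | flags)) for tag, pat, flags in SIGNATURES]


def scan(buf):
    """Return [(offset, tag), ...] sorted by offset, one entry per signature hit."""
    hits = []
    for tag, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), tag))
    return sorted(hits)


# Constructed sample: a Haspinst.exe-style back-door loop body, a Method 03
# VxD probe and a MeltICE device-name string, padded with NOPs (90h).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h (offset 4)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3 (offset 9)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh (offset 20)
    + b"\x90" * 4
    + b"\x5C\x5C\x2E\x5CSICE\x00"          # "\\.\SICE" (offset 32)
)

if __name__ == "__main__":
    for off, tag in scan(SAMPLE):
        print("0x%04X  %s" % (off, tag))
```

The distance wildcards (`.{0,8}?`, `.{0,16}?`) absorb the register moves that typically sit between the marker instructions, as in the Haspinst.exe listing; a packer that splits the sequence across far jumps or builds the magic values arithmetically will not match, which is the usual limit of byte signatures and the reason the runtime breakpoints above still matter.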
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>