<TABLE width=500>
! o" Z1 b1 g+ ^+ G+ g% N<TBODY>1 H) l! k7 u! f, Z' I4 g
<TR>( n3 c0 h2 U, X5 b
<TD><PRE>Method 01
8 Y6 o$ b) v4 `% M# c! T+ J=========: H- Q& }& k7 p" U
) ~4 ~4 ~ W: [# VThis method of detection of SoftICE (as well as the following one) is, G# E8 h( ~1 w5 T
used by the majority of packers/encryptors found on Internet.
( Q2 ?! V4 r4 L( iIt seeks the signature of BoundsChecker in SoftICE
# D3 O- P+ h3 Q* o, m" A# V# }3 G7 f. Y; R8 c7 j: d
mov ebp, 04243484Bh ; 'BCHK' B0 ]& o, x0 g) R
mov ax, 04h; e! Z1 o6 `2 y; e, m
int 3 * G! Z+ q2 ^' I
cmp al,4/ L0 y# x" I/ H- Y! X4 T4 |# S- {
jnz SoftICE_Detected" w8 o( f. A6 d `) g) M3 u' B) z, N
" I- t2 G6 U4 ^+ o___________________________________________________________________________; v+ I! X! ]: |6 d& p8 _& d
, h- c S1 b. e! F, u+ V, rMethod 02
& \% o' j) M6 d( a=========0 u! S8 N$ A b+ ] ?1 [9 |- Y$ A
, [1 G/ N- q& X& Z: A' m0 ^Still a method very much used (perhaps the most frequent one). It is used
8 _: h7 S5 {% O: Z9 b! {. K K1 mto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
8 w' Z2 n2 r, Z5 F0 Dor execute SoftICE commands...
; l# L5 G2 h. V& [. @It is also used to crash SoftICE and to force it to execute any commands. K* {+ y7 j% a0 F$ q7 G9 K
(HBOOT...) :-(( ; p: F) ]- ~/ N. q9 x
/ I6 z9 H5 k: C5 d' {7 C! n$ I* Y
Here is a quick description:
/ x; S$ Y) C* l, p/ E-AX = 0910h (Display string in SIce windows)' f' P9 L' d7 x/ e: ^$ X* y
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx). v! [2 L7 U: U. B6 q8 A6 K
-AX = 0912h (Get breakpoint infos)% j6 c5 C# Q2 C( r8 V: O
-AX = 0913h (Set Sice breakpoints). r8 p7 J5 R% R. b! a7 v* y9 e* d- T
-AX = 0914h (Remove SIce breakoints)
- v4 Q# `1 Q; G1 w/ x! X) C/ u, M5 y0 A. o" [3 t$ _$ d1 i
Each time you'll meet this trick, you'll see:- ?- _' @' u" L. p" K% M5 }
-SI = 4647h* D4 ~- o* c# Y) _2 x, c7 y* M& _
-DI = 4A4Dh7 o$ L" C( R1 D/ S2 |. z% T
Which are the 'magic values' used by SoftIce.
1 Y! `; R: X2 V' b* v0 QFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
4 O* x# Z9 `; r& c! z* Y9 L K+ [& h: X# c
Here is one example from the file "Haspinst.exe" which is the dongle HASP d) P* y$ m% k6 r# A) V
Envelope utility use to protect DOS applications:7 V+ A$ ^' D' }+ V
0 p6 n( p9 X* u; O+ X% n1 E; L
0 I9 h) d( b) C4 @( B' e* C5 L4C19:0095 MOV AX,0911 ; execute command.
1 g8 K d, c1 Z9 w! o, X4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
0 I% M; H- f4 K f, ^6 R4C19:009A MOV SI,4647 ; 1st magic value.5 {. S; v+ n/ Q
4C19:009D MOV DI,4A4D ; 2nd magic value.
8 Q2 r, ?. s1 Y) S9 `7 Q N4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
7 M |1 d6 Q8 p) s1 f2 P4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
0 R8 i7 z$ D' Q( `% n' T4C19:00A4 INC CX
6 |/ t6 ?4 l4 y+ R4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
% ^ T, D8 p# t& y* t' i* B4C19:00A8 JB 0095 ; 6 different commands.
# o$ c5 `! n4 u, U# l1 k4C19:00AA JMP 0002 ; Bad_Guy jmp back.
: ?8 d' R4 K6 i) y4C19:00AD MOV BX,SP ; Good_Guy go ahead :)6 C. L6 |3 x, ^5 R1 f# z2 O4 @
: F0 c9 O, c( l" Q O
The program will execute 6 different SIce commands located at ds:dx, which
/ k* Q) M5 D* O1 `# q4 Qare: LDT, IDT, GDT, TSS, RS, and ...HBOOT. q$ \" F( Z' U7 J3 O b7 h
1 C; \& t; P* V N& s D( S& K* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded., p. E, w; G7 J0 _* I
___________________________________________________________________________
7 T+ t0 d3 j& {6 q) h
* a0 o8 `4 R7 ?9 i# m) G+ s. f* Y ]8 v8 W5 O& D4 m- _% L0 X; [
Method 03& w9 N* Y- E/ Z; O8 f
=========3 X! D' @2 w* h
4 e! D6 Y8 E5 H7 P: q% b
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
6 y4 v% ^: g1 H: q+ \7 g R1 q2 D(API Get entry point)7 m8 g- _6 ^& c
6 V5 o7 F. b$ u! ~9 E* d
7 X" n9 P0 z; Y" h- k xor di,di4 K# u! B% Z$ S4 \/ ~' n. _
mov es,di
/ R' {/ `7 \0 g; n. c9 m2 l& E mov ax, 1684h
: _4 q! U: a( W8 N3 c mov bx, 0202h ; VxD ID of winice1 Z5 `+ ^. @& L" S/ |
int 2Fh5 g: Y; j0 d; m! z
mov ax, es ; ES:DI -> VxD API entry point
& W* A+ P' o! h7 z! ` add ax, di9 A. r0 u0 G4 x: E* q3 _( Q
test ax,ax
, x. B& K Y: l* T1 ] jnz SoftICE_Detected
- E7 i, a( j) U
( c9 u* H$ o% D7 u___________________________________________________________________________/ M3 c: E0 w+ I8 k
5 H* B2 S u- Y3 xMethod 041 o; x& s+ i) B( s8 Q1 o: b
=========
5 L! N5 p. _) A( Q! F1 Y8 h
- g- p1 m% H. m* s) j6 I) `Method identical to the preceding one except that it seeks the ID of SoftICE- g* z# ]1 o3 Z( M/ U
GFX VxD. @- E1 M6 l4 Q! d" F# i
3 s# r! w9 q* _: {5 D* ^ xor di,di
0 P( X9 _; g- s mov es,di
0 w6 w8 j S" X, l9 p8 h) a+ M mov ax, 1684h ( z9 I" X D. y" U! P* ]& x
mov bx, 7a5Fh ; VxD ID of SIWVID% f$ I7 ~/ b! I1 ?
int 2fh/ a" J, e0 J- P" _+ s& _5 { M
mov ax, es ; ES:DI -> VxD API entry point
$ f6 }! T! S( q add ax, di
N# D. ~" |8 q6 w3 u2 p) w test ax,ax
7 V% r: |# t2 _. x4 L1 k jnz SoftICE_Detected
, K0 i! w3 k1 f1 Z M/ z- g- J% F
' D Z5 G* z F4 Z__________________________________________________________________________1 U. k6 I. t+ V
3 E, c$ g8 ]" f2 C0 c$ ~7 u1 ~7 _) t) U0 Z9 o: J) l# b
Method 055 p8 y! g8 J# K- z& N i0 @- n
=========
8 _5 N% B4 Y9 a/ Z6 H# n/ O3 {8 U2 a, A, x
Method seeking the 'magic number' 0F386h returned (in ax) by all system
7 X2 M: V- Y. Jdebugger. It calls the int 41h, function 4Fh.
$ Q& G: \% \6 q3 O: b% L0 F5 |* lThere are several alternatives. , b# Q- ^: ? T: `
* D1 X7 M$ s* M- ?) ZThe following one is the simplest:' {! A6 H- r: o) D* m
. A% _/ e" J1 T" }' { mov ax,4fh' D9 D* O4 t3 j! Q
int 41h5 U5 K5 t8 N, q" F+ J6 i# Y
cmp ax, 0F386
+ w s& I4 l5 [6 t5 H1 f" I: b jz SoftICE_detected% p7 A+ w, }( B i7 t
7 l3 O V( @* [- M( n6 i2 N
/ V7 ]! A% \/ |$ A4 R7 oNext method as well as the following one are 2 examples from Stone's 1 k! R9 E2 O J% P; N/ ^
"stn-wid.zip" (www.cracking.net):8 t5 M6 c9 `: n! C' M8 @. y) q% f
- S# I7 n& r! a4 ?4 A0 U% M
mov bx, cs
! @; B7 `6 `' c1 j lea dx, int41handler2
8 j( u7 M- X$ @6 I1 j1 w: R: Q xchg dx, es:[41h*4]
5 ?9 @6 [$ I$ p" L7 B3 L5 w xchg bx, es:[41h*4+2]% r% l, F' R* u
mov ax,4fh- V- ?5 R& H$ A" N Z
int 41h
! X& ?8 w; ~# Y F5 A, f7 M xchg dx, es:[41h*4]
- \( n6 o7 D& {8 J+ h+ |2 ] xchg bx, es:[41h*4+2]+ V% P( h6 F" F3 `
cmp ax, 0f386h
) c# |) ^4 {6 o0 o: I jz SoftICE_detected
- |4 L/ Q: W; Q4 l
/ h6 k/ `/ a% h9 h* X" M4 uint41handler2 PROC
9 z* M: ]8 h3 k' A iret
6 J8 M' o, |7 ~( i ?9 Hint41handler2 ENDP
* c% q9 }- {7 [/ _" V# ]
; A; J4 q: b; z8 K* c: z: D
. w+ A# V* ]3 \8 e+ d_________________________________________________________________________& N" s4 r& s4 Y. M
9 U& `3 l4 q5 M0 L1 a6 A1 Y4 ?
4 E! b$ l# I, rMethod 06- Q! _9 Q3 q1 P/ P' Z' |( |& T
=========. J9 S0 H4 J3 u) e6 h
7 V6 }$ J' d( q& J% M0 ^' T
4 k; l" Q- t4 {6 @9 h. J2nd method similar to the preceding one but more difficult to detect:# W9 x2 ~; S# @) \
) g/ A0 I: F% t5 D3 F( g* H- }# I# f; J4 I
int41handler PROC& Q, w9 E3 f# y7 Z3 y, J }
mov cl,al; k8 { f* ^. A+ g
iret; Z1 Q5 n, `% V# f" r9 R: h! }
int41handler ENDP
, U. g( K- `$ S$ W, p; z0 b
D0 i" n! @. R7 P: [4 K* v* x, ^5 h# f9 }3 D7 ?! a! {
xor ax,ax
' a+ u: B. m r mov es,ax1 h0 k A* @: e) V& B9 B/ P
mov bx, cs9 Q- y6 \; t5 p5 \9 K2 N
lea dx, int41handler
- R$ w q! Q- F2 [- H9 S# O$ Z xchg dx, es:[41h*4]: |0 G. b/ v; g" q! I" O
xchg bx, es:[41h*4+2]( D0 Q' k* p: S6 o
in al, 40h$ p" v, M b9 u3 L$ v s5 k
xor cx,cx: U ?6 @7 U+ @8 f
int 41h2 b( P6 c% l$ }4 O: U
xchg dx, es:[41h*4]
4 H$ \" G* M3 ~9 x& q xchg bx, es:[41h*4+2]
8 e, ^' E' P3 _ cmp cl,al. [- |) x1 A: E2 n0 o, I
jnz SoftICE_detected
8 M4 r. z9 p% m! ^' Y0 m! t1 Q5 G/ ^( o( q% z6 k
_________________________________________________________________________" D5 R1 \: U) N4 L7 c& v0 v# c
) R, N& z% S$ ~3 F( ]1 @: V4 AMethod 07
; |. i0 e8 |8 l# ]=========
" `, C1 _( h F7 {$ r0 ~) K
$ z* l# |5 j$ H# `- wMethod of detection of the WinICE handler in the int68h (V86)
p; I8 |) M6 ^7 h9 }5 |( |! I# q- y3 `9 D1 `' K, z
mov ah,43h7 [* k [: R; A, d+ t7 u5 X" Y
int 68h( ^1 `/ {4 V/ R! j* T/ d
cmp ax,0F386h$ O2 r$ p- I- O: ~ @
jz SoftICE_Detected
' P) S) ~5 ^% M+ I& p- v; T' ^1 V8 C+ l9 h
1 k S% c0 a4 c& p; T/ B! \
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit7 @9 S7 A6 F& n7 N+ f, [ e8 @6 Y6 I
app like this:
& P2 F, w# X' W: n* U8 F7 d1 Y8 I0 D1 T( Y6 J) ^
BPX exec_int if ax==68; _. R* V! M3 ^' z( p) _
(function called is located at byte ptr [ebp+1Dh] and client eip is
* e' W7 [; t* C' W( [ located at [ebp+48h] for 32Bit apps)) X" g0 P, U$ v2 ?* d
__________________________________________________________________________) m+ R) a- b! j2 R
/ O! i, A8 E! ?, G0 b$ \% `) Z, ~7 V6 f! r! p, t. I1 x9 R
Method 08# ?! Q6 t* G3 r0 e( }
=========; J8 F- W6 o5 K& W3 _3 x
* }* d7 S# X; T: l2 r
It is not a method of detection of SoftICE but a possibility to crash the# {) ^0 d9 k# Y
system by intercepting int 01h and int 03h and redirecting them to another
2 b6 a" b0 L' rroutine. b0 t+ H; m. ^6 j9 d ?
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 N" Y% R* K: n. S; \to the new routine to execute (hangs computer...)
% p! C9 K0 P, [( u2 D2 \* P }/ Z1 p- h$ w' c# W# H0 z
mov ah, 25h
' Q( V2 p( e5 {2 V) H5 I mov al, Int_Number (01h or 03h)
8 A* ]4 v: `1 M mov dx, offset New_Int_Routine
9 z( ?3 n" h \6 e int 21h+ O. T/ ~" o5 Y, u4 J J" k, T) ?; J
, q% n. \% M, \__________________________________________________________________________
) Q; ]# q8 R2 R. a& ~
7 y }( H5 M2 u. R5 H$ _7 eMethod 09) d- R0 [% L% i. R9 [& a+ ~
=========% [. J* X. u9 R/ K# [
% J' S" e7 U. m: C- r
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only K: ?+ G' D# b' m
performed in ring0 (VxD or a ring3 app using the VxdCall).2 i% _3 G6 b: h+ T2 a0 ?3 Q
The Get_DDB service is used to determine whether or not a VxD is installed
5 g( |4 s* I7 `: J3 Z5 Xfor the specified device and returns a Device Description Block (in ecx) for
/ [* A3 z l0 `; z3 qthat device if it is installed.
( W1 v3 O# Y! r/ B7 X( d9 w$ |" Q1 I# v& m8 S: T9 w7 _; ]' c
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 d" t- n' c6 [7 h
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-), F4 A, \% X2 e' K) |
VMMCall Get_DDB
3 u& L& w8 E3 L" Y- y mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
# Q+ f K* U# l4 K, f- t6 x% C( Y2 P
Note as well that you can easily detect this method with SoftICE:
" [ [& l& C7 m. D+ H bpx Get_DDB if ax==0202 || ax==7a5fh9 x# ^2 D i! h3 H
( w8 z2 M6 B' C__________________________________________________________________________) p. L$ \4 B2 z, C) R" h
1 E$ m$ }( m# P& q2 m# p! J* kMethod 10/ T( P' l8 z! P* g" ]
=========
) G$ ?+ o0 g' U. V- @1 u$ D6 ]! V5 P. l% M5 m( a4 u2 E2 g
=>Disable or clear breakpoints before using this feature. DO NOT trace with r/ K' h5 M; ]
SoftICE while the option is enable!!
. M9 d( W. y& @7 m; a7 E) s' S, t
: S0 @. R5 i' ]' l- f4 q6 SThis trick is very efficient:$ R) ^$ x! D, { {4 x8 W4 i
by checking the Debug Registers, you can detect if SoftICE is loaded$ n" Q4 A% k" d1 K4 \% ^
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. ]% E) u1 h( P0 h& p7 ~2 z
there are some memory breakpoints set (dr0 to dr3) simply by reading their3 ]% d% t+ i, y3 Q+ X+ n. R) h3 C8 T9 O
value (in ring0 only). Values can be manipulated and or changed as well
4 g4 d5 f; Q) M* f1 n9 o(clearing BPMs for instance)8 P, ?8 H/ d2 N
2 `& f* o2 N( A G- N7 ?__________________________________________________________________________, k! n; z& `; m9 E8 y7 B
* o% Q# z6 x) Y# v1 c0 w( |2 K& u( f
Method 11$ w9 b+ M; R7 @5 C4 D
=========
3 E6 m: w W; u* ^
4 k- f# }, Y8 B' MThis method is most known as 'MeltICE' because it has been freely distributed
1 @! o) [3 D0 R! w" p2 M+ Uvia www.winfiles.com. However it was first used by NuMega people to allow7 T& ^3 b( W+ W! O7 n
Symbol Loader to check if SoftICE was active or not (the code is located7 y( P# i- h6 K3 I! m: A0 a1 c* r
inside nmtrans.dll).
+ N$ }/ S5 t- L! ? \) B. b; Z6 u/ K5 U: @8 w
The way it works is very simple:
, z M5 I& ]' x4 k: oIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 h, m0 {; C& J6 g* K- XWinNT) with the CreateFileA API.
; P( U; y) p( J" \/ g1 ?/ b9 {) b1 R8 |
Here is a sample (checking for 'SICE'):
4 c4 n2 z! ~- N1 o" k/ H" v' ]
5 Y' @0 u n3 ~7 n, h/ D! i( Z2 zBOOL IsSoftIce95Loaded()
' n) s, e, i# ]4 [3 U{
$ k2 ?- a1 _, Q HANDLE hFile;
: w0 A. @/ Z$ O+ N! {2 `, r* }9 Z hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ V9 R/ n/ ~( [% z FILE_SHARE_READ | FILE_SHARE_WRITE,8 f* o. o* ^5 i
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
/ }, c) m, G0 Q4 g7 ^ if( hFile != INVALID_HANDLE_VALUE )
/ @) ~5 H W( @& c {
" U4 S; f$ B0 p CloseHandle(hFile);
( n9 }4 Y$ u1 L. x% D2 P return TRUE;
0 S+ w" s! W+ G0 | }
; |2 g) n6 R9 k2 [( |7 y/ x return FALSE;8 f5 M+ X, s6 z4 Q
}8 g4 H# S6 X0 M5 y* r: w. G
% N- c' H. s6 p, H1 ? C# bAlthough this trick calls the CreateFileA function, don't even expect to be+ ^2 e7 H7 B3 v: |5 j' D3 |
able to intercept it by installing a IFS hook: it will not work, no way!& _6 C* d" f- _) P. w
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
- B( l8 \+ O% L7 vservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
/ M: g; k# S, |3 A' _and then browse the DDB list until it find the VxD and its DDB_Control_Proc
. j' B( a# `$ C; [2 ]: a. f! `( Ufield.' {3 F$ Z% W% w$ | i' X
In fact, its purpose is not to load/unload VxDs but only to send a
. p/ m3 j9 r: p# n, uW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
o5 u9 \; z1 B2 r& X0 Yto the VxD Control_Dispatch proc (how the hell a shareware soft could try- J" Y$ I* w& V7 z9 t! G3 M
to load/unload a non-dynamically loadable driver such as SoftICE ;-).8 N5 l. N: @# `/ `( f4 v6 N8 K
If the VxD is loaded, it will always clear eax and the Carry flag to allow" D. a0 w9 I9 v3 [' V2 Y
its handle to be opened and then, will be detected.
, g" S" C8 n5 iYou can check that simply by hooking Winice.exe control proc entry point
* U9 W/ c+ {2 k# kwhile running MeltICE.# P8 @& X' F/ N6 w3 r# {+ w
9 k7 U& X: I' F8 j& x# p( T- `$ U! F
00401067: push 00402025 ; \\.\SICE5 z7 I. R' y$ Y& t% a4 t$ @( t
0040106C: call CreateFileA* ?2 T; H# e8 h0 Y; k4 u& h
00401071: cmp eax,-001
8 k; [. _3 L9 j0 z 00401074: je 00401091
: K- g0 z. ?8 {/ y+ V3 b2 o1 S0 U6 a' _. Y. q8 O
1 d( s3 }) K! S5 M
There could be hundreds of BPX you could use to detect this trick.
/ r% t/ b$ x' R-The most classical one is:' O# s3 @3 I I- `* X* o# @
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
8 m% m: M2 K$ g$ T# K *(esp->4+4)=='NTIC'( z: Z( Q. K9 ?* y. I1 r) N7 q
6 w* ~5 u/ l# }6 M% u# F( {( V' D/ E; @
-The most exotic ones (could be very slooooow :-(
% f8 E7 P( D% u% G% l9 f5 O ` BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 6 P8 O* |) B H2 |
;will break 3 times :-(
. i- X; k/ y5 E+ G, [2 f/ h% [; T- Z
-or (a bit) faster:
1 r7 o6 [- M. B0 h0 x. n3 I BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 e. s- e+ Y( j$ V$ I) U
7 c+ P2 i" ^* ~ G BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' " V, v0 e' I$ R7 j- ?% q. f) l
;will break 3 times :-(- B1 b5 I& q2 u9 b( ^; ~
2 U( h5 C7 Z) z8 R$ `# p Y" f% Q) E0 s
-Much faster:+ a+ C, p: a8 R
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'4 Y: R' x: T# t; n
# |. {4 J9 J5 s3 E# |* S
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen1 E- Q$ T- ]% C# U0 [% d
function to do the same job:
& B0 H/ N3 e. I; Q& @6 f/ ~0 D8 Z1 G& l4 [" j( P" m p
push 00 ; OF_READ9 Y2 ?1 S. R* J3 u* ~3 }
mov eax,[00656634] ; '\\.\SICE',0" `( K% J3 ?' F }4 g
push eax
7 i' M( v7 G1 r0 j" u call KERNEL32!_lopen
8 R/ j1 t: X0 X; R, d1 Z, C8 q8 ~ inc eax, q8 W& a% T7 m' N# W% E+ m U- B
jnz 00650589 ; detected
) i+ u0 Q5 l4 T! H push 00 ; OF_READ
2 R3 h+ P% V' [& m- {7 P mov eax,[00656638] ; '\\.\SICE'/ s* Q4 U- a, Q4 {$ o; K! a/ F
push eax$ r7 z, R' u, d+ r! r+ N. K1 i
call KERNEL32!_lopen& d/ _( B* }) _+ A8 P/ z+ N) V
inc eax" X1 F/ R6 {: k2 G
jz 006505ae ; not detected
4 x2 X: T& p8 S/ N2 o. a
& c' o' V/ s0 T4 e& g8 ^. i6 y o5 X2 r! Q1 M" F/ m, ]
__________________________________________________________________________
- o. }1 Q- o3 s( X0 n1 l7 u: w
- N: k; T. P( N0 L m. y) g w# WMethod 125 Y3 e$ t- f$ z1 A5 ?% \) r
=========0 v( V# z$ k# A1 e( {5 ~+ x
) g& n2 T# D$ O! nThis trick is similar to int41h/4fh Debugger installation check (code 05( j1 Y9 s3 V' y3 s* B
& 06) but very limited because it's only available for Win95/98 (not NT)
* c5 E/ C X5 h+ K F) M5 P' |as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 X) M0 Z6 J* s& e& j4 }6 h. S
( _% V) u! H; b$ n: b* K! U/ R push 0000004fh ; function 4fh. N7 e+ p% R/ Y' x+ k' _
push 002a002ah ; high word specifies which VxD (VWIN32)
6 U |6 s0 a" M0 L3 Z ; low word specifies which service5 b( ^, E, I. E X: x5 [3 Y8 X
(VWIN32_Int41Dispatch)
, _8 ]1 V+ x* K; y7 m call Kernel32!ORD_001 ; VxdCall
) n# {/ g* @. I" u0 C2 @, G3 N cmp ax, 0f386h ; magic number returned by system debuggers
6 w4 B: o' R: K( G, p; x jz SoftICE_detected; e, Z2 W' {* t# P) C- D
5 F- r! a* k8 Y% u/ y
Here again, several ways to detect it:
& v0 m; ]- D" j& Y4 a
3 N0 U5 J; ^" _# v1 A BPINT 41 if ax==4f
8 Q! f( n: {7 F+ C$ P$ L& G4 V
: @2 [( e8 h; S3 v r1 p BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one5 u8 F% q L5 k% c3 K
" ]* g. w0 _# d8 ]0 x. m- w& Z BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A5 I+ C- w/ u( B9 m) A
9 J" }1 ^" B- s! `. Y7 I, y( q+ H
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
v q7 K$ |" Q- D2 q* c! {# r3 S6 ]1 h( B. ^
__________________________________________________________________________
% A1 {' `3 d$ U% Y& l% A
# b* m8 l8 Q( I3 l% Q9 sMethod 13' t, v! X: X' {" F8 y- C
=========
4 z% I; y3 D/ e. ?
. f4 C# L8 V' G; k3 pNot a real method of detection, but a good way to know if SoftICE is' v7 y, r; P% h9 I
installed on a computer and to locate its installation directory.
- v+ @; q; @" t3 a% s+ O3 M' dIt is used by few softs which access the following registry keys (usually #2) :
, Q) X: w7 W& P$ x. M4 S( @# H" x4 P# O/ p* g- T
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 o' S' P' E# F, v4 Z
\Uninstall\SoftICE& n/ ^ v$ A- K: S- P( Z+ g% X3 t8 W1 r
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( l% N0 m* y; Q9 g-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 W6 H' K8 l8 G2 U\App Paths\Loader32.Exe
5 H$ |' q) E8 T1 E b/ u6 W- j% F+ Q
$ P, s, W$ R% a
Note that some nasty apps could then erase all files from SoftICE directory, a. N6 [! G6 t# M6 p$ Z
(I faced that once :-(' q5 B% y# M/ J# X2 M5 e4 [
5 g& A+ h6 ^7 [0 S2 [3 g
Useful breakpoint to detect it:6 L. Z8 z p* S& O
+ l( c* f. Q# X, E) G; o BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'. W. W. m" T9 y( y1 }
4 |- |% W; d; @
__________________________________________________________________________2 h, _: r% G( a ~5 m0 e
% }- T9 f2 a( N+ I, u1 c
1 \; O* Q- q P- Z7 i! mMethod 14 0 n; y: g) q5 I3 V* m) w& \, @
=========4 l3 {0 X' n" u" ~# K
# _7 b7 F! I4 q1 j. g. |
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: c4 t* ?, K; s8 e" h
is to determines whether a debugger is running on your system (ring0 only).' e2 z/ a6 b4 s5 X: p% \
4 }- z0 M' N* {! R# w8 h& o* q VMMCall Test_Debug_Installed' K. S2 T# U: }' \. o
je not_installed+ J# K5 f/ \) a. N9 J9 I, H. S
% a$ l) t) Z W A: n9 OThis service just checks a flag.0 W* U" ^8 z D' J& @* C
</PRE></TD></TR></TBODY></TABLE> |