<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3                   ; SoftICE's int 3 handler answers this request
        cmp al,4                ; al is modified if SoftICE answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


        4C19:0095  MOV  AX,0911     ; execute command.
        4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647     ; 1st magic value.
        4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT  3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1  ADD  BX,02       ; BX+2 to point to next command to execute
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB   0095        ; 6 different commands.
        4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                   ; ES = 0 -> interrupt vector table (as in Method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]         ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h              ; our handler leaves ax alone: 0F386h means a debugger answered
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; only reached if no debugger owns int 41h
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a hard-to-predict value
        xor cx,cx
        int 41h                 ; our handler copies al into cl; if SoftICE answered instead, cl stays 0
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
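To make the two dr7 values quoted above concrete, here is a decoder of the DR7 bit fields. This is an added example, not code from the original text; the register value is passed in as a plain integer (DR7 itself is only readable from ring0) and the third sample value is constructed:

```c
/* Decoder for the x86 DR7 debug-control register (bit layout per the Intel SDM).
 * Added example for Method 10; in ring0 the value would come from "mov eax,dr7". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct {
    int local_en[4];     /* L0..L3  : bits 0,2,4,6 */
    int global_en[4];    /* G0..G3  : bits 1,3,5,7 */
    int rw[4];           /* R/W0..3 : bits 16-17, 20-21, 24-25, 28-29 */
    int len[4];          /* LEN0..3 : bits 18-19, 22-23, 26-27, 30-31 */
    int le, ge, gd;      /* bit 8 LE, bit 9 GE, bit 13 GD (general detect) */
    int armed;           /* DRn slots with L or G set, i.e. live BPMs */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int n = 0; n < 4; n++) {
        d.local_en[n]  = (dr7 >> (2 * n)) & 1;
        d.global_en[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]        = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]       = (dr7 >> (18 + 4 * n)) & 3;
        if (d.local_en[n] || d.global_en[n]) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;  d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

static const char *rw_name[4]   = {"exec", "write", "io", "read/write"}; /* R/W field */
static const int   len_bytes[4] = {1, 2, 8, 4};   /* LEN field; 8 only in long mode */

/* Method 10's reading of DR7: bit 10 always reads as 1, so 0x400 is an untouched
 * register; 0x700 adds LE and GE (what the text attributes to the SoftICE loader). */
const char *dr7_verdict(uint32_t dr7)
{
    dr7_t d = dr7_decode(dr7);
    if (d.armed)      return "memory breakpoint armed";
    if (d.le && d.ge) return "LE/GE set: started from the SoftICE loader";
    return "clean";
}

int main(void)
{
    /* constructed samples: the two values from the text, plus DR0 armed as a
     * local 4-byte write breakpoint (L0=1, R/W0=01b, LEN0=11b -> 0x000D0001) */
    uint32_t samples[] = {0x700, 0x400, 0x000D0001};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_t d = dr7_decode(samples[i]);
        printf("dr7=%08x LE=%d GE=%d GD=%d -> %s\n", (unsigned)samples[i],
               d.le, d.ge, d.gd, dr7_verdict(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.local_en[n] || d.global_en[n])
                printf("  DR%d: %s, %d byte(s)%s\n", n, rw_name[d.rw[n]],
                       len_bytes[d.len[n]], d.global_en[n] ? ", global" : "");
    }
    return 0;
}
```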
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* The open only succeeds when the SoftICE VxD is loaded; the same call with
   "\\\\.\\SIWVID" or "\\\\.\\NTICE" covers the other two drivers. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the handle was only needed as a probe */
        return TRUE;            /* SoftICE (SICE) is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>