<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh    ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is in ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h          ; VxD ID of winice
        int 2Fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh          ; VxD ID of SIWVID
        int 2fh
        mov ax, es             ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
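Added example (not code from the original text or from NuMega): a decoder for the DR7 bits this check reads, so an analyst can see exactly what a protector learns from dr7=0x700 versus 0x400 and from the DR0-DR3 enable bits. Bit positions follow the Intel SDM debug-register layout; the sample values are the two quoted above plus one constructed value with DR0 armed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7; bit positions follow the Intel SDM debug-register layout. */
struct dr7_info {
    int local_enable[4];   /* L0..L3 : bits 0,2,4,6                                  */
    int global_enable[4];  /* G0..G3 : bits 1,3,5,7                                  */
    int le, ge;            /* LE, GE : bits 8,9 (exact breakpoint enable)            */
    int gd;                /* GD     : bit 13 (fault on access to debug registers)   */
    int rw[4];             /* R/Wn   : bits 16+4n, 0=exec 1=write 2=I/O 3=read/write */
    int len[4];            /* LENn   : bits 18+4n, 0=1 byte 1=2 bytes 3=4 bytes      */
    int armed;             /* 1 if any Ln/Gn enable bit is set                       */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.local_enable[n]  = (dr7 >> (2 * n))      & 1;
        d.global_enable[n] = (dr7 >> (2 * n + 1))  & 1;
        d.rw[n]            = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]           = (dr7 >> (18 + 4 * n)) & 3;
        if (d.local_enable[n] || d.global_enable[n])
            d.armed = 1;
    }
    d.le = (dr7 >> 8)  & 1;
    d.ge = (dr7 >> 9)  & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoint slots (DR0..DR3) that are enabled. */
int dr7_count_breakpoints(uint32_t dr7)
{
    struct dr7_info d = dr7_decode(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += (d.local_enable[n] || d.global_enable[n]);
    return count;
}

/* The two values the text quotes: bit 10 of DR7 is reserved and reads as 1,
 * so 0x400 is the idle baseline; 0x700 is that baseline plus LE and GE.
 * Neither value has a breakpoint slot enabled, which is why this part of the
 * check keys on LE/GE rather than on DR0..DR3. */
int dr7_matches_sice_loader(uint32_t dr7)
{
    return (dr7 & 0x7FF) == 0x700;
}

static void dr7_print(uint32_t dr7)
{
    static const char *kind[]  = { "exec", "write", "I/O", "read/write" };
    static const int   bytes[] = { 1, 2, 8, 4 };
    struct dr7_info d = dr7_decode(dr7);
    printf("DR7=0x%08X  LE=%d GE=%d GD=%d  slots enabled=%d  loader pattern=%s\n",
           dr7, d.le, d.ge, d.gd, dr7_count_breakpoints(dr7),
           dr7_matches_sice_loader(dr7) ? "yes" : "no");
    for (int n = 0; n < 4; n++)
        if (d.local_enable[n] || d.global_enable[n])
            printf("  DR%d: %s%s %s, %d byte(s)\n", n,
                   d.local_enable[n] ? "L" : "", d.global_enable[n] ? "G" : "",
                   kind[d.rw[n]], bytes[d.len[n]]);
}

int main(void)
{
    /* constructed sample values: the two from the text, plus one with DR0
     * armed as a 4-byte read/write breakpoint (L0=1, R/W0=3, LEN0=3) */
    dr7_print(0x400);
    dr7_print(0x700);
    dr7_print(0x000F0401);
    return 0;
}
```

Reading DR7 requires ring0 on every system this text covers, so the decoder is meant for values captured from a driver, a crash dump or a debugger, not for use from a user-mode program.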

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name; this only succeeds when SICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025          ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
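Added example, not code from the original text or from any of the programs it names: a static triage scanner that looks through a byte buffer for the artifacts of methods 01, 02, 11 and 13 (the 'BCHK' int 3 stub, the 4647h/4A4Dh magic values, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the Software\NuMega\SoftICE registry path), so an analyst can spot these checks in an unpacked image before loading it under the debugger. Opcode bytes are the standard x86 encodings of the instructions shown in those methods; the three sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One bit per trick family from the text. */
enum {
    HIT_BCHK_INT3    = 1 << 0,  /* method 01: mov ebp,'BCHK' ... int 3         */
    HIT_SICE_MAGIC   = 1 << 1,  /* method 02: mov si,4647h / mov di,4A4Dh     */
    HIT_DEVICE_NAME  = 1 << 2,  /* method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE */
    HIT_REGISTRY_KEY = 1 << 3   /* method 13: Software\NuMega\SoftICE          */
};

struct pattern {
    const uint8_t *bytes;
    size_t         len;
    int            flag;
    const char    *note;
};

/* Opcode bytes follow the standard x86 encoding: B8+reg = mov reg,imm, CC = int 3.
 * The 16-bit forms of mov si/di are used because method 02 is DOS real-mode code. */
static const uint8_t pat_bchk[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };  /* mov ebp,4243484Bh */
static const uint8_t pat_si[]   = { 0xBE, 0x47, 0x46 };              /* mov si,4647h      */
static const uint8_t pat_di[]   = { 0xBF, 0x4D, 0x4A };              /* mov di,4A4Dh      */

#define STR_PAT(s, f, note) { (const uint8_t *)(s), sizeof(s) - 1, (f), (note) }

static const struct pattern patterns[] = {
    { pat_bchk, sizeof pat_bchk, HIT_BCHK_INT3,  "BoundsChecker 'BCHK' int 3 check (method 01)" },
    { pat_si,   sizeof pat_si,   HIT_SICE_MAGIC, "back door magic SI=4647h (method 02)" },
    { pat_di,   sizeof pat_di,   HIT_SICE_MAGIC, "back door magic DI=4A4Dh (method 02)" },
    STR_PAT("\\\\.\\SICE",   HIT_DEVICE_NAME, "device name \\\\.\\SICE (method 11)"),
    STR_PAT("\\\\.\\SIWVID", HIT_DEVICE_NAME, "device name \\\\.\\SIWVID (method 11)"),
    STR_PAT("\\\\.\\NTICE",  HIT_DEVICE_NAME, "device name \\\\.\\NTICE (method 11)"),
    STR_PAT("Software\\NuMega\\SoftICE", HIT_REGISTRY_KEY,
            "registry key Software\\NuMega\\SoftICE (method 13)"),
};

/* A 'mov ebp,BCHK' is only the method 01 stub if an int 3 follows shortly. */
static int int3_follows(const uint8_t *buf, size_t len, size_t off)
{
    if (off >= len) return 0;
    size_t window = (len - off < 8) ? len - off : 8;
    return memchr(buf + off, 0xCC, window) != NULL;
}

/* Returns a bitmask of HIT_* flags for the indicators present in buf. */
int scan_for_sice_checks(const uint8_t *buf, size_t len, int verbose)
{
    int hits = 0;
    for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
        const struct pattern *pat = &patterns[p];
        for (size_t pos = 0; pos + pat->len <= len; pos++) {
            if (memcmp(buf + pos, pat->bytes, pat->len) != 0) continue;
            if (pat->flag == HIT_BCHK_INT3 && !int3_follows(buf, len, pos + pat->len))
                continue;
            hits |= pat->flag;
            if (verbose) printf("offset 0x%04zx: %s\n", pos, pat->note);
            break;  /* one report per pattern is enough for triage */
        }
    }
    return hits;
}

/* Constructed sample buffers (not taken from any real program). */
const uint8_t sample_win32_stub[] = {
    0x90, 0x90,                         /* nop ; nop                          */
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh   ('BCHK')       */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax,4            (32-bit code)  */
    0xCC,                               /* int 3                              */
    0x3C, 0x04,                         /* cmp al,4                           */
    0x75, 0x10,                         /* jnz short SoftICE_Detected         */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
    'S','o','f','t','w','a','r','e','\\','N','u','M','e','g','a','\\','S','o','f','t','I','C','E', 0
};
const uint8_t sample_dos_stub[] = {
    0xB8, 0x11, 0x09,                   /* mov ax,0911h  (16-bit code)        */
    0x8B, 0x17,                         /* mov dx,[bx]                        */
    0xBE, 0x47, 0x46,                   /* mov si,4647h                       */
    0xBF, 0x4D, 0x4A,                   /* mov di,4A4Dh                       */
    0xCC                                /* int 3                              */
};
const uint8_t sample_clean[] = {        /* 'BCHK' immediate in data, no int 3 */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 'h', 'e', 'l', 'l', 'o', 0, 0, 0, 0, 0
};

int main(void)
{
    printf("win32 stub: mask 0x%x\n", scan_for_sice_checks(sample_win32_stub, sizeof sample_win32_stub, 1));
    printf("dos stub:   mask 0x%x\n", scan_for_sice_checks(sample_dos_stub,   sizeof sample_dos_stub,   1));
    printf("clean:      mask 0x%x\n", scan_for_sice_checks(sample_clean,      sizeof sample_clean,      1));
    return 0;
}
```

The string patterns are ANSI only (a Unicode variant of the CreateFile check would need a second set), and the 3-byte mov si/di patterns will occasionally match ordinary data, so treat a method 02 hit without the rest of the stub nearby as a lead for the breakpoints given above rather than a verdict.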

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>