<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov  ebp, 04243484Bh    ; 'BCHK'
    mov  ax, 04h
    int  3
    cmp  al, 4
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911    ; execute command.
    4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647    ; 1st magic value.
    4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0  INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
    4C19:00A8  JB   0095       ; 6 different commands.
    4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 0202h          ; VxD ID of WINICE
    int  2Fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 7A5Fh          ; VxD ID of SIWVID
    int  2Fh
    mov  ax, es             ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov  ax, 4Fh
    int  41h
    cmp  ax, 0F386h
    jz   SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov  bx, cs
    lea  dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov  ax, 4Fh
    int  41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp  ax, 0F386h
    jz   SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov  cl, al
    iret
int41handler ENDP

    xor  ax, ax
    mov  es, ax
    mov  bx, cs
    lea  dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in   al, 40h
    xor  cx, cx
    int  41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp  cl, al
    jnz  SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov  ah, 43h
    int  68h
    cmp  ax, 0F386h
    jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov  ah, 25h
    mov  al, Int_Number            ; 01h or 03h
    mov  dx, offset New_Int_Routine
    int  21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov  eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov  edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov  [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds if the SICE VxD is loaded (see below) */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025         ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je   not_installed

This service just checks a flag.
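The byte-level idioms of the methods above (magic constants, interrupt numbers, device and registry names) are what an analyst looks for when triaging a sample before loading it in a debugger. The following Python scanner is an added example, not part of the original text: the opcode encodings are standard x86, while the gap widths allowed between the key instructions and the sample bytes are my own assumptions.

```python
"""Static triage of x86 binaries for the SoftICE checks described above."""
import re

# Encodings of the key instructions: MOV r16,imm16 = B8+r iw, MOV EBP,imm32 = BD id,
# INT n = CD ib, INT 3 = CC, CMP AX,imm16 = 3D iw, PUSH imm32 = 68 id, PUSH imm8 = 6A ib.
# The lazy ".{0,N}?" gaps (assumed widths) allow a few unrelated instructions between
# the key ones, as in the page's own listings.
SIGNATURES = {
    "method 01: 'BCHK' BoundsChecker int 3":
        rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",                 # mov ebp,4243484Bh ... int 3
    "method 02: SoftICE back door (SI=4647h, DI=4A4Dh, int 3)":
        rb"(?:\xbe\x47\x46.{0,12}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,12}?\xbe\x47\x46).{0,12}?\xcc",
    "method 03/04: int 2Fh/1684h with SICE or SIWVID VxD ID":
        rb"\xb8\x84\x16.{0,12}?\xbb(?:\x02\x02|\x5f\x7a).{0,12}?\xcd\x2f",
    "method 05: int 41h then cmp ax,0F386h":
        rb"\xcd\x41.{0,24}?\x3d\x86\xf3",
    "method 07: int 68h/ah=43h then cmp ax,0F386h":
        rb"\xb4\x43.{0,12}?\xcd\x68.{0,12}?\x3d\x86\xf3",
    "method 12: VxDCall VWIN32_Int41Dispatch/4Fh":
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,8}?\x68\x2a\x00\x2a\x00",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]

# Plain strings the MeltICE (method 11) and registry (method 13) checks need. Both the
# ASCII and the UTF-16-LE spelling are searched, since the W variants of the APIs use the latter.
STRING_MARKS = {
    "method 11: MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "method 13: SoftICE registry key": [b"Software\\NuMega\\SoftICE"],
}


def scan(buf: bytes):
    """Return (offset, description) pairs, sorted by offset, for every idiom found in buf."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    for name, marks in STRING_MARKS.items():
        for mark in marks:
            for variant in (mark, mark.decode("ascii").encode("utf-16-le")):
                off = buf.find(variant)
                while off != -1:
                    hits.append((off, name))
                    off = buf.find(variant, off + 1)
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk (raw bytes, no PE parsing; packed sections stay opaque)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample, not a real binary: the Haspinst-style back door call (method 02),
# the int 41h/4Fh check (method 05) and a MeltICE device name.
SAMPLE = (
    b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3
    b"\x90\x90\x90\x90"                          # padding
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # mov ax,4Fh / int 41h / cmp ax,0F386h
    b"\x00\\\\.\\SICE\x00"                       # "\\.\SICE"
)

if __name__ == "__main__":
    for off, what in scan(SAMPLE):
        print(f"{off:08x}  {what}")
```

A hit only says the idiom is present; packed or encrypted code has to be unpacked first, and the int 41h/0F386h pattern in particular also appears in legitimate debugger-aware runtime code.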
</PRE></TD></TR></TBODY></TABLE>