<TABLE width=500>
8 {% w2 z/ A c! U" J) u<TBODY>
! Z8 j& A+ p( I- B0 x<TR>
& |, n7 P# ^$ G# o) k, d) o/ X<TD><PRE>Method 01
2 q( D# t- D$ ^, N1 i=========+ F* I6 j2 o1 M( C" t$ m# d
4 n0 f! y' m4 D: EThis method of detection of SoftICE (as well as the following one) is
1 C6 x9 |' S$ E- H7 Oused by the majority of packers/encryptors found on Internet.
g1 p9 X( R6 N* C/ H4 b! N8 gIt seeks the signature of BoundsChecker in SoftICE7 E6 S2 t( S( J6 ~8 }- [% g+ I
$ Z; J1 B7 I2 N5 l7 x3 U
mov ebp, 04243484Bh ; 'BCHK'5 u# C- ^) P5 ]2 l( d8 `
mov ax, 04h
; k7 ?6 Z+ `* d# D- a int 3 1 \& _5 D" e a! w: q
cmp al,4
' W7 D' g; f& T. F$ H8 g jnz SoftICE_Detected/ \7 R L5 X {6 @% X! ^$ H
. Z/ Z' A- ` c5 t8 C+ T
___________________________________________________________________________' j4 b* t6 Q/ t) H2 o( |
0 C3 B- q* o* p1 H* sMethod 02' X0 ~3 Q& x' Y: G
=========
- M2 B2 o4 u% P$ V" ~9 ~3 f' i* ]8 o/ [# K/ Y3 J
Still a method very much used (perhaps the most frequent one). It is used
$ @5 Y6 s4 p, y5 i7 e% h- ato get SoftICE 'Back Door commands' which gives infos on Breakpoints,' P; l2 }( i0 L4 O' e
or execute SoftICE commands... o3 r, H. o- v( S8 `+ K, S: y
It is also used to crash SoftICE and to force it to execute any commands/ o3 y( T8 t$ s; E& c
(HBOOT...) :-((
' T8 s" ?' {2 a% F7 M9 B: o- r+ `2 K1 h
Here is a quick description:7 _+ r1 W; E% F6 I
-AX = 0910h (Display string in SIce windows)
) y, d0 z. j2 I/ L-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)( [/ Y, S& T% I8 |6 K, m
-AX = 0912h (Get breakpoint infos)
4 \9 c. p" { Z/ n1 p-AX = 0913h (Set Sice breakpoints)7 N# S* p2 s W" X" s2 y) ~+ \
-AX = 0914h (Remove SIce breakoints)
; G4 s4 g3 w9 l, G! q1 r8 [" }$ C4 s$ @) @
Each time you'll meet this trick, you'll see:
5 F5 k% y0 ?) B! G5 k: H+ Y. d( U/ V-SI = 4647h0 {8 O! g) ~- R, a j2 B
-DI = 4A4Dh
% X0 O9 ^# i0 F2 Y% wWhich are the 'magic values' used by SoftIce.
& s8 h" Y: Q8 T( ~' e7 KFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% @& e- |% p4 U, w3 W7 d9 ~3 _$ l: ~" V) G( p* i5 [
Here is one example from the file "Haspinst.exe" which is the dongle HASP8 n u0 o8 l9 e( K+ I1 b! G
Envelope utility use to protect DOS applications:
0 j/ O: A7 e' \2 ^% L+ Q$ [+ G/ D; k
# c3 p& C. o& P3 g% F9 d, ]% S( N+ u3 L
4C19:0095 MOV AX,0911 ; execute command.* @$ D1 m9 I+ V4 N* |6 P- {
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
: }4 Z8 Y' g6 ]! }. _4C19:009A MOV SI,4647 ; 1st magic value.
2 W2 |6 g* I' G1 j4C19:009D MOV DI,4A4D ; 2nd magic value.3 |( {: k T x' Z, D1 o
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)7 X+ Z+ }: X& {' k
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute" k( R/ O3 q% h7 V
4C19:00A4 INC CX8 \2 S/ ~' @) Z) z9 g! G7 y
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute9 m" m5 f% i7 P4 Q* t" C, v
4C19:00A8 JB 0095 ; 6 different commands.
: [' K& u, g6 U! O% d. C. ~% \4C19:00AA JMP 0002 ; Bad_Guy jmp back.6 T3 R% X1 S, b. ^7 C: [' r
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
+ I) e0 H8 G/ `6 F( ~9 Y0 z! F0 L0 s* M% w
The program will execute 6 different SIce commands located at ds:dx, which# V( a$ j2 f' D$ k: w( h
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
4 b6 ?( P/ [! N
7 }% O/ W+ b0 n* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 e4 w4 B+ D/ G0 |$ \$ b' J
___________________________________________________________________________
" r" p# Q E; Y( S! r' h' A# ~4 m# H- H: E1 s: W5 K
/ j/ c$ z' \( g- OMethod 03
* E& m3 v3 W2 i% C/ z7 y, j7 D1 m=========
& s! D; s0 D4 ^* H
7 H% F& [2 w! ?" b2 T+ YLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
. ?+ j( A' c2 m1 s2 @(API Get entry point)" ~( o2 |$ j9 p6 |* l6 l8 t
: f9 p# _3 p9 c* B
! m& Q+ \' r" Y+ o xor di,di& o4 m! Q+ ^- S8 D6 u3 b g
mov es,di
* D" Q/ Q0 j" Q* m1 ~ mov ax, 1684h
2 U4 k4 q* s) E mov bx, 0202h ; VxD ID of winice T" P N/ T3 B
int 2Fh. n9 P" Z6 P9 H9 D
mov ax, es ; ES:DI -> VxD API entry point
. l6 I) v2 k3 q: ?" m3 f/ a add ax, di! A1 i% U& ~. s1 D. i) [' ], f8 Q
test ax,ax
, {8 j& {: n& | ~& Q# s( G jnz SoftICE_Detected" f5 w2 @! l( H7 t
9 l" O M! U1 D: R6 ?3 n; P3 x___________________________________________________________________________
* k7 K* O6 Y r9 E- f. U/ y9 Q* B3 _2 k
Method 04
; w+ C- X5 `' \; j=========7 h6 h: T, _+ A; v
/ _" t) A! X5 C M. h4 s+ DMethod identical to the preceding one except that it seeks the ID of SoftICE
6 Z# z0 d! z+ g) `6 J/ tGFX VxD.; B( ?. l3 x# J+ d; T% Q& Y1 h
, x" t0 S. |. {7 u; _ xor di,di
6 p" t% M2 B& \1 m mov es,di
1 D# t; I' _' P2 A mov ax, 1684h - W7 u X+ A; ~) \6 H
mov bx, 7a5Fh ; VxD ID of SIWVID
# M; v- H2 f* T5 E) L' g5 d9 N- ] int 2fh* j; T9 I: p1 B" Z. Z3 v6 b; s- _
mov ax, es ; ES:DI -> VxD API entry point' I3 d8 m) D* ]: h: R
add ax, di
F9 F% o3 B& O9 E: N1 K' a1 V* c1 k test ax,ax
: P6 ^4 @: Q( @: x5 S jnz SoftICE_Detected" ]8 m$ K8 O+ {( [& z
5 R# u3 }8 v, ^2 |( D8 }__________________________________________________________________________
! S, |$ h. w" D E- t" Y5 z+ m3 G3 |1 K8 y- X/ ^
* g! |2 l8 {8 J/ G" f5 \Method 056 l4 h( B9 n5 V
=========
6 Y/ p( s4 P1 W% J
- }- Z4 l' X3 Z+ @2 ZMethod seeking the 'magic number' 0F386h returned (in ax) by all system8 \6 Z" {$ ~$ d/ ]
debugger. It calls the int 41h, function 4Fh.
0 a6 r& l5 Z' C8 HThere are several alternatives.
8 R/ W7 w3 I5 x5 c8 }1 N. v
7 C) U5 Y3 u. Z% V9 RThe following one is the simplest:. ]9 F: v r5 r8 `4 Z# v
! D9 M% `, }7 g9 f
mov ax,4fh
4 l; l! X& G* L8 t* G3 m. x Y int 41h
3 f- W6 t! Z% h. H8 R7 q, { cmp ax, 0F3865 M* I$ X! x2 z9 o2 y
jz SoftICE_detected
8 o4 m" P+ N5 q9 g" f) w8 c# G4 k: R3 P
8 G* G. h7 l6 w& n D
Next method as well as the following one are 2 examples from Stone's
$ [1 Y. O$ t# ~2 R"stn-wid.zip" (www.cracking.net):
$ ^6 A- v: c7 Q H0 W
3 O* s1 {$ s/ ^2 ?+ k" _ mov bx, cs6 A9 Y* O' V9 f1 g9 O
lea dx, int41handler24 J/ A; [! w( o1 ~6 O* g& t7 K7 z3 t
xchg dx, es:[41h*4]
2 w$ N7 e! k1 L& N# g# e& @ xchg bx, es:[41h*4+2]
! v$ `) o8 V! h' J& W4 l mov ax,4fh
. e/ S6 p& J, y: S0 R6 t int 41h
: ]# K# y( A' m; W+ v q xchg dx, es:[41h*4]
7 ?0 ^0 P5 N; O9 i6 {$ p) D6 `0 u xchg bx, es:[41h*4+2]+ Z# H5 j+ Q9 T
cmp ax, 0f386h
* I6 L8 v$ q+ D1 i4 W) r jz SoftICE_detected/ |" r6 o( B1 `/ B9 g9 k7 |
: n2 I- Q& Y; g, \4 K" G3 K- pint41handler2 PROC( F% f) l- _" W4 [8 ^7 R
iret0 A v! K/ Y: i. [
int41handler2 ENDP
" h m, G/ f/ @4 t! q
6 _& {7 T a6 p0 ~ a& _6 J: V; ?5 H6 t6 z+ w6 h& _
_________________________________________________________________________; N5 [9 p8 A4 S
2 t6 C# P3 q3 j3 ^; N# B# z/ o( O7 @0 J( g$ l- d
Method 06* F# P$ J' V) |, x/ j
=========
, R9 ^3 t# f2 M) A: E5 s( m h
/ t) O6 U1 v7 M7 T) @1 G! t
+ m L& K5 Q, O2nd method similar to the preceding one but more difficult to detect:
$ l- P4 A* H M/ U- {8 c" g8 }6 q! E0 C
& J4 P4 s4 ~1 u5 F* \4 N; Oint41handler PROC
2 ]! S3 j4 o% @0 _ mov cl,al% ~. N3 r+ ]3 L) {- a9 f, U) |
iret: \% i/ g0 V. n+ l& C! K
int41handler ENDP
4 `- w4 F# Z7 q0 V! }2 d/ e/ {" w- v
: k- t3 N! n1 y; ~' i8 }
xor ax,ax
, m3 k C; W! Q+ c mov es,ax& A/ x5 e1 o) T) V: l$ O S' \8 U
mov bx, cs
1 e5 ^: G, C0 R9 B lea dx, int41handler
* j" \4 r5 }1 m. e- K xchg dx, es:[41h*4]
: k/ u$ v& R# T9 @ xchg bx, es:[41h*4+2], d |, f% d2 C4 o1 O
in al, 40h
& e. P8 j# b+ g xor cx,cx- O1 u/ e: v! C9 E" [$ M1 D4 [
int 41h! B. _) @+ h% f& s& ~4 G" D) I1 D
xchg dx, es:[41h*4]
; o1 e2 |4 j' Z( T. z* I2 w xchg bx, es:[41h*4+2]: B% B/ a5 r( I
cmp cl,al& r- w) n, T, S" h
jnz SoftICE_detected
5 U1 h& P4 }* n, y
6 C# l: L! R! X. {3 X8 H' a_________________________________________________________________________% L' D9 s; t e0 ]8 Y, c
, i/ b8 j6 z q
Method 07( J( Y0 w% P5 g4 @: j" l
=========
% Q& l% q' n n! e9 V* s/ @
: Q: ~+ i+ V1 u, h/ ]Method of detection of the WinICE handler in the int68h (V86). P: n2 F' y. d' Y# J) e7 ?8 i( q# X
+ K0 N# j* G" b- r mov ah,43h# c6 {0 y# ]5 j/ e8 k' Q+ v- d* }# R
int 68h' b6 ?" ?5 i) D% @3 e
cmp ax,0F386h
& {" B, X% O, x* d* C0 H4 `( A jz SoftICE_Detected
+ L+ D4 G* n0 N$ i2 {! z7 T: @3 z1 {9 Y' E$ X6 `5 @$ V& F0 H
- t. r) K2 Q7 R+ M: A; ]
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit* D5 e4 H. e- G, s# n8 R7 s0 F
app like this:3 ]9 q1 _$ @6 X5 j# r
" F' |0 ]& I e! c
BPX exec_int if ax==68* y& v; K* Q2 X
(function called is located at byte ptr [ebp+1Dh] and client eip is
& m; `# D& d" ~; c9 C: ?* h6 m located at [ebp+48h] for 32Bit apps)! T& k5 E2 J: X4 h3 V
__________________________________________________________________________
' w& W6 z8 A: g" N: A; b1 t8 k3 s1 ~( X0 j6 z
2 J$ X* V: r" P
Method 08
7 a+ d; d* N. N t% _=========1 p& N7 [; h7 S: U X! W
' d' U. W/ [; @! S+ K; k8 n& x& A& FIt is not a method of detection of SoftICE but a possibility to crash the: _( H- N6 R% B/ b! s1 ?1 I& M
system by intercepting int 01h and int 03h and redirecting them to another2 d }" A4 c- S8 T8 K- T$ H0 i0 K4 M
routine.
+ U" {( S; I& Z: AIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) \, @9 _3 [5 ]: Z M9 q6 _
to the new routine to execute (hangs computer...)8 A$ u9 ?8 p8 b5 T
+ l% ~/ f' j% `% G7 V6 v0 ~- p2 j mov ah, 25h
8 m+ U, o- B# {& U* }9 L. q mov al, Int_Number (01h or 03h)4 i: @- u4 A! o6 _8 p
mov dx, offset New_Int_Routine1 ], E3 R6 `" S& k
int 21h
c4 ]: a6 z! J# |6 c
, c4 ?: R. C& x2 F__________________________________________________________________________
2 T, U) _! H0 J" \7 T g- e. `8 {2 R3 } B' }
Method 09
& _2 J: [5 n, k' I0 R& p# Q=========
}( S6 a$ A0 k4 u7 M9 u9 I e+ z9 g/ q" N# b2 A" Y
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only7 c# ~" L: U" |% }( c( p
performed in ring0 (VxD or a ring3 app using the VxdCall).
# B9 A1 Q1 i) P9 @- c. ^The Get_DDB service is used to determine whether or not a VxD is installed
6 e% h5 G: u& V1 w% e( R2 T9 ?' \7 Zfor the specified device and returns a Device Description Block (in ecx) for
+ `& Z& E; K9 f( ythat device if it is installed.
6 \$ R. m5 o. `- }5 Q @+ A
& s0 b m9 y* M. [1 B mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID6 v5 K# E& ]( |7 y* x/ L; o
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-), n& M' S- v8 h0 \0 F5 V1 x# x
VMMCall Get_DDB
5 }6 Y! }1 g% [% I: M# @) o: {- Q mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
) w1 B! [$ F( ^+ f3 W" ?! ~3 z& U0 F3 z6 x) g/ v
Note as well that you can easily detect this method with SoftICE:
( M+ b$ o2 ^( U8 j. T bpx Get_DDB if ax==0202 || ax==7a5fh8 e1 ^) @) G$ h, ^8 [
+ j2 Q3 `$ ~0 s0 j
__________________________________________________________________________/ ~" ~' p/ k2 ]8 i( X" d1 j
0 S$ h# r) t9 b& t5 aMethod 10! u! u( H3 v2 p+ N" K& T: @
=========! ^2 a/ ]$ ^! I1 n( ]2 c
: t9 f% U( ~1 T=>Disable or clear breakpoints before using this feature. DO NOT trace with
5 j7 t6 Z5 l* L* \ SoftICE while the option is enable!!
' p( K6 C1 H7 z/ Z
- |9 e$ h# E- g6 ~This trick is very efficient:
+ _0 T. k% B- Bby checking the Debug Registers, you can detect if SoftICE is loaded) M9 M6 C( B4 r2 T8 t& z
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 \1 Q, X$ C; m
there are some memory breakpoints set (dr0 to dr3) simply by reading their" N' U5 ], s: J# p
value (in ring0 only). Values can be manipulated and or changed as well" N! u/ W2 J3 r! t
(clearing BPMs for instance)
* J5 E6 u# i3 @, }$ K* S/ P- F# f5 l4 H9 R, a; S' q
__________________________________________________________________________
- ~8 d+ z: T1 N \& p
4 ?7 v# F+ l! _/ b( p% PMethod 11
( z$ `3 Q, l$ P$ }# C1 |=========
: j: i2 Y, e u f1 u& q6 x2 X
" Z* a3 c: H% l# X/ P3 A3 p. N JThis method is most known as 'MeltICE' because it has been freely distributed' q' @7 e2 U' c% d$ z& G
via www.winfiles.com. However it was first used by NuMega people to allow
; p1 b* S3 ?' M0 L3 \1 U) ^4 f4 cSymbol Loader to check if SoftICE was active or not (the code is located9 F; Y+ H5 p2 L3 T
inside nmtrans.dll).
+ F- X( M' f, E% I) H" b
& u$ X" o8 m r4 ^/ @- |The way it works is very simple:
% j+ v" _- k' q! XIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 r! y4 F5 h2 ]# ^; x: @+ v
WinNT) with the CreateFileA API.
* R5 T+ l+ c: P( Q4 f
! _# |- ]) ?& V9 IHere is a sample (checking for 'SICE'):
+ ~3 t v& C! a' i+ o8 u2 V
7 v5 h3 h+ _' G; ^/ wBOOL IsSoftIce95Loaded()
7 v: P" I& h+ g0 j: m* }5 [) T/ H( x$ d{
3 i0 l" W2 g$ z2 d* h* A HANDLE hFile; }+ ?5 r6 j3 |8 l( E0 Q
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- H8 q2 `6 }" c! `! B) s FILE_SHARE_READ | FILE_SHARE_WRITE,
# n6 I+ N# J4 l/ z NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ W3 Q4 E' [& @) z
if( hFile != INVALID_HANDLE_VALUE )% }3 a5 a6 G) @' N" m0 `& u
{/ c5 k- y; l- O, d- Y# O
CloseHandle(hFile);
7 g" _, R K7 h+ c0 F! ` return TRUE;
7 P& ^/ {1 }0 X }! w. \5 h0 V6 _4 ^. K
return FALSE;9 s* U. G! e5 A0 q3 n
}
: R" B- G2 Y' N+ u, j& o
m8 ]8 v, r1 R* L' y; I! z2 r( _Although this trick calls the CreateFileA function, don't even expect to be
( S; Z1 m5 J3 n5 n% b4 fable to intercept it by installing a IFS hook: it will not work, no way!
* K) N3 c3 F. F# u& V6 \6 Q4 w" AIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
& {9 Q( @8 P7 `; B5 W4 f: E" iservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 U- [% `4 @0 M+ z1 Q
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 _1 W1 ]# r) ifield.
" [# g% e# q* L' z8 ?! \0 S9 WIn fact, its purpose is not to load/unload VxDs but only to send a 6 T7 x* g) ~* E% X' S* T
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 \' a" C" A4 L0 G2 U% r# Yto the VxD Control_Dispatch proc (how the hell a shareware soft could try
# D5 E* d/ L" ^to load/unload a non-dynamically loadable driver such as SoftICE ;-).
# t6 r* y* B4 u: ~/ xIf the VxD is loaded, it will always clear eax and the Carry flag to allow8 i6 i x, Q- e
its handle to be opened and then, will be detected.8 M0 K0 `! m* q
You can check that simply by hooking Winice.exe control proc entry point( ^+ V+ u K3 B) `! f! _ p# ?$ z
while running MeltICE./ K6 T1 W# ~5 ]- w% f/ p
. B3 D; D5 J) a8 e# V$ W6 d$ J7 r
0 ]" [ C& O x' G* |! f& M
00401067: push 00402025 ; \\.\SICE
7 L3 n; f7 p: Q% G$ R$ G3 a5 U6 O 0040106C: call CreateFileA7 l, e' p2 |: o6 u, O) {' d) Q9 M" q$ q
00401071: cmp eax,-001/ A$ | j% h( z1 w- P* B
00401074: je 004010917 [( \! [: @: g+ N) S' U
4 [. Q" y2 w; }3 a) C
# e' ^( m# \7 OThere could be hundreds of BPX you could use to detect this trick.' N4 u' M' a: {8 L) u) h9 ?% Q
-The most classical one is:3 ]' d1 m9 M1 S: E
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||# [1 q/ \, m/ x, j6 B
*(esp->4+4)=='NTIC'$ d; ^1 `/ m! T! p) j
1 x) s3 `# U: G4 U! O- P-The most exotic ones (could be very slooooow :-(3 y, _% ~1 Z3 u* h* h
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
; U! r, N/ c; ` ;will break 3 times :-(1 V5 D% p. |& q9 N
5 w% s: f0 m6 w: J* c+ l-or (a bit) faster:
4 e2 O- s' D& q& N4 \7 ? BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
3 M5 O8 R4 g. B' k! ^1 v+ @4 U
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ; R# P: C: X. W, ?9 R# M
;will break 3 times :-(+ o" R# U3 Y- a, z+ l. _. P
; l g$ r! S( Q
-Much faster:, K" G" t% [! Z
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
8 h9 _& ]# Y9 W5 Z3 B
$ J# D$ U+ q$ ?" `0 R, ?, c* vNote also that some programs (like AZPR3.00) use de old 16-bit _lopen8 x- J9 D. I1 ?3 C+ A$ s1 G) l
function to do the same job:
& s- v! A4 F9 E; I4 ]3 Q9 z ?
, I6 @( s2 b ^$ r3 G2 O' C push 00 ; OF_READ
* k) D) L& C( ~- | n4 Y; s! L mov eax,[00656634] ; '\\.\SICE',0
- t7 y* P; J& |# n push eax: e" v' a7 }: m9 E$ H
call KERNEL32!_lopen$ g" _ i+ X U3 Y
inc eax
2 F: } ]7 o' L3 X" E jnz 00650589 ; detected
0 R2 j6 m9 ]$ u m6 ]1 @- h push 00 ; OF_READ- m( h4 R3 \% m5 o8 S/ d+ A
mov eax,[00656638] ; '\\.\SICE', R! h7 `0 g* E
push eax
7 t1 i6 z$ w% m( x# c call KERNEL32!_lopen
. b) }- O4 K7 n8 C) W+ H inc eax
* F; [$ c- \( |/ C2 W jz 006505ae ; not detected
" |2 d9 w* C0 r* n6 [% z K$ T I
2 L% N$ Y) A0 j) z
' O0 Y; e; @2 Q" z__________________________________________________________________________8 y- \( H4 _% U2 \3 I
) m6 B/ ^& H5 zMethod 12
% A4 P6 [* n3 m+ E=========
- O% B# s4 A/ ^8 ^5 n, @- ?
( b: F' x; a6 m7 E0 M; XThis trick is similar to int41h/4fh Debugger installation check (code 05
0 y# D9 R# @! O2 |' O6 h" Y& 06) but very limited because it's only available for Win95/98 (not NT)
/ e2 w1 D) H6 Y# m# Las it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 [. v% H9 Q7 C% }% _. r2 Q
0 |1 O' |5 e$ d7 V push 0000004fh ; function 4fh
1 s/ C) R+ {) P8 N; H1 J: S6 E push 002a002ah ; high word specifies which VxD (VWIN32). s4 W: p: b/ z' d
; low word specifies which service$ n. {9 @7 w; S7 p$ q6 t
(VWIN32_Int41Dispatch)
5 F9 O' z. A) H# D call Kernel32!ORD_001 ; VxdCall
9 o6 B4 G k+ [9 R7 N7 @" p cmp ax, 0f386h ; magic number returned by system debuggers
, {" \* d" k& z. a8 s8 Z jz SoftICE_detected `' z2 b4 B" u
6 J4 ^2 V" R- I. v: v
Here again, several ways to detect it:
1 m, v* i6 @' v1 G7 |4 ~1 z" ~* ]* c+ P3 X
BPINT 41 if ax==4f L: T6 ^; x3 b2 h$ ~" r
! a0 A" h4 D5 t. \/ i0 K
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one0 z) y2 I1 q! u1 }% w& g
+ a; x9 ^3 f# d
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
( s, c6 e' d* i' ?
1 n) V/ f/ A; t( o8 @ BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!* \( r, h1 j( \0 o. a+ f
0 m( [1 @2 m; S& \. y3 x! P! A, B__________________________________________________________________________6 r0 G" c# Z. w, c; Z- t- i; H
% R- v6 W2 f3 X8 J5 | N8 S: K
Method 130 _- L2 f# m7 u
=========/ ]3 W! U$ v Q. U5 N+ w c" r
( e/ q# _, D% S4 O* X% M
Not a real method of detection, but a good way to know if SoftICE is
4 B4 R. z( x* A0 f4 _0 t5 Einstalled on a computer and to locate its installation directory.7 b$ q+ I( Q6 j6 b! T$ P, B- S$ x
It is used by few softs which access the following registry keys (usually #2) :& U; k% a( A) B$ m" I
- l4 u" w: H* l; H; o: x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, ` S' F: M# o/ V, \\Uninstall\SoftICE! H, }4 ]" B5 X' f0 a
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 @3 `/ p* f! Q2 v-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion Y/ g! X% U$ j; b+ J
\App Paths\Loader32.Exe
- p- W# }6 F1 l. Z5 W& D' N( k' |5 j4 D4 u; d$ E# G9 x
4 ^" |) S8 k7 Y- W
Note that some nasty apps could then erase all files from SoftICE directory0 l7 H. o" m) w( ]5 S. N
(I faced that once :-(/ G" E6 ]2 O/ X/ h3 v8 V
- W9 U( l! W _+ nUseful breakpoint to detect it:4 i J' R: I5 s% C% b7 I
9 y3 f) x3 g. M# `: A8 l. y
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
$ H. \: C9 w/ V' F6 F( j% J3 a* G% _; `9 _
__________________________________________________________________________5 }# L: V0 l7 @' U2 G
5 V! o! w' M- X/ I
8 ^- m8 Y4 b+ I, b: f+ @5 b/ CMethod 14 p; f# y; [' p: R6 j; I: C
=========
$ ?2 Z2 B! ]; c x; u7 [# W8 O0 c6 v# s5 c0 F
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose' n, \1 e) l6 m4 X) j- I$ v& d
is to determines whether a debugger is running on your system (ring0 only).
0 c9 i0 x$ T- W- F5 C" V) T" ~" h
6 m1 n' `6 j. e5 t: \% k4 ? VMMCall Test_Debug_Installed
) u. D b* N8 B* l4 x% S3 I je not_installed
: S- m6 h% D6 T) z' `
0 e; \* j+ i1 I/ EThis service just checks a flag.! c9 Y5 `: l! t3 H0 c+ x- B3 \
</PRE></TD></TR></TBODY></TABLE> |