<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AH=4, SoftICE's int 3 handler answers the request, so AL no longer equals 4
on return when the debugger is present.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before it honours the request.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(the "Get Device API Entry Point" call). If the VxD is not loaded, ES:DI
comes back unchanged as 0:0, so a non-zero result means SoftICE is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger
installation check). There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is first
replaced by a dummy handler, so AX can only come back as 0F386h if something
underneath (SoftICE) intercepts the interrupt before the IVT entry is used:

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table (added here for
                            ; completeness, as in Method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our handler, keep the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect. The dummy
handler copies AL into CL, and a byte read from the timer port (40h) is used
as AL. If the int 41h really reaches our handler, CL ends up equal to AL; if
SoftICE swallows the interrupt, CL stays 0 and the comparison fails. (If the
byte read happens to be 0 the check passes anyway, so the trick is not
100% reliable.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h (set interrupt vector) and 35h (get
interrupt vector); DS:DX points to the new routine to execute (which hangs
the computer...)

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(DR0 to DR3), simply by reading their values (ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).

; ?/ ]) f. z0 @! P" Y- V5 \; w1 E__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However, it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE Win9x driver answers the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with the zero flag set when no debugger
is installed.

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
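
As an added example (not part of the original text, and not taken from any
real tool): a small static scanner in C that looks for the idioms catalogued
in methods 01 to 13 inside a raw binary image, the way a packer-identifier
plug-in would. The byte patterns are the standard x86 encodings of the
instructions quoted above; they are written without the 66h operand-size
prefix, so the same pattern matches both the 16-bit and the 32-bit form of
each instruction. The sample buffer is constructed for the example.

```c
/* Static scanner for the SoftICE detection idioms catalogued above.
 * Added example; not from the original text or from any real tool. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;   /* which method of the text the pattern belongs to */
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Code patterns (x86 encodings; a 66h prefix may precede them in the other mode). */
static const uint8_t SIG_BCHK[]       = {0xBD, 0x4B, 0x48, 0x43, 0x42};             /* mov ebp,'BCHK'            */
static const uint8_t SIG_MAGIC_SI[]   = {0xBE, 0x47, 0x46};                         /* mov si,4647h              */
static const uint8_t SIG_MAGIC_DI[]   = {0xBF, 0x4D, 0x4A};                         /* mov di,4A4Dh              */
static const uint8_t SIG_VXD_SICE[]   = {0xBB, 0x02, 0x02, 0xCD, 0x2F};             /* mov bx,0202h ; int 2Fh    */
static const uint8_t SIG_VXD_SIWVID[] = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};             /* mov bx,7A5Fh ; int 2Fh    */
static const uint8_t SIG_INT41_4F[]   = {0xB8, 0x4F, 0x00, 0xCD, 0x41};             /* mov ax,4Fh ; int 41h      */
static const uint8_t SIG_INT68_43[]   = {0xB4, 0x43, 0xCD, 0x68};                   /* mov ah,43h ; int 68h      */
static const uint8_t SIG_CMP_F386[]   = {0x3D, 0x86, 0xF3};                         /* cmp ax,0F386h             */
static const uint8_t SIG_VXDCALL_41[] = {0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00}; /* push 4Fh ; push 002A002Ah */
/* String patterns (MeltICE device names and the NuMega registry key). */
static const uint8_t SIG_DEV_SICE[]   = "\\\\.\\SICE";
static const uint8_t SIG_DEV_SIWVID[] = "\\\\.\\SIWVID";
static const uint8_t SIG_DEV_NTICE[]  = "\\\\.\\NTICE";
static const uint8_t SIG_REG_NUMEGA[] = "Software\\NuMega\\SoftICE";

#define CODE(n, a) { n, a, sizeof(a) }
#define TEXT(n, a) { n, a, sizeof(a) - 1 }   /* drop the terminating NUL */

static const sig_t SIGS[] = {
    CODE("Method 01: BCHK signature",                         SIG_BCHK),
    CODE("Method 02: back door magic SI=4647h",               SIG_MAGIC_SI),
    CODE("Method 02: back door magic DI=4A4Dh",               SIG_MAGIC_DI),
    CODE("Method 03: int 2Fh/1684h, VxD ID 0202h",            SIG_VXD_SICE),
    CODE("Method 04: int 2Fh/1684h, VxD ID 7A5Fh",            SIG_VXD_SIWVID),
    CODE("Method 05: int 41h function 4Fh",                   SIG_INT41_4F),
    CODE("Method 07: int 68h function 43h",                   SIG_INT68_43),
    CODE("Method 05/07/12: compare with 0F386h",              SIG_CMP_F386),
    CODE("Method 12: VxDCall VWIN32_Int41Dispatch",           SIG_VXDCALL_41),
    TEXT("Method 11: device name \\\\.\\SICE",                SIG_DEV_SICE),
    TEXT("Method 11: device name \\\\.\\SIWVID",              SIG_DEV_SIWVID),
    TEXT("Method 11: device name \\\\.\\NTICE",               SIG_DEV_NTICE),
    TEXT("Method 13: registry key Software\\NuMega\\SoftICE", SIG_REG_NUMEGA),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

/* Offset of the first occurrence of s in buf, or -1 if absent. */
long find_sig(const uint8_t *buf, size_t len, const sig_t *s)
{
    for (size_t i = 0; s->len > 0 && i + s->len <= len; i++)
        if (memcmp(buf + i, s->bytes, s->len) == 0)
            return (long)i;
    return -1;
}

/* Scan buf for every signature; return the number of distinct ones found. */
int scan_softice_tricks(const uint8_t *buf, size_t len, int verbose)
{
    int hits = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_sig(buf, len, &SIGS[k]);
        if (off < 0) continue;
        hits++;
        if (verbose) printf("%08lx  %s\n", off, SIGS[k].name);
    }
    return hits;
}

/* Constructed sample (not from any real binary): 32-bit code that uses
 * Method 01 and Method 12, followed by the MeltICE device name. */
const uint8_t SAMPLE[] = {
    0x90, 0x90,                         /* nop ; nop                      */
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp, 4243484Bh ('BCHK')    */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax, 4                      */
    0xCC,                               /* int 3                          */
    0x3C, 0x04,                         /* cmp al, 4                      */
    0x75, 0x10,                         /* jnz SoftICE_Detected           */
    0x6A, 0x4F,                         /* push 4Fh                       */
    0x68, 0x2A, 0x00, 0x2A, 0x00,       /* push 002A002Ah                 */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* call VxDCall (rel32 left zero) */
    0x66, 0x3D, 0x86, 0xF3,             /* cmp ax, 0F386h                 */
    0x74, 0x00,                         /* jz SoftICE_detected            */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};
const size_t SAMPLE_LEN = sizeof(SAMPLE);

int main(void)
{
    int n = scan_softice_tricks(SAMPLE, SAMPLE_LEN, 1);
    printf("%d SoftICE detection idiom(s) found\n", n);
    return n ? 1 : 0;   /* non-zero exit = anti-debug code present */
}
```

Run against the sample, the scanner reports the BCHK immediate, the VxDCall
to VWIN32_Int41Dispatch, the 0F386h compare and the \\.\SICE device name.
A 3-byte pattern such as the 0F386h compare will also fire on ordinary data
now and then, so treat it as corroborating evidence next to the longer
matches rather than as proof on its own; a real scanner would additionally
accept the instruction forms with a register other than AX or BX, which
this one deliberately does not.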
</PRE></TD></TR></TBODY></TABLE> |