<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911  ; execute command.
 4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647  ; 1st magic value.
 4C19:009D MOV DI,4A4D  ; 2nd magic value.
 4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
 4C19:00A8 JB 0095      ; 6 different commands.
 4C19:00AA JMP 0002     ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
 ; assumes es = 0 so that es:[41h*4] addresses the IVT entry (see Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; install our own int 41h handler, saving the old one in dx:bx...
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; ...and restore the original one
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax              ; es = 0 -> IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read a byte from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]    ; restore the original handler
 xchg bx, es:[41h*4+2]
 cmp cl,al              ; cl == al only if our handler actually ran
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

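As an added example (not part of the original text), here is a small Python scanner that looks for the byte patterns of methods 01, 02, 03/04, 05, 07, 11 and 12 in a binary, so an analyst can flag anti-SoftICE checks in a packed file before tracing it. Only the immediates and device names come from the text above; the opcode encodings and the constructed sample buffer are assumptions.

```python
import re

# Byte patterns for the SoftICE checks listed on this page, as they appear in a
# compiled binary.  The immediates (BCHK, 4647h/4A4Dh, 1684h, 4Fh, the driver
# names, 2A002Ah) come from the page; the opcode encodings are assumed from the
# x86 instruction set, with an optional 66h operand-size prefix where a 16-bit
# register is used inside 32-bit code.  Instruction order follows the page's
# listings; reordered variants would need additional patterns.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK + int 3": rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh (int 3 back door magic values)
    "02 int 3 back door SI/DI magic": rb"\x66?\xbe\x47\x46.{0,8}\x66?\xbf\x4d\x4a",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2F/1684 VxD ID": rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41/4F debugger check": rb"\x66?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68/43 WinICE handler": rb"\xb4\x43\xcd\x68",
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    "11 MeltICE driver name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before VxDCall (VWIN32_Int41Dispatch)
    "12 VxDCall Int41Dispatch": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
}
PATTERNS = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, rx in PATTERNS.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a packed executable) with the same patterns."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample (not a real binary): NOP filler with three of the page's
# checks embedded at known offsets 16, 32 and 48.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"   # method 01
    + b"\x90" * 6
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # method 05 (+ cmp ax,0F386h)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                            # method 11 device name
    + b"\x90" * 16
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  method {name}")
```

Because the page's own detection breakpoints (BPX CreateFileA, BPINT 41, ...) only fire once the check runs, a static pass like this tells you which ones to set before you load the target.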
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
; m3 u2 C, q. A
, o0 z7 X$ q$ _6 [( q. [5 [$ o
! Q& b; W$ f6 m- \& \$ d gMethod 14 : G( I9 A. B$ F& W5 H4 G l" x
=========4 Z( L9 L9 F1 M i% }
g/ u# S& V( m4 i( xA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ u% t) M8 Q: \
is to determines whether a debugger is running on your system (ring0 only).
2 Q/ d) d! ~5 k! v! N, ~/ u- X- ^0 X
VMMCall Test_Debug_Installed+ ]! E+ |% h2 K8 _: \
je not_installed
# M$ n6 W7 [) a% }( |6 H$ W+ h8 C( i7 C" |6 T
This service just checks a flag.3 ?7 H: g4 M* Q( k9 m: z
</PRE></TD></TR></TBODY></TABLE> |