<TABLE width=500>1 v2 ?+ ~! j. M
<TBODY>
5 \: E" v2 v+ {) { \/ j<TR>
4 I6 V, X/ F) D9 L# g6 b<TD><PRE>Method 01 + o) N8 e2 W/ X# p
=========
' y" B) ^$ f1 T
- n9 G2 f# c2 o9 H, t; T' @This method of detection of SoftICE (as well as the following one) is
3 A6 {- Z- } Z' N! c8 f4 Yused by the majority of packers/encryptors found on Internet.
5 X' L6 @6 ]. y( P1 P) T9 P: JIt seeks the signature of BoundsChecker in SoftICE& {* U( X% a, t2 r6 c
7 T5 D% A5 C, ^% Y mov ebp, 04243484Bh ; 'BCHK'
3 q' B$ q* ]2 B/ F0 a mov ax, 04h
0 A* X" w1 L% Q int 3 8 r# M! T [& Q( ?* Z
cmp al,4
* v2 p- r. N1 |( s! @% D jnz SoftICE_Detected
$ H! |9 t5 X1 [( x. o" w5 B+ d) Q* e5 l9 M+ T
___________________________________________________________________________
( o4 N7 h" v3 m( r# Y: Z& c5 N; N
- N) }5 a: p2 _* m% U6 dMethod 02! `0 t2 b) [, k! W
=========
) x- `6 G- d+ O. F
5 F% E6 D/ a' ?" H0 q$ VStill a method very much used (perhaps the most frequent one). It is used
6 s; |0 m# H. e. oto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 y2 o7 o7 G) Lor execute SoftICE commands..., ~( b5 W! R5 T3 |9 P% W. a
It is also used to crash SoftICE and to force it to execute any commands: P$ y, O- R3 B& y2 J$ O }$ S
(HBOOT...) :-((
% _% ]. ^6 x9 G7 @* h! `& M# @/ C( r" N$ C5 }3 F
Here is a quick description:* K+ F, M( `" Z+ b) `
-AX = 0910h (Display string in SIce windows)
3 w) |' M* I6 u5 n% N7 X$ o" W-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)9 x: y3 K/ O! P* V3 z4 f0 E
-AX = 0912h (Get breakpoint infos)7 _+ e/ s! a% R: m% f' V! Y" E
-AX = 0913h (Set Sice breakpoints)
7 V- y5 y) `' w. `5 q' Q2 q-AX = 0914h (Remove SIce breakoints)8 f, ~9 a9 I9 T7 X- b p
% g9 O; J/ r, f8 s# N
Each time you'll meet this trick, you'll see:8 T* Q; ~$ t7 f' Z7 G3 I
-SI = 4647h3 B8 s. M1 z. c4 m# P( y4 W
-DI = 4A4Dh! m: R1 @' t' U+ P" @1 y
Which are the 'magic values' used by SoftIce.6 M! F. I9 G9 j) Q i6 t
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
2 F9 S) Z$ V3 j5 l* G& J. i' @8 C% s3 E" Z
Here is one example from the file "Haspinst.exe" which is the dongle HASP8 C& d+ N2 W. e9 v; X
Envelope utility use to protect DOS applications:
; D/ s. f/ c3 p, y7 S4 e& P" ^" l7 v) D2 v5 l; U4 H% @! j
3 l: w$ a I- u4C19:0095 MOV AX,0911 ; execute command.6 R. c# K( X3 Z( l1 X( a3 s! I
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
) A& {4 u }3 l) J' d0 x0 r" v4C19:009A MOV SI,4647 ; 1st magic value.
! d+ z4 E0 D7 e- x2 V4C19:009D MOV DI,4A4D ; 2nd magic value.
$ U' q% [, m/ j9 P& \$ ?- u4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 G3 @$ B1 {1 X4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
6 e8 z, |, J4 m7 m0 i8 m4C19:00A4 INC CX! X4 g1 ?# W% W: \
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
3 a2 I- Q/ \" \' x# P# n4C19:00A8 JB 0095 ; 6 different commands.& H L s- T H; s- M
4C19:00AA JMP 0002 ; Bad_Guy jmp back.0 g2 x$ k ~; q3 V. J) A& f
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
& ?; i6 {8 ]2 h! U/ j, M J
4 j9 f4 w; E& z, v8 k) P# MThe program will execute 6 different SIce commands located at ds:dx, which
, F0 W- ]/ C" _0 o. ~/ _+ {are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
3 r7 |3 D0 I% N! Q% |6 O$ X/ t* r4 H0 Y
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. q# B" M6 b, W8 G$ V/ I
___________________________________________________________________________
% f. f" o3 R( _
. d/ V. l6 l' J: _3 u3 J2 V. a% O( y8 A0 {" V/ h5 U
Method 033 I; V- @! c0 i+ x
=========2 {1 K' P3 Y! h+ S+ q6 l3 L
w C% [! O# n. BLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h9 L# d0 B. E, Z' G" }
(API Get entry point)
. ^; O% E8 F' s3 t/ p " i! l7 i( q/ N5 [! g
% @. g: K' g0 v" V/ c$ C( ^8 ]8 D xor di,di
9 |: G2 M2 T2 e( R" M/ f3 e mov es,di; F. O' _0 N9 S1 A) k" ^# g
mov ax, 1684h
& I5 D0 @7 O0 y0 t: j/ j: i mov bx, 0202h ; VxD ID of winice
8 C) C; \" J) l& x7 G+ c int 2Fh
0 [- M8 t/ ~. J) B" Z mov ax, es ; ES:DI -> VxD API entry point/ ?% N$ j4 c$ u- G8 Z# W2 Y& ]
add ax, di
* d+ K) O$ p/ k0 x! L' a; b test ax,ax. m0 D' x% P. F, }
jnz SoftICE_Detected
( b8 X* {5 a( w) R4 G
7 S" B% }1 Y5 W___________________________________________________________________________0 A7 K: z M( e. V7 b
1 T; M8 p* _0 m( E9 KMethod 04, q& | b$ `. J
=========! ~) Q" I% V0 z5 O }8 m
# r& P, e' q7 U7 G% \! ^7 I1 _; qMethod identical to the preceding one except that it seeks the ID of SoftICE
3 g5 a- F* p2 Z: _9 s% Z! N: LGFX VxD.! ]7 D0 _7 @2 }( I2 ^. R) T. v' Z6 V
8 O, c# n0 V5 p+ j+ I( w- j7 ~: ]' ~# ?2 R
xor di,di" k- w7 C7 q& U9 f
mov es,di
5 f/ _6 [: I: z- q: b \6 ]1 B* s9 H9 ] mov ax, 1684h
7 s' s9 V! Q! y }# A3 L mov bx, 7a5Fh ; VxD ID of SIWVID v# N7 r9 H4 Y
int 2fh G4 r1 k0 b2 Q k0 N0 @
mov ax, es ; ES:DI -> VxD API entry point
. m2 w8 _, {+ N5 {$ h/ _+ x add ax, di4 x$ G0 U* ^' z8 z3 }8 G" M% L
test ax,ax9 W" v+ [3 E5 ]' d
jnz SoftICE_Detected6 U0 Q' Z/ G6 J6 U4 G1 n' X
) ?% f, f4 ], k$ ~) L
__________________________________________________________________________: s7 | V+ M- m+ v2 p( X% [
; ~- z3 v4 g0 A; W
F5 q2 N" Q! @5 {
Method 05
4 S& o3 H' t8 |. u: j=========
Q' f9 T* y# T. t) J
1 P7 a- `3 m/ _6 W4 \Method seeking the 'magic number' 0F386h returned (in ax) by all system0 g6 Y% {! U# b& W/ ?$ U
debugger. It calls the int 41h, function 4Fh.) }2 N' d, o$ @! }) {
There are several alternatives. " Y# E4 f j& y
/ C% L. z5 v9 o+ J9 G% m
The following one is the simplest:# b8 _+ ?' N6 \6 U* C7 S
" G/ c7 i! ^) O+ y0 n3 s
mov ax,4fh
1 S- h: I4 o. r! g2 A int 41h
* N6 ?5 L- c1 s; ~5 _% R& q cmp ax, 0F386, X q# E6 f5 g. ` E
jz SoftICE_detected
' k7 O$ d! [ j/ H0 ^8 a/ ~. p+ z& h* e8 Z( E2 ^- R6 g
, D% g( }& Z" k+ O
Next method as well as the following one are 2 examples from Stone's # x0 q5 n: z) k' q
"stn-wid.zip" (www.cracking.net):2 q) u0 l9 [( a
7 ~( d7 c" {( G7 v6 q% j8 m mov bx, cs
?6 F, d0 P, k. Q( G P lea dx, int41handler2* e, f: G, h; C0 K% X4 K" ~0 d
xchg dx, es:[41h*4]
! M9 L; R1 q, {" \0 x3 H4 u xchg bx, es:[41h*4+2]2 _3 \) R7 l- p3 ^0 I* a
mov ax,4fh
* H0 b8 T, b7 g9 v) l" K) s int 41h
) O7 C; P y) @9 y7 G xchg dx, es:[41h*4]! ~* m z7 Q: c; P( D: d1 K! |7 _
xchg bx, es:[41h*4+2]* Q1 {" ?/ E6 ^$ [ u! M& `! x
cmp ax, 0f386h% T3 j( O4 L! V: A
jz SoftICE_detected
- j) c+ D* `8 t, H+ d
1 u) U$ L, X0 Fint41handler2 PROC/ ?; D/ `' j- N0 J$ t0 w
iret. R$ ]7 h6 J3 C7 x- q! D/ H
int41handler2 ENDP
9 q3 A v a/ R( s* L d' M4 A; k2 h( B( ?
# D7 M$ _7 \% D5 _' P7 B' d
_________________________________________________________________________' R' A% {1 c( p* T0 y. e( P+ W6 |
) U x8 b, B& g5 e- a2 Q& D( D
+ P! O7 Y8 q7 ^Method 06
, {3 E0 y+ z1 {, A* O=========/ E3 b. z; h# P
/ P" X% ~/ h& n9 K. `8 K
% A5 }0 a" J8 f. ~% I
2nd method similar to the preceding one but more difficult to detect: h8 ` w: J- H3 ^' a5 v3 n
5 _- X2 k$ T0 |8 s; y
' |+ e7 l2 ~' T7 c7 U! L
int41handler PROC
$ w) }4 y3 V- ]1 F mov cl,al6 v% I; B. a' P' [! \& D7 C
iret+ F1 g4 j' r1 \1 `% i) _! p% ?
int41handler ENDP; a( z9 e( C& s0 o5 u/ B# {% d
- W, k* H. W: Y/ @
9 n' W7 t# X3 d' q8 s+ z
xor ax,ax$ K; b5 k/ |& i, `
mov es,ax& W" x! Y' Y F3 e1 ]
mov bx, cs4 z. x* Y* A$ N# V [5 _
lea dx, int41handler1 E/ w# i g5 k5 |( _+ z
xchg dx, es:[41h*4]
8 ~; I" D. }. J! d$ o3 J- P xchg bx, es:[41h*4+2]# V( w) i$ }: i1 l2 K' k/ r; I. t
in al, 40h
7 S/ g' y1 b# L xor cx,cx
8 j8 y, e: m' F1 L2 d int 41h
. w. y7 a! R% X& f1 v9 x xchg dx, es:[41h*4]
8 i, b3 a2 J+ p. P G) ?/ h xchg bx, es:[41h*4+2], W5 k7 B5 S5 V
cmp cl,al5 c. o+ v) X- |: r: Z0 C$ j5 Z) P3 o6 i
jnz SoftICE_detected
+ v F! O1 k% j: ^4 i- L
' s# b* [3 f# C8 h% s0 ]5 W1 @_________________________________________________________________________0 x, c# p% B. ^" W) }+ p
. b; i7 o9 E# K& v. M# `
Method 07
: x+ P/ \; I% e=========! v# J0 o# b7 Q( g) Q; H
- z3 ^5 {8 e/ p rMethod of detection of the WinICE handler in the int68h (V86)4 M0 |6 d6 \; M/ x% n" I1 a
- C+ f4 |, E; {( ~6 S4 ~
mov ah,43h
" y! ^7 x3 [) n2 k int 68h
* e" a0 D; M" X4 c& H* r cmp ax,0F386h. v+ C2 g$ D* _
jz SoftICE_Detected
7 z t R" i8 R6 {1 A# Z2 l! s% G, k4 @# u/ a8 j3 ]9 P7 |. _% G
* r- a! C7 a3 A8 O6 I8 \=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
' c9 ~- O% r) t/ p2 I5 a7 g, z5 d app like this:
9 g' E- O# \6 h v
4 U& P$ q0 }9 V" S BPX exec_int if ax==68
1 B/ z0 C5 u; Y4 Q5 K9 W (function called is located at byte ptr [ebp+1Dh] and client eip is8 v- X3 L9 i' O* g S7 a
located at [ebp+48h] for 32Bit apps)
- e$ f3 l2 W3 L' m/ n__________________________________________________________________________
% I: o' h, Q3 [& z6 s5 Q% ]$ M! G7 n% ^. A; j% K
, v, h# m$ @4 f( R/ Q
Method 087 c0 q1 V1 o% O, ]) Q k
=========
+ {: k9 d, O1 U8 W) Q4 \" Y
$ t, n* s" J5 `" z) W7 D- pIt is not a method of detection of SoftICE but a possibility to crash the
* }$ T/ Q8 G/ P' R$ qsystem by intercepting int 01h and int 03h and redirecting them to another
" q& q5 N. i2 Rroutine.
9 B' L2 T# S& k7 J& fIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points6 V1 i" Z! y. S. V
to the new routine to execute (hangs computer...)
& X$ ^) }8 k4 H) P. x: X& J T F2 _" {5 A/ Z2 G/ ~
mov ah, 25h
6 ^ A+ _# u9 G4 I, L$ ~ mov al, Int_Number (01h or 03h)
+ b6 @/ }( J( b! T mov dx, offset New_Int_Routine* p, C! u2 [* W* I P
int 21h
: I! p- d: T9 r0 t. |
' `5 ?2 z) Q% x4 ^: `+ Z__________________________________________________________________________
% \; t# K+ }( v( E* ]. Q! {4 ^# |& \% ]! s
Method 09* n K; a7 `* X' W5 }6 j: T7 u; a
=========/ Y3 S) {+ i2 P1 {* u3 O
5 ]: z0 L- P7 v, M$ B9 P4 k' @
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only: Y7 T' k' Z" c, S# M8 ^6 @
performed in ring0 (VxD or a ring3 app using the VxdCall).
& o X# T( ?9 k: j+ w$ R) F8 ]. JThe Get_DDB service is used to determine whether or not a VxD is installed5 G; _' k3 H2 v+ j
for the specified device and returns a Device Description Block (in ecx) for% v+ N- J; `) G) e9 j/ V% ^$ d! L7 I$ o
that device if it is installed.
( O9 O7 y! _+ E$ U7 `# k4 a
0 ~# [5 C0 _5 O3 D mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
4 t6 w. [2 y7 u% ?& ~ mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
3 N/ z" W% o( k! B, p0 _, ] VMMCall Get_DDB3 d! O5 N }; K3 c$ ~3 o1 U+ v
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
5 }: }8 n! e2 t: i1 d" a0 K" f) h, C* N: C6 j/ W+ k* ~
Note as well that you can easily detect this method with SoftICE:
7 s8 t8 \6 o. b" U/ r9 m( k bpx Get_DDB if ax==0202 || ax==7a5fh
+ w) @2 Y' i9 q2 t! e0 p+ A
4 F: V3 ^% ~8 l: [__________________________________________________________________________( G m) {# n* h$ ]! ~
/ I& e0 H7 p) a! x7 ]5 P/ e1 g
Method 10% T) B ~3 R' B3 R
=========
/ I9 ]- C4 y) I& K8 B$ \$ B3 |# [. l; O0 ?6 F
=>Disable or clear breakpoints before using this feature. DO NOT trace with
6 S2 l. E2 |( K8 `8 O) a SoftICE while the option is enable!!
% {2 [: S5 R, d( \
2 Z. [+ X( G1 O& p i {$ yThis trick is very efficient:/ C/ ?; a8 Y6 \2 r2 p1 ^
by checking the Debug Registers, you can detect if SoftICE is loaded# \. F1 f7 J3 [4 X8 p8 ]+ p
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if0 \& O$ K! B: B3 Q( o& k7 _
there are some memory breakpoints set (dr0 to dr3) simply by reading their. C2 u7 a- \- _+ z8 o" C0 y
value (in ring0 only). Values can be manipulated and or changed as well- q$ \% W( B8 v& @& E0 Z- ]: x
(clearing BPMs for instance). {2 x# ]+ g) [+ n: s3 h
3 y. o8 z2 t* l, {4 G$ Q2 A
__________________________________________________________________________1 r' P( b. Y- I3 ~, \4 u
5 O/ B" Z# I1 h: d5 D7 r
Method 114 L) l, a% B; m6 u0 \
=========* f5 m8 h) X( ]
- G* O, ] n, \2 F D9 x8 y
This method is most known as 'MeltICE' because it has been freely distributed
h# _+ ]6 D4 Z$ D) J* j5 Lvia www.winfiles.com. However it was first used by NuMega people to allow# K+ e1 g8 @% f, P, J: x' Z2 P
Symbol Loader to check if SoftICE was active or not (the code is located5 m6 O1 W0 t' M' V& O% @
inside nmtrans.dll)., R' F0 A X( L) D4 O% |
) q' Q: w) j; X7 N' I% T* ?4 i
The way it works is very simple:
8 v7 ^3 R2 S/ ?It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
* ]) w1 O C3 @$ ]0 \& CWinNT) with the CreateFileA API.
8 Z0 B) T% L, v" j/ g; K2 S# a
& i' Q8 B- v7 S0 QHere is a sample (checking for 'SICE'):$ h# y: P' z8 c
- d: a1 |6 d7 K5 M% xBOOL IsSoftIce95Loaded()
d; U8 Z0 Z% D7 c{
! T& }) p- k( d- l HANDLE hFile; 8 h6 ^4 _$ u/ d' _0 C" U: u/ X
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
6 T `- ~$ M5 [5 k FILE_SHARE_READ | FILE_SHARE_WRITE,
' g$ M9 Z$ j. W4 X+ _2 H NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 L) s' B, {& i1 f7 C
if( hFile != INVALID_HANDLE_VALUE )( v# Q6 P/ H/ \. Z
{* I3 b5 X" Y: k2 ]
CloseHandle(hFile);
- m ?; k3 q6 Y. q8 C. j return TRUE;- Y: o) @: q9 D0 C$ ^2 O) a
}) }. U; T7 l$ b! ]; N
return FALSE;
4 ]: f: o' m D}( \' ]3 P, V( l0 A/ J* O" s
1 ~& N: `- E1 p0 j3 Y
Although this trick calls the CreateFileA function, don't even expect to be
$ g7 G3 @$ ~" ?8 Yable to intercept it by installing a IFS hook: it will not work, no way!
$ y* K6 |7 L; D1 V! @5 p7 K: ]In fact, after the call to CreateFileA it will get through VWIN32 0x001F! P, {. ^) X2 F$ F1 c; J
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 i# g, a! u" X' C
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 p' y5 t7 N4 u6 _field.
C( ?6 I7 a2 S% W" a4 FIn fact, its purpose is not to load/unload VxDs but only to send a + T- M0 x; e8 v3 K# G, C' x
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 W; G4 i3 d0 i& f+ q0 l7 bto the VxD Control_Dispatch proc (how the hell a shareware soft could try( ^, ~# ^$ I+ e+ P, U
to load/unload a non-dynamically loadable driver such as SoftICE ;-).) W+ j% Q, d1 e6 ^7 T8 G4 i
If the VxD is loaded, it will always clear eax and the Carry flag to allow- _3 X# z6 w7 w0 i7 B' M
its handle to be opened and then, will be detected.! Y+ N3 ], t" ^& a; d
You can check that simply by hooking Winice.exe control proc entry point9 ^0 N [/ f( K8 z
while running MeltICE.& _0 k4 V5 m9 U9 v- K% s, Y& U
* g( Z% N$ |! D, t$ Y
$ E) C5 Y( D& s' k- q* s
00401067: push 00402025 ; \\.\SICE
- ^% c c0 F1 f) w' g: b7 d0 P 0040106C: call CreateFileA
: j# G9 d1 F5 P b# Y 00401071: cmp eax,-001
$ Z" b F$ s; p& x9 a, t 00401074: je 004010913 `) c# P1 b# [& s: [ \' }
- E5 [( Q% a1 R. p4 W" D; _% r: g# Z! r/ |# Y v
There could be hundreds of BPX you could use to detect this trick.
8 r2 @7 }, u) ^0 A/ u7 a; P# l-The most classical one is:
3 m0 Z1 J! P# o, ? BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||. t: K0 g. ]2 ~
*(esp->4+4)=='NTIC'
0 g# a2 s# z2 H( }- T8 e
0 `1 Y. s2 A* b) M- {) w9 ^-The most exotic ones (could be very slooooow :-(0 o/ ?( Z& c0 b' X
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
/ U, G* j) c( o ;will break 3 times :-(
2 Q( k8 P) a5 }
* _8 g% }! [5 p. E" s-or (a bit) faster: / W2 N" r2 d6 L0 w3 x
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
7 t! {0 \& I( O" L3 P, n& B
6 u, w' S+ u3 Y, Z: V. B BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
* _. }* V+ i( ~0 q4 L ;will break 3 times :-(8 e) H c0 p" Q' w0 y$ Z- y% b" a
1 }9 q3 N9 L/ [' \-Much faster:
. [5 Y0 I: d7 |8 \2 M BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
) V) }7 F) T# h2 A2 F: Y5 V+ L' B3 [ X& F. S6 H
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
+ u- h: r7 P2 y; N8 |. Cfunction to do the same job:% n! W. O" f) i' k
" y' V7 Y; k+ D3 r1 i# @; i
push 00 ; OF_READ& l/ t/ i$ e1 d# Q( V0 ]0 {
mov eax,[00656634] ; '\\.\SICE',05 g/ N1 F/ \+ C7 {# a) L) `
push eax
2 ]* Y: R! R) E call KERNEL32!_lopen
, K9 d! |9 n2 ~7 u+ c( D inc eax. @( I/ p; i6 @7 X( x
jnz 00650589 ; detected1 r5 {/ \8 t% k' D
push 00 ; OF_READ
/ t: J! u# p" q" R! F$ | Q8 d* q mov eax,[00656638] ; '\\.\SICE'
0 P1 K: U" [' X y push eax
; u" v. r# ]5 m' R call KERNEL32!_lopen
" w5 {1 {) }3 D6 ^7 p) x" ^0 N inc eax
6 e# V2 H% L2 `4 k2 N jz 006505ae ; not detected7 A7 Y% p b1 P+ I1 S7 D/ C
. D8 a: n, r* s* `8 u* d/ @2 \! w9 k4 x/ u: Y% u, F6 [
__________________________________________________________________________
/ Z3 @) C9 ]" O+ `( `6 M' u
0 U+ W) k/ T) J& J; ~. r. a/ JMethod 12
" u: `8 z+ r6 _0 j4 X: F=========
# X+ P# X4 `& H7 k
# _0 q3 }2 ~5 @& vThis trick is similar to int41h/4fh Debugger installation check (code 05, \- H* L7 A4 \$ G; n
& 06) but very limited because it's only available for Win95/98 (not NT)
# [3 v3 x0 b0 Aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# V0 P: [) B3 z# [7 |/ C) \ R6 P4 v
push 0000004fh ; function 4fh
! s1 l; c5 F+ R( Q: a, A) n push 002a002ah ; high word specifies which VxD (VWIN32)
2 g( }, C" _6 w8 A1 b* |3 _ ; low word specifies which service
9 d) Z+ Z4 q3 x3 J0 ]% U (VWIN32_Int41Dispatch). q! Q8 p+ \; y7 z8 ] M+ ?6 R( J
call Kernel32!ORD_001 ; VxdCall3 O5 R/ h, {: n' c% B
cmp ax, 0f386h ; magic number returned by system debuggers
+ e5 G7 ~4 h, _ jz SoftICE_detected
3 _: ^5 }8 V9 Y! |: O5 P0 L2 S2 Q4 Z5 O
Here again, several ways to detect it:
1 h! I, G _! P0 m U( m; r/ n
+ e: Y/ f( V/ D2 \ BPINT 41 if ax==4f, L3 B9 O) s" X# k* n8 W) l
. \) Y; c% m% z# j$ K5 y+ V. v
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
, k' ]; B5 _9 x# V* c! q+ x$ k7 _' w+ e3 n" t8 T
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
[6 c7 Q' F5 X; @1 {& E L& X% L; t L
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
% w8 J# @3 i& j; l
' B' L8 ~6 K4 B' l6 \. J__________________________________________________________________________
) Z9 p* l9 ^" B: M. c- i! M. \0 C6 C
Method 13
0 a. w6 A: z% L8 I3 U' n! v=========
+ ~6 r( J9 X- {2 y" t5 q
2 v' Y+ \ J0 L/ d% sNot a real method of detection, but a good way to know if SoftICE is
; ]9 h% G* `# t; R5 cinstalled on a computer and to locate its installation directory.
* |: j# y. ]7 e. s2 G3 `- W' O5 EIt is used by few softs which access the following registry keys (usually #2) :
4 U" y- g8 Q o% f/ d
0 N+ A, ^+ h m' R/ b-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 @4 S# R+ \. C8 }$ t% v' b! e\Uninstall\SoftICE. V, ]8 Y( F8 e; K
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE7 e# B- Z) G" K" o% r$ w+ L8 O1 ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion d1 k7 U3 @2 U P
\App Paths\Loader32.Exe F0 G! C6 n; a: k7 c4 F. Z+ X9 G
& { \; C) S* r
: x- h+ ^5 ~) D
Note that some nasty apps could then erase all files from SoftICE directory
7 k/ \1 m) A* _6 ^4 K* _(I faced that once :-(
7 c# ~/ T5 |/ M/ e9 f5 n/ b# L" _' y0 B( u% p! V' U2 C
Useful breakpoint to detect it:7 h7 m: K" n J: [9 X3 L
, j% ` Y* e; X& B; f E- y
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
$ R* r a+ O2 D! F4 j/ A
/ l6 U6 r% K4 H. t7 k__________________________________________________________________________
4 J9 z+ j5 ^2 s" \' i6 C# o- ^$ d+ \8 Q }) R/ u* D- V3 T
# y' J; q! \% G; f) G; jMethod 14
. N3 r/ M5 {% m3 ?8 k" J- N% f=========
* g6 o7 H- q7 J% {. X! G0 u
# H! N# T6 y2 S/ n; e- vA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
( Z( ^1 {% S' w, U0 ?is to determines whether a debugger is running on your system (ring0 only)., C7 _, O$ T, ^" b: Q* A
6 J* r% a3 \: b: s$ f1 A
VMMCall Test_Debug_Installed% I2 F4 E& {+ {) W8 ?; g3 ^
je not_installed0 ?% W3 s1 F' I; e8 m
% E# |1 V# b' T$ j5 ?- Q g/ UThis service just checks a flag.
, K5 g; B2 t5 a$ o) g4 _+ o i9 b</PRE></TD></TR></TBODY></TABLE> |