<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below)
    4C19:009A MOV SI,4647    ; 1st magic value
    4C19:009D MOV DI,4A4D    ; 2nd magic value
    4C19:00A0 INT 3          ; int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands
    4C19:00AA JMP 0002       ; Bad_Guy: jmp back
    4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to the interrupt vector table (segment 0),
    ; as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; temporarily replace the int 41h vector
    xchg bx, es:[41h*4+2]   ; with a dummy handler
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

    int41handler PROC
        mov cl, al          ; our own handler just copies AL into CL
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; temporarily install int41handler as int 41h
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a timer byte: an arbitrary value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL: our handler never ran, int 41h was
    jnz SoftICE_detected    ; intercepted by a system debugger

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
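To make the 0x400 / 0x700 values concrete, here is an added Python decoder of DR7 (not code from the original text): it uses the documented bit layout of the register (L0/G0..L3/G3 enable pairs in bits 0-7, LE in bit 8, GE in bit 9, a reserved bit 10 that always reads as 1, GD in bit 13, and the R/Wn and LENn fields in bits 16-31) to list the enabled hardware breakpoints and flags that a Method 10 style check would see. The register snapshots at the bottom are constructed, not captured from a machine.

```python
"""Decode the x86 debug registers the way a Method 10 check reads them.

Added example, not code from the original text. Bit layout of DR7 is the
documented one; the register values used at the bottom are constructed.
On a real machine they would come from `mov eax, dr7` in ring0, as the text says.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# R/Wn field (2 bits): which access triggers breakpoint n.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LENn field (2 bits): size of the monitored range in bytes.
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

DR7_RESERVED_BIT10 = 1 << 10   # always set: a "clean" DR7 reads as 0x400
DR7_LE = 1 << 8                # local exact breakpoint matching
DR7_GE = 1 << 9                # global exact breakpoint matching
DR7_GD = 1 << 13               # general detect: traps any access to DR0-DR7


@dataclass
class HwBreakpoint:
    index: int
    address: int
    local: bool
    global_: bool
    access: str
    length: int


def decode_dr7(dr7: int, dr_addrs: Sequence[int] = (0, 0, 0, 0)) -> Dict[str, object]:
    """Return the enabled hardware breakpoints plus the LE/GE/GD flags."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        access = RW_NAMES[(dr7 >> (16 + 4 * i)) & 0b11]
        length = LEN_BYTES[(dr7 >> (18 + 4 * i)) & 0b11]
        bps.append(HwBreakpoint(i, dr_addrs[i], local, glob, access, length))
    return {
        "breakpoints": bps,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
    }


def debug_register_findings(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> List[str]:
    """List what a Method 10 style check would conclude from DR0-DR3 and DR7."""
    addrs = (dr0, dr1, dr2, dr3)
    info = decode_dr7(dr7, addrs)
    findings: List[str] = []
    if info["le"] and info["ge"]:
        # 0x700 = LE | GE | reserved bit 10: the value the text attributes to
        # a program started through the SoftICE loader.
        findings.append("LE/GE set (dr7 & 0x300): exact breakpoint matching "
                        "enabled, the loader pattern described in the text")
    for bp in info["breakpoints"]:
        scope = "global" if bp.global_ else "local"
        findings.append(f"hardware breakpoint {bp.index} enabled ({scope}, "
                        f"{bp.access}, {bp.length} byte(s)) at {bp.address:#010x}")
    enabled = {bp.index for bp in info["breakpoints"]}
    for i, addr in enumerate(addrs):
        if addr and i not in enabled:
            # Address left behind after the enable bit was cleared.
            findings.append(f"dr{i} holds {addr:#010x} but is not enabled")
    return findings


if __name__ == "__main__":
    # Constructed register snapshots, not real captures.
    for regs in [(0, 0, 0, 0, 0x400),            # nothing set
                 (0, 0, 0, 0, 0x700),            # LE/GE: the loader pattern from the text
                 (0x401000, 0, 0, 0, 0xD0401)]:  # BPM-style write breakpoint, 4 bytes
        print(f"dr7={regs[4]:#x}:", debug_register_findings(*regs) or ["clean"])
```

0xD0401 is L0 (bit 0) plus R/W0 = 01 (write) and LEN0 = 11 (4 bytes) on top of the reserved bit, i.e. what a 4-byte write BPM on dr0 would leave behind; reading it from ring3 is not possible, which is why the text says ring0 only.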

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it's only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
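The breakpoints above catch these tricks at run time. An analyst looking at a sample on disk can find the same idioms statically, because every method from 01 to 13 leaves a fixed immediate or string behind: the 'BCHK' constant, the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, the 0F386h magic number, the 002A002Ah VxDCall service code, the SICE/SIWVID/NTICE device names and the registry paths. The following Python scanner is an added example, not code from the original text; the opcode encodings it relies on are the standard x86 ones and the sample buffer is hand-assembled from the listings in the text. It only matches the plain encodings shown on this page: code that loads the same constants through other registers or computes them at run time will not be flagged.

```python
"""Static scanner for the SoftICE-detection idioms described in Methods 01-13.

Added example, not code from the original text. It matches the immediate
operands and strings those methods use, in their plain x86 encodings.
The sample buffer at the bottom is constructed.
"""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str
    what: str


# Standard x86 encodings used below (16-bit immediates unless noted):
#   B8 iw  mov ax,iw    BB iw  mov bx,iw    BE iw  mov si,iw    BF iw  mov di,iw
#   BD id  mov ebp,id   3D iw  cmp ax,iw    B4 ib  mov ah,ib    CD ib  int ib
#   6A ib  push ib      68 id  push id      CC     int 3
# In 32-bit code a 66h operand-size prefix precedes the 16-bit forms, so the
# patterns match both 16- and 32-bit code. Gaps ('.{0,n}?') allow the few
# instructions the listings in the text put between the key ones.
SIGNATURES = [
    ("Method 01", "mov ebp,'BCHK' (4243484Bh) followed by int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02", "int 3 back door: mov si,4647h / mov di,4A4Dh / int 3",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC"),
    ("Method 03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("Method 05", "int 41h function 4Fh followed by cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,24}?\x3D\x86\xF3"),
    ("Method 07", "mov ah,43h / int 68h followed by cmp ax,0F386h",
     rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3"),
    ("Method 12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 11", "SoftICE device name (CreateFileA / _lopen argument)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 13", "SoftICE registry key",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(m, w, re.compile(p, re.DOTALL)) for m, w, p in SIGNATURES]


def scan(data: bytes) -> List[Hit]:
    """Return every signature match in `data`, ordered by offset."""
    hits = [Hit(m.start(), method, what)
            for method, what, pat in COMPILED
            for m in pat.finditer(data)]
    return sorted(hits)


# Constructed sample: NOP padding around hand-assembled copies of the text's
# listings (Methods 01, 02, 03 and 05) plus a device name and a registry path.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 04243484Bh
    + b"\x66\xB8\x04\x00"              # mov ax, 04h (66h prefix: 32-bit code)
    + b"\xCC\x3C\x04\x75\x10"          # int 3 / cmp al,4 / jnz
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17"          # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 8
    + b"\x33\xFF\x8E\xC7"              # xor di,di / mov es,di
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"               # "\\.\SICE" as a C string
    + b"\x90" * 8
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  {hit.method:<12} {hit.what}")
```

Run against a real file, `scan(open(path, "rb").read())` reports the offset of each idiom so it can be confirmed in a disassembler; a hit is a lead, not proof, since a 16-bit `mov ax,1684h` can occur for other int 2Fh callers as well.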

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>