<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax             ; ES:DI == 0000:0000 means the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es is assumed to point to segment 0 (the interrupt vector table) here
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h                 ; ...so only a debugger sitting below the IVT
        xchg dx, es:[41h*4]     ; can change ax
        xchg bx, es:[41h*4+2]   ; restore the original vector
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler just copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; an unpredictable value (timer)
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al: our handler was never reached
        jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025      ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
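As an added, analyst-side example (not part of the original text): a Python scanner that looks for the byte-level indicators of the tricks above in a constructed sample, covering methods 01 (the 'BCHK' immediate), 02 (the 4647h/4A4Dh magic values), 03/04 (int 2Fh/1684h with the VxD IDs), 05/07/12 (the 0F386h compare and the 002A002Ah VxDCall argument), 11 (the MeltICE device names) and 13 (the NuMega registry key). The x86 opcode encodings used as patterns and the 16-byte co-location window are this example's own assumptions, not something the text states.

```python
import re
from typing import Dict, List, Union

Pattern = Union[bytes, re.Pattern]

# Indicators for the tricks described above. Opcode encodings are the standard
# x86 forms (mov r16,imm16 = B8+r iw; cmp ax,imm16 = 3D iw); the co-location
# window is a heuristic of this example. Each entry: (patterns that must all
# occur, max distance in bytes between them, or None for "anywhere").
SIGNATURES: Dict[str, tuple] = {
    "01 int3 'BCHK' (mov ebp,4243484Bh)": ([b"\x4b\x48\x43\x42"], None),
    "02 int3 backdoor (mov si,4647h / mov di,4A4Dh)": ([b"\xbe\x47\x46", b"\xbf\x4d\x4a"], 16),
    "03 int2F/1684h, VxD ID 0202h (SICE)": ([b"\xb8\x84\x16", b"\xbb\x02\x02"], 16),
    "04 int2F/1684h, VxD ID 7A5Fh (SIWVID)": ([b"\xb8\x84\x16", b"\xbb\x5f\x7a"], 16),
    "05/07/12 cmp ax,0F386h": ([b"\x3d\x86\xf3"], None),
    "11 MeltICE device name": ([re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")], None),
    "12 VxDCall VWIN32_Int41Dispatch (002A002Ah)": ([b"\x2a\x00\x2a\x00"], None),
    "13 registry key Software\\NuMega\\SoftICE": ([b"Software\\NuMega\\SoftICE"], None),
}


def _offsets(pat: Pattern, data: bytes) -> List[int]:
    """All start offsets of a literal byte string or a compiled regex."""
    if isinstance(pat, bytes):
        pat = re.compile(re.escape(pat))
    return [m.start() for m in pat.finditer(data)]


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each matched method label to the offsets of its first pattern."""
    hits: Dict[str, List[int]] = {}
    for label, (patterns, window) in SIGNATURES.items():
        found = [_offsets(p, data) for p in patterns]
        if any(not f for f in found):
            continue                      # a required pattern is absent
        if window is None:
            hits[label] = found[0]
            continue
        # Keep only anchors that have every other pattern within `window` bytes.
        anchors = [a for a in found[0]
                   if all(any(abs(b - a) <= window for b in f) for f in found[1:])]
        if anchors:
            hits[label] = anchors
    return hits


# Constructed sample (not a real binary): code fragments plus the two strings.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # mov ebp,4243484Bh; mov ax,4; int 3
    + b"\x90" * 4
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"  # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # MeltICE device names (method 11)
    + b"Software\\NuMega\\SoftICE\x00"              # registry key (method 13)
)

if __name__ == "__main__":
    for label, offs in scan(SAMPLE).items():
        print(f"{label:48s} at {[hex(o) for o in offs]}")
```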

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>