<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

If nothing intercepts int 41h, the call reaches the program's own handler,
which copies al into cl, so the two are equal afterwards; if a debugger
answers int 41h itself, the copy never happens and cl (zeroed beforehand)
differs from al.

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number              ; (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

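The two DR7 values quoted above only make sense once the register's bit layout is known. The following decoder is an added example (not code from the original text, which contains no DR7 parsing): it splits an x86 DR7 value into its fields following the Intel SDM layout, so that 0x400 reads as "only the always-set reserved bit 10" and 0x700 as "reserved bit plus the LE/GE exact-breakpoint enables", and it lists which of DR0-DR3 are armed, with what condition and length. All sample values are constructed; reading DR7 for real requires ring0, as the text says, so the decoder works on integers handed to it.

```python
"""Decoder for DR7 values such as the 0x700 / 0x400 quoted in Method 10.

Added example. DR7 layout (Intel SDM, Debug Registers):
  bit 2n   L<n>  local enable for DRn         bit 8  LE  local exact
  bit 2n+1 G<n>  global enable for DRn        bit 9  GE  global exact
  bit 10   reserved, always reads as 1        bit 13 GD  general detect
  bits 16+4n..17+4n  R/W<n>  break condition for DRn
  bits 18+4n..19+4n  LEN<n>  size of the watched range for DRn
"""

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its named fields and the armed breakpoints."""
    armed = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue  # DRn is not enabled, its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"index": n, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": armed,
    }


def classify(dr7: int) -> str:
    """Map a DR7 reading onto the situations Method 10 describes."""
    fields = decode_dr7(dr7)
    if fields["breakpoints"]:
        names = ",".join(f"DR{bp['index']}" for bp in fields["breakpoints"])
        return f"hardware breakpoints armed: {names}"
    if fields["le"] and fields["ge"]:
        return "LE/GE set (the 0x700 reading the text attributes to the SoftICE loader)"
    return "baseline (no breakpoints armed, LE/GE clear)"


if __name__ == "__main__":
    # Constructed sample values: the two from the text plus one with DR0 armed
    # as a 4-byte read/write watchpoint (L0=1, RW0=11b, LEN0=11b).
    for value in (0x400, 0x700, 0xF0401):
        print(f"DR7={value:#x}: {classify(value)}")
        print("   ", decode_dr7(value))
```

classify() reports what the text calls "memory breakpoints set" first, since an armed DRn is a stronger signal than the LE/GE bits; a program that clears DR0-DR3 (the "clearing BPMs" the text mentions) would silently drop those entries from the decoded list.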
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

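The breakpoints listed under each method catch these tricks at run time, once SoftICE is already loaded. An analyst triaging a packed sample usually wants to know beforehand which of them it carries, so here is a static scanner as an added example (not code from the original text or from any of the tools it names). It encodes the instruction sequences quoted in Methods 01-07 and 12 as the bytes they assemble to (x86 immediates are stored little-endian, so mov si,4647h becomes BE 47 46), plus the device-name strings of Method 11 and the registry path of Method 13, and reports every offset at which one occurs. The buffer it scans at the bottom is constructed here from those idioms and filler; it is not taken from any real binary.

```python
"""Static triage scanner for the anti-SoftICE idioms catalogued on this page.

Added example. Opcodes used below: B8/BB/BE/BF = mov ax/bx/si/di,imm16;
BD = mov ebp,imm32; B4 = mov ah,imm8; 8B 17 = mov dx,[bx]; CD xx = int xx;
CC = int 3; 3D = cmp (e)ax,imm; 68 = push imm32.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # which method on the page the pattern comes from
    pattern: bytes  # raw bytes as they sit in the binary


SIGNATURES = (
    Signature("Method 01: BoundsChecker 'BCHK' check (mov ebp,4243484Bh)",
              bytes.fromhex("BD 4B 48 43 42")),
    Signature("Method 02: back door magic (mov si,4647h; mov di,4A4Dh)",
              bytes.fromhex("BE 47 46 BF 4D 4A")),
    Signature("Method 03: int 2Fh/1684h, SICE VxD id (mov bx,0202h; int 2Fh)",
              bytes.fromhex("BB 02 02 CD 2F")),
    Signature("Method 04: int 2Fh/1684h, SIWVID VxD id (mov bx,7A5Fh; int 2Fh)",
              bytes.fromhex("BB 5F 7A CD 2F")),
    Signature("Method 05: int 41h function 4Fh (mov ax,4Fh; int 41h)",
              bytes.fromhex("B8 4F 00 CD 41")),
    Signature("Method 05/07/12: compare with magic 0F386h (cmp ax,0F386h)",
              bytes.fromhex("3D 86 F3")),
    Signature("Method 07: int 68h function 43h (mov ah,43h; int 68h)",
              bytes.fromhex("B4 43 CD 68")),
    Signature("Method 11: MeltICE device name \\\\.\\SICE", rb"\\.\SICE"),
    Signature("Method 11: MeltICE device name \\\\.\\SIWVID", rb"\\.\SIWVID"),
    Signature("Method 11: MeltICE device name \\\\.\\NTICE", rb"\\.\NTICE"),
    Signature("Method 12: VxDCall VWIN32_Int41Dispatch (push 2A002Ah)",
              bytes.fromhex("68 2A 00 2A 00")),
    Signature("Method 13: SoftICE registry key", rb"Software\NuMega\SoftICE"),
)


def scan(buf: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every occurrence, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        start = 0
        while (pos := buf.find(sig.pattern, start)) >= 0:
            hits.append((pos, sig.name))
            start = pos + 1  # keep going: a packer may repeat the idiom
    return sorted(hits)


def magic_ascii(value: int, width: int) -> str:
    """Spell a magic immediate as ASCII, high byte first: why the comment on
    mov ebp,4243484Bh reads 'BCHK' and why 4647h/4A4Dh are SoftICE's 'FG'/'JM'."""
    return value.to_bytes(width, "big").decode("ascii")


def build_sample() -> bytes:
    """Constructed buffer: NOP filler around a few of the idioms above."""
    filler = b"\x90" * 16
    # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3  (Method 02)
    method02 = bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")
    meltice = b"\x00" + rb"\\.\SICE" + b"\x00"                   # Method 11
    method05 = bytes.fromhex("B8 4F 00 CD 41 3D 86 F3")           # Method 05
    registry = rb"Software\NuMega\SoftICE" + b"\x00"              # Method 13
    return (filler + method02 + filler + meltice + filler + method05
            + filler + registry)


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
    print("4243484Bh spells", magic_ascii(0x4243484B, 4))
```

The patterns are deliberately narrow: a packer that loads the same immediates through a different instruction form, or builds the device-name string at run time, will not match, so an empty result is a weak negative while a hit is worth a closer look at that offset. The "cmp ax,0F386h" pattern matches in both 16-bit and 32-bit code because the 66h operand-size prefix sits in front of the bytes searched for.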
___________________________________________________________________________
9 ^% i! i" T" k) r# b3 d `3 B& R" u! f y- Q. q
Method 14 2 `3 J4 ^) F$ @/ w9 |2 I' g$ M
=========
5 O1 u+ i& e9 p& u8 v5 U2 }. V" {* O" F$ ^! m
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 n8 |6 m6 R8 p) K' G D4 _ @2 C0 U; A# q
is to determines whether a debugger is running on your system (ring0 only)., J- ? Y2 {6 x; ~/ r
& F$ o3 i8 l$ L' b7 z& C1 d7 U% m F, S VMMCall Test_Debug_Installed, B* S5 Y2 G7 C7 x
je not_installed( q8 N) M$ ?2 A+ O. I
5 h4 o. ]. y8 P3 y9 sThis service just checks a flag.
/ i; `5 ~" s" u) Y9 c% _% O% o, z</PRE></TD></TR></TBODY></TABLE> |