<TABLE width=500>
! P9 e8 M- Z/ A<TBODY>
6 ~# M/ p9 a# p m/ l<TR>8 p/ p* m0 L: ]8 U7 e( N
<TD><PRE>Method 01
2 j( E; t4 \1 L# `( V8 ^# U=========
" e- H `; G0 P, _% D! [) j6 _" c, K6 g' n
This method of detection of SoftICE (as well as the following one) is
9 k( N3 D3 D7 E7 t4 mused by the majority of packers/encryptors found on Internet.
1 q7 o T- b }! VIt seeks the signature of BoundsChecker in SoftICE
# B1 L l! D* t/ K1 h; k
5 p7 S/ C& }% {- H1 S% b1 j mov ebp, 04243484Bh ; 'BCHK'7 Q, ]6 }7 C' p M# w6 z6 I4 G! z
mov ax, 04h
2 p7 a4 Q% p, j6 d7 W- B/ c int 3
: v* _4 f! F1 h. t cmp al,4
$ q% H4 I& c1 u jnz SoftICE_Detected$ y* k3 b; K3 ~* O! \
7 \5 k2 [+ {% |- h, f, e& r7 Q# S* j
___________________________________________________________________________% s* j \" Y8 |" {
- [9 h$ D& B/ y) o$ d- E/ I$ P; @
Method 021 l; [( Q6 X) i5 E
=========" u# F4 Q4 W( x+ p6 K
0 d0 ]5 t: c. P% K
Still a method very much used (perhaps the most frequent one). It is used9 S5 X& |7 j8 k5 E
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
) [6 D1 B4 m y/ L6 w- F# X0 w! zor execute SoftICE commands...
0 E. X1 l6 p ]It is also used to crash SoftICE and to force it to execute any commands
& _ F* K2 |! e5 u4 \3 x(HBOOT...) :-(( # t' u( y0 b! A. Q, F0 i6 v5 ?& k
4 Q% k9 ?7 U9 e; a. K$ e# N. @
Here is a quick description:& n9 y; i9 G. @) I, B a& t
-AX = 0910h (Display string in SIce windows)4 x& L1 @4 o) P! U D
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
) ]- f4 ]: d+ s2 Z6 z-AX = 0912h (Get breakpoint infos)
/ h/ h x v9 P( N2 {-AX = 0913h (Set Sice breakpoints)& W V3 A. M9 x1 O* S0 c. p
-AX = 0914h (Remove SIce breakoints)
4 o4 n+ a; G* K- ~. k, Z
; d1 F8 g& Y9 `' N8 ~* dEach time you'll meet this trick, you'll see:
9 z$ W( X% \( k! _& B+ i# g-SI = 4647h
0 h' _6 ^& W4 m) E) [! p: r-DI = 4A4Dh$ {, V, `" j+ n0 @0 E7 c; [
Which are the 'magic values' used by SoftIce.5 G* y. F, Y H) ^' B) h
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 c6 b5 z5 ]& s5 G% k( P* {
8 d! _3 q, }/ _# s! z9 FHere is one example from the file "Haspinst.exe" which is the dongle HASP7 A8 z' z8 r5 ?# m+ S: V
Envelope utility use to protect DOS applications:
B& d9 w/ x3 S( T% w
$ {) D/ D# N, a! m. ]) \% `# v0 g) p2 `( Y2 w1 M3 I+ ?
4C19:0095 MOV AX,0911 ; execute command.
. u, R$ ~/ `4 c4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)., k) D: s$ T1 g# |! {* k& t
4C19:009A MOV SI,4647 ; 1st magic value.
8 ~; p$ H) t* p0 _4C19:009D MOV DI,4A4D ; 2nd magic value./ i; h7 G& K& C7 n, N# J
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)1 \( Y5 Q1 A z% b7 Q: X
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
5 t. p1 ~- E4 x9 ?; V4C19:00A4 INC CX9 G' E. C3 i- f/ [) D/ \
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
2 v9 C4 C( S4 o4C19:00A8 JB 0095 ; 6 different commands.
) Q& `- J7 [! a1 H! u4C19:00AA JMP 0002 ; Bad_Guy jmp back.
& i! z- \; [' b% Q5 ?, V! W( K4C19:00AD MOV BX,SP ; Good_Guy go ahead :): X5 r6 M5 b" m' U3 b
+ i6 C% J$ q" S# T* A0 kThe program will execute 6 different SIce commands located at ds:dx, which
. `. z4 _, H9 a, B3 j# ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.) i4 {5 k# J$ W* Z$ Z# y2 E
; r! M4 n7 U5 ]4 O7 E" Y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& i- N' z. e" z# `___________________________________________________________________________
. G* E! [ G9 g7 `/ l
3 e7 p) Q* {- r: v$ E8 `
" F7 |9 R1 H5 D8 I( CMethod 03
! m$ C6 S% w* a+ ?6 q=========
$ M3 I. r; ~. Q
# ~0 W0 e3 @' N. n/ c1 }Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h# s$ d# X- X- Y' o
(API Get entry point)" f' L1 x9 t7 I+ W! r1 b2 u
8 M8 l6 x8 Q2 V: [; _ ]+ \8 W: u" Z$ ]% O! w' n/ P# g
xor di,di
- w) t, K& X6 q! H' N" g" e+ p mov es,di
9 X$ W' }4 B+ G2 E9 R1 H( _ mov ax, 1684h / ], B; M3 F. X
mov bx, 0202h ; VxD ID of winice
* z- W U1 Y& g8 `- P3 V2 c int 2Fh, ] Y) {/ o1 d7 O
mov ax, es ; ES:DI -> VxD API entry point
+ E+ s$ l; ~% U; l0 c" c add ax, di
$ q* z( Z# r% s) K4 x4 j test ax,ax
7 L( `, R! P E jnz SoftICE_Detected8 C+ l* c0 w8 O% r/ S3 Y
2 g5 a4 d4 W8 V( q/ r9 ?& a
___________________________________________________________________________
2 ?$ E, ^$ F% X/ s, c" c
- E. h7 X4 E1 i& o( h3 {Method 04
% f. r6 q; N) M6 q2 P C+ h1 |=========
2 Q# Q4 O3 c, w3 _6 h1 c2 h
1 r/ g4 O' L+ |' \Method identical to the preceding one except that it seeks the ID of SoftICE# d6 r7 g" |/ b. e- M
GFX VxD.
$ v, l# N; ] W- t6 U* h- w/ X% i5 ~, ?0 n9 p% q# J
xor di,di
7 Z- j4 a; D7 a2 m2 W1 H+ q2 L+ k; Z- M mov es,di0 ]5 K; k% a. R; H
mov ax, 1684h
( g; P5 a& T8 Y, D: S0 Z% U' j mov bx, 7a5Fh ; VxD ID of SIWVID5 j- q* u7 j) ~
int 2fh6 w& ]$ H1 `8 i* ~
mov ax, es ; ES:DI -> VxD API entry point3 I" _- K+ `# O
add ax, di4 f5 I9 Q2 _& ?" a2 N
test ax,ax
- I: ]7 _) t k4 J$ ~ jnz SoftICE_Detected( z4 S1 A: C9 h, x! t( t
- g4 m1 X/ T. ~! }
__________________________________________________________________________: b. |, }7 ~% r k9 u% }" s
, a# ?; T9 h9 {& b4 q- l, Q0 j
3 ]' k9 Y4 L' e W1 `Method 05
4 |2 A4 V+ O2 @% G6 l5 L3 x4 m3 b=========
3 c5 f; K+ Y+ X, t0 K- }5 J4 C% A/ X- z: M5 |
Method seeking the 'magic number' 0F386h returned (in ax) by all system# g2 Q2 I+ A/ k6 c2 U
debugger. It calls the int 41h, function 4Fh.
0 a! W: b1 @8 O1 ]There are several alternatives.
9 @' d/ N' Y# J5 X+ y7 s& E* O4 F: `6 ?% [" L& s2 g6 ^
The following one is the simplest:" d; d8 _6 W; X$ y
( i* J: y5 j4 A1 Z0 o
mov ax,4fh
w5 C5 \9 \" X( }* m3 O. m" F int 41h3 {4 o9 `9 G8 ?$ {
cmp ax, 0F386" r: m/ W1 M( G& P, h
jz SoftICE_detected
1 Y% T4 x; `$ p! V" K8 k* Q$ S1 a: G9 Q& ^$ ~
3 R. m0 K4 U# F! t; f2 sNext method as well as the following one are 2 examples from Stone's
( w, a# |1 P9 k3 G6 r"stn-wid.zip" (www.cracking.net):; Q! h8 R! `9 P% a* C; G
' Q, b) G% S2 E
mov bx, cs
$ T/ P6 c' I; D% d$ J- ]3 A: Q lea dx, int41handler2; U0 B9 |. r( v8 V
xchg dx, es:[41h*4]
3 E7 r+ P8 }) e, a) A* B xchg bx, es:[41h*4+2]
+ ^) c. n1 g9 G- |" Q8 H- F" Q mov ax,4fh
( a4 \- L: g% c3 T: ] int 41h
E$ f/ a( N$ ` |; H3 s: ^- ` xchg dx, es:[41h*4]2 |( a% m. }8 x5 z& n
xchg bx, es:[41h*4+2]
: Y, v- y, s3 G" G9 ~ cmp ax, 0f386h
$ t- C- t( ?1 y( c/ I- @ jz SoftICE_detected! v; Y9 ]( e: M
2 Z) u, [, d$ o9 N! J8 |/ v
int41handler2 PROC
* c4 B+ ?8 C* h! n iret. s7 w- _. B! g, e
int41handler2 ENDP
4 u& R& K) p# ?% N U7 F
. v7 g" b6 N( M& ^4 D7 V8 ?; Z6 O6 `, s
_________________________________________________________________________
% X% V' ^% w( e) w0 O1 R. o* W6 J0 W1 g- v/ Y$ A9 L
6 r% p+ p7 Z" L; a0 N" i, o/ T
Method 06 }+ P. i2 z W/ O* B
=========& R& J* ~1 l/ ]- L/ X
: w A3 Q# J& f- \$ j2 m9 z+ u# N
' l4 f# Q {- P5 G. N+ m: ?9 a$ Z
2nd method similar to the preceding one but more difficult to detect:2 ~) u6 j) v" L8 Q5 {
! U7 O, A! X7 g& A% X
2 t }/ u; c' r. I3 J" f. U2 D/ |int41handler PROC
! t. c; j e4 R" r& H# P6 @5 x mov cl,al
- Z* x4 ]& {& [( n- Z8 _ F1 A% w: K iret
M$ Y+ K9 z" Uint41handler ENDP
, _) G; \' R1 ^3 n3 I
* }) r9 w: B: J' S( N2 v/ p
: j3 \# O1 e% @- K& X xor ax,ax
" F3 T" G O4 L/ v" J1 f3 W mov es,ax' f% N: e, i/ L$ L3 ? p
mov bx, cs
9 N: x! c O. y" | lea dx, int41handler! D! w) @8 q' C. e" C& W
xchg dx, es:[41h*4]
. r, X9 {3 z' Z2 ~0 ^; u u& Y xchg bx, es:[41h*4+2]+ _6 }8 @3 r$ _/ ~- ~
in al, 40h
% D4 P, \# t" `* M9 ?1 W xor cx,cx
8 g; D% N& d4 F' ^+ J5 K int 41h
& r% }/ |, ]3 Q2 F% |! d* f8 F% m7 y xchg dx, es:[41h*4]9 L) l8 l1 {/ ?3 Y$ y! X
xchg bx, es:[41h*4+2]
3 Z( V' e' l4 ~: x cmp cl,al; r& j8 t% }( q1 j) |2 e% ^
jnz SoftICE_detected5 T" G8 Q2 J( n5 Z8 h/ K3 }
+ k w2 m {9 Y* X_________________________________________________________________________
& R7 }9 o: ]: z6 S+ V" p; Y5 O) o% ^# x# v6 ~ E! \1 a
Method 077 ~' a4 m2 I1 P/ V p5 W& T
========= b/ n Q# T' H
( B% {; D5 W* [
Method of detection of the WinICE handler in the int68h (V86)+ F) [+ m) N' T$ z- a D5 S
/ @% r; Z5 \# W) y1 F mov ah,43h5 n6 M" N7 ^% q* c$ e& Z* m
int 68h( x ]* f' G9 s+ i1 |
cmp ax,0F386h) U9 t- |' k- \8 Y* }5 a! g
jz SoftICE_Detected( n- {! j( x7 m+ V6 r! T
) i0 @- B' y1 A$ w8 @
( X/ b" j0 [0 I* C8 ~, h=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 o! B4 n1 H! F- |. b7 `
app like this:
; W1 B' x4 v, y' _% c% z& z+ f6 I+ V) c5 A: W( T
BPX exec_int if ax==68/ o+ c" P, @. D4 O8 ]7 ?
(function called is located at byte ptr [ebp+1Dh] and client eip is
! a# z' B, Z1 [/ {: j located at [ebp+48h] for 32Bit apps)
% Q. J$ h+ c- }( v' p__________________________________________________________________________ M% G* O& @, W0 P, `, ?
& {4 @. `' ~4 I2 [; L% ?: Q& v% P# Y9 E
% u2 a! T1 f' ~1 PMethod 087 E3 X" |) S$ b, R Y8 s5 t
========= w( k9 y5 V; L; G% x! e \
4 I% j; m5 ^& {& ^: @6 hIt is not a method of detection of SoftICE but a possibility to crash the
4 t, c/ ~3 D) z% f8 rsystem by intercepting int 01h and int 03h and redirecting them to another1 ]8 [& f# ]8 \" w9 E; M
routine.
7 l6 \+ _; b9 _. a1 p' T& NIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: m0 R3 N3 c6 v, ?- l1 pto the new routine to execute (hangs computer...)% {$ A+ Z& F4 Z4 S( b1 s, k
, N4 f0 b' |' n g* ? mov ah, 25h- @' Z$ Y9 p" k# J8 V- p0 `
mov al, Int_Number (01h or 03h)
1 `; O, {* n* e mov dx, offset New_Int_Routine
9 x% t5 T) g& H% w8 Q0 E int 21h* G: e% T' T+ J3 c4 D6 O
0 b9 b& ^, v) V. K) a9 v
__________________________________________________________________________
! k! w& z# l! W7 j: ~2 q/ p
& ^ Z' r$ H. TMethod 09
9 a- _+ T( ~7 m2 ?6 n=========; l- C9 W+ l2 m
7 S# Y7 B% f+ A9 RThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only8 |- ]1 h% q& Q5 B( p4 Y
performed in ring0 (VxD or a ring3 app using the VxdCall).
! C2 n& d, k9 e7 r* XThe Get_DDB service is used to determine whether or not a VxD is installed. t1 y& L4 c- m6 Q4 A7 Q) m
for the specified device and returns a Device Description Block (in ecx) for
0 r2 x4 b* p$ o) @ lthat device if it is installed.
2 R6 h% K% O) @5 p1 l+ W. |- D/ W: @& ?0 p, J9 W7 ]
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ J* X s2 e8 Z mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ e; l, \; s, H/ f VMMCall Get_DDB) w) f# c8 V; r- K. X' E# B5 u
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
. J1 u4 w z8 S5 M) Z* X
3 }2 Y% w0 v3 @- v3 WNote as well that you can easily detect this method with SoftICE:
; t/ }7 V& e) E6 R- o bpx Get_DDB if ax==0202 || ax==7a5fh
( e$ c7 S7 _8 w. S i2 g( P# u
7 B. U. p, p; ?# ^% m__________________________________________________________________________- l, M% `6 q- ~' R/ y
2 t9 e' p \7 L3 c: N' s% r
Method 10
5 s+ u, X7 m B=========' c6 S$ A7 N6 ~: G4 w4 V/ l+ f
& o$ c2 R4 y9 a4 Z8 @6 X=>Disable or clear breakpoints before using this feature. DO NOT trace with5 x. x: L# o/ v) A( c- C
SoftICE while the option is enable!!; e1 n' M$ j* z; \+ b- ?6 T
7 X: D( _; M- Z( W* aThis trick is very efficient:
9 z: `. n/ M' \by checking the Debug Registers, you can detect if SoftICE is loaded
( o+ H9 I; g. H! I! I7 g& E5 X* K(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if7 w6 G+ A# t5 E! e$ J
there are some memory breakpoints set (dr0 to dr3) simply by reading their. W2 a) j7 R4 P! o; K' |3 |* Z
value (in ring0 only). Values can be manipulated and or changed as well
% _) O1 e5 n& d. e/ F. X(clearing BPMs for instance) }2 p' v& V s- c5 a: Z2 D* O
# `8 w$ u0 E0 d! O; C* |
__________________________________________________________________________* O8 b& R& G2 I
8 W* Q6 Z3 t& ]3 }6 t
Method 11- J. S) E3 p" O: H% _. t
=========
' r, Q2 T6 X3 q; p% v o8 V7 P8 d) c0 c: n; G1 S- r7 y: g
This method is most known as 'MeltICE' because it has been freely distributed
% v! f" J; k2 f5 G& @8 z5 E% e" t7 Yvia www.winfiles.com. However it was first used by NuMega people to allow
! Z* a" _! P# V5 g8 {) WSymbol Loader to check if SoftICE was active or not (the code is located' M/ w0 X# N) u! n1 S
inside nmtrans.dll).1 M- s7 ~( Z* @, _
+ l! R! j, S; bThe way it works is very simple:
0 p3 i x i. k/ o. S0 A7 JIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 n6 _. v7 ~ b5 t
WinNT) with the CreateFileA API.* a! Z& e5 @, D0 q
5 U9 d3 w# _; G5 i
Here is a sample (checking for 'SICE'):
/ z5 k9 @: Y+ d. B3 v- X# S+ y& }( ^' N4 j, q
BOOL IsSoftIce95Loaded()
3 d5 E; R8 G. X{5 T7 z/ g$ ]: |' v% h* c1 ^% ?
HANDLE hFile;
2 e0 p/ Y7 E: V3 M6 y: T! x7 t2 v hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ e; A) O8 w3 R! k+ ]
FILE_SHARE_READ | FILE_SHARE_WRITE,6 C: ?) Y# a: x5 T- a
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 s J) N L7 o; ?7 c5 h' n+ } if( hFile != INVALID_HANDLE_VALUE )" W. m% l1 }7 g: N: Q
{5 B) M, W; k2 U* m S* y$ |+ Z
CloseHandle(hFile);
; k; U. I. O. Q" Z& B7 Y- @ return TRUE;' a: ^: l+ w* N& Y2 n
}, `4 v$ e% V* d- [1 o1 e
return FALSE;
, ^. F5 u- n, G- F, `}
( L! g- {. H, D, a7 U' G, [5 i/ Z. a. N
Although this trick calls the CreateFileA function, don't even expect to be
% i3 P9 v+ K( J6 jable to intercept it by installing a IFS hook: it will not work, no way!
; C7 u6 j' _# {! `( F/ O' a4 wIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# n% f L8 C3 @% |2 a2 Y
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 c# j7 Z! Z; H% G. A @; p# z
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 p4 K/ v# a4 A" Wfield." B0 C4 Y V/ o4 N- |
In fact, its purpose is not to load/unload VxDs but only to send a
* y1 A' R& j# P- G7 m; AW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 B' J$ j/ k: J5 A" S
to the VxD Control_Dispatch proc (how the hell a shareware soft could try* a+ p" S T- a2 z' P$ M) t6 q
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, j+ m2 _ N |, p* O/ P3 P3 r. bIf the VxD is loaded, it will always clear eax and the Carry flag to allow# E% C* h M" @8 D/ c3 L
its handle to be opened and then, will be detected.
: c$ x; d) |4 h" _8 L/ eYou can check that simply by hooking Winice.exe control proc entry point
4 y5 ^: {. S& k+ c8 B" ywhile running MeltICE.: T* }3 L* x! L
+ j, w2 r" X6 C/ E [
. H- X) x9 k9 m2 O; p$ N6 E8 N
00401067: push 00402025 ; \\.\SICE1 R7 F1 u3 L. S) ~1 z6 i' F( r; O
0040106C: call CreateFileA
- o: T5 T5 T8 P; @2 v5 z 00401071: cmp eax,-0015 C/ w2 g8 \5 p8 U; r
00401074: je 004010916 t @" h8 ]4 A# S
8 |$ s/ ~/ m- b& l+ q+ Y
3 B# n% {( n: s6 P+ y0 g
There could be hundreds of BPX you could use to detect this trick.8 I4 I* P e9 M: g1 X
-The most classical one is:0 B$ M, W$ Y/ T& W) j) F$ H
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
2 |) F4 |- G) [ *(esp->4+4)=='NTIC'
1 y( W8 N/ e' [5 b2 c
6 `& k. t7 |) `% [-The most exotic ones (could be very slooooow :-(
* f% p5 w0 J2 ^) t% B: _ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
9 L0 j+ M: C9 v, m% v) d- D ;will break 3 times :-(' ?7 K: L+ @6 h! L+ k, W4 b! T
$ f: [/ g1 K! P1 z, R, }7 {-or (a bit) faster: . W5 U8 r0 y/ e; N r4 W
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 b* q2 E+ x; g( e, G% b/ g# ]* C: B; |8 w6 s2 e- t
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
# F( c% H$ Q* G4 P. q/ D2 R ;will break 3 times :-(0 a4 x) v" T; {7 K5 Q8 V0 O. `
8 ~$ U3 A, K9 M' z9 X6 \
-Much faster:& w3 _* q5 ?8 e: [/ f1 m# x
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
$ m/ g: v7 c. H6 @3 _% z
& m& C) Q, v) d, A0 A. WNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
( K5 M- G8 y4 d; j9 ofunction to do the same job:
! Q. L, H L3 V2 {
+ ^6 g. ^1 V3 V G2 g push 00 ; OF_READ) H7 M7 D+ t' Y" Y. [
mov eax,[00656634] ; '\\.\SICE',0
4 P: Q! o0 E0 d% P, U push eax
& { u1 K! b5 h# c call KERNEL32!_lopen* t! n f+ x# {+ r, W, ^( j5 r1 D8 X( X
inc eax' y: B7 N( n; Q; W: f
jnz 00650589 ; detected2 Q, |) B' k0 h8 R0 g% ]
push 00 ; OF_READ2 d6 D# Z$ V- C. ^9 G+ o
mov eax,[00656638] ; '\\.\SICE'1 u) R* H/ p$ ~ X9 `
push eax
6 r1 A* [7 Z/ J2 x call KERNEL32!_lopen6 N$ g0 a9 `6 ^6 ~ ?. S
inc eax
5 T5 w* J( P( Y ~5 B1 j jz 006505ae ; not detected
* I: K/ G. Q: ?+ m
) s* h M! E9 i/ \
3 W1 v& \/ j& Q' Z5 R7 E8 U__________________________________________________________________________. i7 Z# Z# k( T8 d* b0 f4 R
% T* O6 \& {( e8 i- o' s& c4 Q4 iMethod 12
& ~+ |# ?$ c+ T: ^! q=========& P5 C& j" z& M. E) \
! j* ]+ C* ?: \0 hThis trick is similar to int41h/4fh Debugger installation check (code 05
: H9 t% s. N& s% I6 }+ y& 06) but very limited because it's only available for Win95/98 (not NT)( z- t i ]' d- d
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.: Y2 h& t5 S9 k
& ]) |' O2 x8 C4 s push 0000004fh ; function 4fh6 y+ ]; `- N, O+ F% J0 U- i
push 002a002ah ; high word specifies which VxD (VWIN32)8 \( r2 Q# R+ x1 w3 P/ g& w0 s
; low word specifies which service! u* u u$ q/ x1 H5 W( J
(VWIN32_Int41Dispatch) {, u! J2 P' x9 M2 }
call Kernel32!ORD_001 ; VxdCall: I; `3 U5 n' \1 R! i6 x
cmp ax, 0f386h ; magic number returned by system debuggers
7 L$ \/ u# e9 n) k jz SoftICE_detected! L. g1 y) y. [9 R
, ^- z5 U2 p: X! X, x# FHere again, several ways to detect it:
$ z4 v }/ |. s: d. P9 f+ Y6 {: B
5 ~: T* W0 z% E6 C- i3 B BPINT 41 if ax==4f
! m' `, _( P( Q3 M% j+ H' o. {! A" Y
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one9 {; V3 ~% R0 N3 E
0 B L' M; Y4 N! G9 J% Q) J( f BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A/ I; R1 F, e& H- x
4 m' o( h9 ]8 ^- O BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
4 f, c% R9 j( s+ a" u W# @# T2 f4 G- \- @% I+ O
__________________________________________________________________________6 W. K' C Y. f( @ h! Y% ?
p# p- L. C# L Y4 gMethod 130 Q/ I- `9 \# X1 C& B! [1 U
=========: W+ D, D6 @6 b1 L
* \/ A, o$ ?1 s$ ?" B7 ]0 H
Not a real method of detection, but a good way to know if SoftICE is w! n9 Y9 Y7 \7 q) |( b+ k
installed on a computer and to locate its installation directory.9 y; `# C9 {/ P, _
It is used by few softs which access the following registry keys (usually #2) :
( Y+ X ?2 F* X
$ E2 k- o7 N8 v( K' p1 K-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# o; D' `% }% V$ H
\Uninstall\SoftICE
* a: r$ D, s& `9 _$ l-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE# ]$ z; t, Y8 z8 {
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 S, S0 a5 I5 p7 U8 [- p" H- Q\App Paths\Loader32.Exe" q9 u# Z' u% O. j
9 K6 k. o9 }0 _& ~5 V
5 q# j9 ?; G; A+ F9 W' u4 ~Note that some nasty apps could then erase all files from SoftICE directory* k0 p0 V N" i: `3 D/ c% Y
(I faced that once :-(
7 H0 B, N' u2 O, l/ u0 V5 F& z4 x( I, J1 N7 Y) g3 T
Useful breakpoint to detect it:* w* C5 c+ {$ z6 }7 T* U
$ D9 V; h. `) b$ t* I7 g4 S$ R8 y BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'4 }/ q0 w7 O" F0 N8 Q: V& q# O1 e
3 n/ d Y' b5 E2 R
__________________________________________________________________________6 K0 t7 G, q# v H+ W, ~) r+ ?( N
4 J4 f) E" k/ x. {3 d6 p: N0 {% w, Q
Method 14
. n! Z1 N' _5 x. G6 t6 }. _) F9 u. P=========
2 ^! ?. K. e7 P. T. B; |8 A6 R9 ^* J
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose% M& Y( I+ V7 k1 `0 T$ C/ Q/ P0 e' ~# _
is to determines whether a debugger is running on your system (ring0 only).$ s, W1 x$ W7 }1 j3 c& N/ }
# b8 m# k: p$ {3 W* Y& ^* j% V$ V
VMMCall Test_Debug_Installed
8 R. R1 u1 i; v6 O* V0 P1 N* f je not_installed
E+ j3 b2 J1 t. g& ?+ [" {; ~% r; |) |! ?' F* S
This service just checks a flag.
* ^7 }, [/ M4 Q# G1 g. Q</PRE></TD></TR></TBODY></TABLE> |