<TABLE width=500>
! _1 F1 Q* h% g5 B/ X3 P. ?<TBODY>
0 S; }) f* s- I: p, I<TR>
: b, z# I( U7 p<TD><PRE>Method 01 4 I* l- y( D/ \' H) q* x% A
=========6 S: W( c C* t9 o+ V q' d
* m* h. V8 S4 \ [% P
This method of detection of SoftICE (as well as the following one) is
2 r3 h# v4 l' F C7 c+ m) \6 Rused by the majority of packers/encryptors found on Internet.6 }- m5 L% a( b) I0 Y. t
It seeks the signature of BoundsChecker in SoftICE
& \- {- b" ?0 `/ |9 Z% ], y5 W+ U& {: o0 R8 J
mov ebp, 04243484Bh ; 'BCHK'
" w. a1 @& ~: T" ~' D" o8 Y mov ax, 04h
" Y" ^; K d. t1 T int 3
% K. g7 }; c8 `' I cmp al,49 S9 B$ m7 S: g- D' w ~' f
jnz SoftICE_Detected
9 J. A$ p1 G: S3 S3 V2 o: Z
% A0 @3 U0 T9 y3 M7 w, a& r/ t) {___________________________________________________________________________( ] G0 e0 L3 O! L/ r
! o$ m, F. _3 RMethod 02
F# [8 {0 w: [1 |5 P=========
/ u. G+ i& U T: c' N2 Q! J6 I; f2 o- {, F! T: ~" ~$ K4 h6 T
Still a method very much used (perhaps the most frequent one). It is used
/ R& Q; k3 v9 l- |, A" Vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
, s) ?4 D' q. d9 X4 p' Tor execute SoftICE commands...
$ @* i) o9 f1 {/ r5 b7 f$ EIt is also used to crash SoftICE and to force it to execute any commands D5 r. l0 H9 h
(HBOOT...) :-(( : V6 u1 Z5 W5 u1 y. p; D
% w4 L* G# l7 |- w
Here is a quick description:
' \5 B4 z# c6 J: A0 }-AX = 0910h (Display string in SIce windows)2 M8 [, z5 N5 G9 J0 k/ G
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)! {8 D- k% j( X/ i$ e
-AX = 0912h (Get breakpoint infos)* I9 N8 _# q2 r9 W
-AX = 0913h (Set Sice breakpoints)4 d$ X6 u' c) {( Y9 h) U
-AX = 0914h (Remove SIce breakoints)$ \9 W7 e6 ?& u& U
# ^7 h4 \0 d' N1 b9 IEach time you'll meet this trick, you'll see:
8 W9 {7 j1 r) l L/ I: p; | `-SI = 4647h
5 ?) T4 Q: B1 z3 ~% i* o, t-DI = 4A4Dh) R6 E: b y. ]5 p: f% `/ k
Which are the 'magic values' used by SoftIce.! @7 \, ~' m/ }9 O# S
For more informations, see "Ralf Brown Interrupt list" chapter int 03h." L% k( r3 J' s3 d( g
$ Q3 ?% C3 Y9 c4 [3 W' A4 F W0 ZHere is one example from the file "Haspinst.exe" which is the dongle HASP
8 B' ~" o! W G' J! o+ ]4 Q& hEnvelope utility use to protect DOS applications:
* \& `+ M/ y# g4 M8 x0 [6 V, B: q8 t+ M) ~; J
: Z+ B* I" h/ z P' Q1 H
4C19:0095 MOV AX,0911 ; execute command.+ Q7 k! e4 k, F0 e" H
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).$ s2 {! M- [- C0 E, O8 d
4C19:009A MOV SI,4647 ; 1st magic value.
* P( L& Y% ]$ Z7 Y4C19:009D MOV DI,4A4D ; 2nd magic value.
2 J8 |4 z- ]- m* y2 r1 x4 l5 A: Y4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)6 I W! [! f C4 T Y2 \2 V6 M9 E. n
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute0 c$ _% i t; R, \: \6 z
4C19:00A4 INC CX: i0 Y# { E/ t
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute9 `/ a0 G! c, S$ P% C+ g, a
4C19:00A8 JB 0095 ; 6 different commands. i& F1 t% G u3 S, G
4C19:00AA JMP 0002 ; Bad_Guy jmp back.) R8 Y5 s! n$ y6 B0 r3 E6 N
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)" K5 C9 h& | D( h0 I- z
+ V, n a7 _ U. [The program will execute 6 different SIce commands located at ds:dx, which, C: G0 ?6 ?+ u- o$ Z
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! _" ?7 ~1 Q) U
6 `& u8 `0 D( |3 d* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
9 c) B1 G& q) ?9 `. H& A) q* R___________________________________________________________________________
" `" a3 t3 l4 T$ {& p' t2 I* ~) q! J
" I( C1 m+ n `+ T, E9 B, E
Method 03
) Y* |7 S; S9 z2 |6 s1 L9 x* G=========" H# P4 k( Z% S! Y+ z
" ~2 @9 I1 E, M* T, V) J) ULess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
% a& K/ J1 o8 l, s8 B(API Get entry point)7 ?" h# f& {) X1 F7 m) R- o$ y) i7 h
* L/ {$ x! z' ?. Q4 ~( \4 p/ j0 m: Y* S
xor di,di" I+ U. p7 }& c- X( {% |* [
mov es,di* e& c) O) ?, B ^/ K
mov ax, 1684h
# ^' {" u4 Y0 A! _6 \ O mov bx, 0202h ; VxD ID of winice
: C9 E. L7 ]" |. I int 2Fh
6 F2 v+ D) |3 V! k. m mov ax, es ; ES:DI -> VxD API entry point! ?( F- \3 m4 t& L8 J
add ax, di' f3 Y9 A- k+ z0 l( P
test ax,ax
+ v. b% f$ w( X- C jnz SoftICE_Detected
3 a( Z+ E+ J0 d! r1 X4 n- m$ X2 ]: ]0 |# ]4 Z) S
___________________________________________________________________________
) X3 m" S m% n1 n/ c1 x) F7 t
& D0 @1 n: z# W2 L pMethod 04
$ X' ^/ d2 ^. e( I6 i=========
! _9 m% {) H1 |, U a& o, W5 @9 t3 W R4 U0 |8 U, \; \
Method identical to the preceding one except that it seeks the ID of SoftICE
6 q A' \2 ]+ {; H: t$ ?GFX VxD.
3 U$ j+ y' M9 D! C' O6 f
3 x6 M2 l& }+ ~3 K' B( l( `9 j xor di,di
6 B- B8 x5 ` o+ g mov es,di/ c" N( H3 v0 `6 W
mov ax, 1684h 0 ]- L& x2 W/ D( g" b% P
mov bx, 7a5Fh ; VxD ID of SIWVID
% O3 m7 T/ {" a3 M$ u' r5 @& W! e% d int 2fh& D+ Y2 e( H3 O4 d' e! T, d+ {
mov ax, es ; ES:DI -> VxD API entry point) B" \ X x4 n; {4 \/ Q7 y4 k/ p+ j
add ax, di
' t* F) y d+ _' i- m" C4 j test ax,ax- ]3 x6 S6 c+ _" e% R
jnz SoftICE_Detected+ f3 Y* J9 p6 {2 [! [4 H" q
3 R- f& M- b% s5 h
__________________________________________________________________________$ n. h0 Q- M$ s7 _4 o
$ S5 h) b5 C, n" Y0 L' B5 K: |5 S4 U) E
Method 05
( v% |" [7 F6 o0 J9 Y& A=========
j5 D" D1 L* D3 r* c
/ z1 {2 }4 W- ?2 K1 aMethod seeking the 'magic number' 0F386h returned (in ax) by all system2 Z9 p" q8 I1 ?. R6 Q/ G7 d
debugger. It calls the int 41h, function 4Fh.
/ Y I6 S. Q# S3 X/ R8 R9 C- v) TThere are several alternatives.
& b* b9 l1 |3 U8 h% H, k9 `5 k5 I; w" M5 \9 p7 ]
The following one is the simplest:
3 q8 W. ?6 U6 m& ~ {: K! D' E g
mov ax,4fh
+ l, L$ ?/ {9 E2 i" g int 41h
1 u3 g8 b* L7 N$ C7 k# X cmp ax, 0F3864 D# l. K4 q, v! t' w
jz SoftICE_detected/ M! ]2 t6 U$ r r
! I6 S6 {5 b. E( S1 N, u& ~ o; o- f0 @+ `
Next method as well as the following one are 2 examples from Stone's : m8 p, t& z6 P/ d# X
"stn-wid.zip" (www.cracking.net):# R5 d& Y! H. B1 W! x2 R! U, o
/ A& P L1 }$ ]: X3 o* z mov bx, cs" V' M" H6 N8 L1 `: E* @/ @' C
lea dx, int41handler2
. w# |, Y) }5 z6 w xchg dx, es:[41h*4]0 S( K3 \( D. y$ ^
xchg bx, es:[41h*4+2]: x5 B! Y- D! e* s9 | ^8 z3 T
mov ax,4fh
( Q) S8 \4 i# [3 g9 X$ c" X4 e% I int 41h
" m. _) K: h2 T* l4 X6 B xchg dx, es:[41h*4]
6 j1 ]0 v i1 n3 Q$ ~( T6 q7 v xchg bx, es:[41h*4+2]
! A7 R! s+ e, c1 a7 g1 S; j+ l cmp ax, 0f386h0 b& v. [* K- _& s& a7 A/ E
jz SoftICE_detected2 ?9 |& l2 D6 |9 d) W# Q) d2 t
+ i/ d$ E4 l5 k# I: H+ c
int41handler2 PROC( A5 m4 ~2 r2 v; R
iret" ]- {8 N/ t* c& ^2 F' H. J7 }
int41handler2 ENDP, z! ?$ U& [0 W2 ?! Z
( a9 a+ [5 p7 O% S. y% c" a# [( A* B& n% ^& V2 [
_________________________________________________________________________
9 z1 i* o' p9 Z1 H
" s6 Y+ ?" a7 }: ]3 V
6 w% f+ r$ f" }Method 068 x6 s; N: [4 a5 r
=========
, l6 M0 H- i/ ?' v( U4 e8 S
. H0 g' S8 s) U) ?& l& P) O
! s' i) H o) C: F9 j5 E( Z/ `2nd method similar to the preceding one but more difficult to detect:
- E% H4 P6 P; o" N" W5 V/ u S0 r( j$ z- `, `
6 w- S3 T9 I2 ]# g, I' U1 z- V
int41handler PROC
# i" z* P# M' L# s+ q1 v mov cl,al
5 m- O7 _. X2 P; ^3 D iret
* ?" s2 R* d* z/ x7 A4 Aint41handler ENDP1 A! D+ D, x2 h4 a( h+ N. m
, f7 K. m# }# O: p6 i
9 ]" `: ^! `# _; x/ |' M xor ax,ax
3 C, t. E; f: Q mov es,ax. ~" y$ w8 @( H4 ?9 l+ T( d" J: |
mov bx, cs1 m: l% C- R% W' j8 W
lea dx, int41handler$ D$ o: B: j9 q( w4 y$ h
xchg dx, es:[41h*4]5 s9 y5 Y/ G: @# T( j' `% d i% ^
xchg bx, es:[41h*4+2]
# L1 ?+ k% P% o in al, 40h: _+ g9 c# _! P& [& D+ A
xor cx,cx
/ i* ?# J2 k; c) ~4 L; ? int 41h
+ ~7 R7 W# {2 F% I6 f5 u Y xchg dx, es:[41h*4]
$ B+ y& u. }8 t: o4 q6 w xchg bx, es:[41h*4+2]
7 b+ r3 p, a2 f x1 o cmp cl,al0 j! J' O' W+ L
jnz SoftICE_detected P h9 B% n% l3 @$ s
0 p0 ^3 B) p8 @" I5 d/ B4 \9 a
_________________________________________________________________________
J" \: u- j% B* @0 Z6 [2 u" t, I6 P! |7 \# ?
Method 073 Y5 |: Q8 g) N
=========
' L0 K+ v% Q, Q) j/ M/ j# t9 o v- V9 C8 `: L4 U+ E
Method of detection of the WinICE handler in the int68h (V86)
}- J' T, M! \1 m
% q3 j9 `( G( l8 T2 N! A* w, i mov ah,43h
2 ^# h; {& c! A! [ int 68h
, T0 c6 ^! H5 x% x! l% G; L# V cmp ax,0F386h
" m( V8 E$ U& k3 D( [ jz SoftICE_Detected4 y3 I M4 F0 g# t" C
8 a; N4 a7 ]) M; c
8 }4 @) \$ G5 N8 K% W=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
% i* B4 \8 J+ p3 L7 K app like this:
8 N, j* i5 ~$ P. y4 [
* G3 e6 z& e0 F. h$ C BPX exec_int if ax==68 H7 x" k6 C7 _8 c$ [8 f- P7 G
(function called is located at byte ptr [ebp+1Dh] and client eip is
! h# W5 {% b. _+ n located at [ebp+48h] for 32Bit apps)- ]$ e& z+ ]% y" W+ m$ D2 d
__________________________________________________________________________1 t5 x( \1 q3 j8 N5 X
9 t, c/ R5 ^7 `
& I; }9 |% E% U/ E m( s& c. x
Method 08
, c8 t# i& T! S F8 c3 m4 {& W0 }=========
8 x9 T; v+ ]6 g) U! \7 h. C; R9 x; h/ l N
It is not a method of detection of SoftICE but a possibility to crash the: A6 X% {/ Y, n
system by intercepting int 01h and int 03h and redirecting them to another
( P0 h8 e. p7 L1 Y5 x3 V$ y: ?/ Broutine./ k- C$ ^- R- L P
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& {0 {* ]0 ~' |% [' H& z. A$ pto the new routine to execute (hangs computer...)8 J v( v4 y; t7 b/ H
" h4 g" z/ B" R5 ` mov ah, 25h
! n( H/ q0 y0 r9 [ M) q mov al, Int_Number (01h or 03h)" r% \' b( V- L
mov dx, offset New_Int_Routine
+ m3 K t2 B" h" i+ s8 S! F int 21h0 R# v* E4 I. ]1 Z" _& h1 I5 p
/ ?- w" q, }1 u% X8 ___________________________________________________________________________, K3 d ?: |' _
! |1 C2 {/ @8 R1 q
Method 095 v! ?! J. _- A2 k+ V
=========5 W9 V" p/ V1 F! }% l+ E
# e1 Z b: r* U
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
0 p8 x5 ~! P/ W7 D# ]! T+ R5 _5 ]9 ?3 @performed in ring0 (VxD or a ring3 app using the VxdCall).
( w- e; D) h1 |7 P" _, lThe Get_DDB service is used to determine whether or not a VxD is installed
9 y% r, Z# W: y5 J8 F( ^for the specified device and returns a Device Description Block (in ecx) for
' I& r8 T Y' j) cthat device if it is installed.
. ]% ~' L5 f# l6 z2 G" o6 }* B* Q7 D9 ?( X- `# t+ r q
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
' q: b; I$ E9 c% H. [6 w5 k mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)" X; u) ?9 L& }9 A
VMMCall Get_DDB& i1 X# d0 j: s& q( g4 U2 X. H1 I
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
$ _! v7 z: w5 V6 }+ f+ E4 e1 {& y+ y. |9 k1 K
Note as well that you can easily detect this method with SoftICE:# m: G; k) Y& {! B( I
bpx Get_DDB if ax==0202 || ax==7a5fh
1 P: G' \8 s; `- b) Y5 K2 y: c/ m) x/ U
__________________________________________________________________________! y% ?' p/ n+ v/ ]4 X% H/ X2 y
7 `7 |0 o; ~( {Method 10
% k, j: G: h" g+ L8 i1 C9 l=========
$ P; l* e* L9 N" e$ D) C3 K P' E& ~4 b2 h# G! c! `
=>Disable or clear breakpoints before using this feature. DO NOT trace with0 y v' O0 I' |+ S! Q6 Z9 Z( K/ j
SoftICE while the option is enable!!6 f6 K5 \; f. a. z5 s, o: F: ~
( D* H6 ~8 a' ^; W
This trick is very efficient:
/ K' H. @1 a4 Z6 z) f1 B" L+ h# }by checking the Debug Registers, you can detect if SoftICE is loaded3 c( L. f2 n- v3 J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 Q0 r* v$ s* t9 m) {( q2 ?3 L& M$ F! W
there are some memory breakpoints set (dr0 to dr3) simply by reading their; w( ^" r# L+ b2 c8 S3 _+ f# \4 |
value (in ring0 only). Values can be manipulated and or changed as well$ X% F( R7 i# k7 |% k
(clearing BPMs for instance)* ^# a0 g1 e. k, C3 D
4 m7 h9 @, R* ?) q1 t$ }8 b: v! n& D8 R__________________________________________________________________________
3 m/ u, C$ g- }$ \9 Z
" D' E8 G$ h, d3 r0 o* Z! X: a( XMethod 11
: i- f. m; Z: u=========3 t @( v4 Q& f$ I) P
. c% _9 F$ `& z$ n4 I: m c @This method is most known as 'MeltICE' because it has been freely distributed
# D: r, P8 Q8 O- ~3 dvia www.winfiles.com. However it was first used by NuMega people to allow
: c) D7 W7 M/ C4 ~Symbol Loader to check if SoftICE was active or not (the code is located4 L! J( D2 m* v
inside nmtrans.dll).
( C' w3 w2 Q4 s9 W- |$ m( i; a% Y1 c3 M3 P$ m3 d
The way it works is very simple:
3 C5 D6 Y( ?, d6 F: S0 d" C( l& xIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. ]1 Z0 I Z* U+ ?
WinNT) with the CreateFileA API.
4 ]. \& s$ ^: \% d! }) C; S2 G8 C- Y' s8 L1 b
Here is a sample (checking for 'SICE'):3 Z! a$ l' \4 X1 a' U
z: @* b/ T- T8 V& }# n
BOOL IsSoftIce95Loaded()1 P5 q$ S G& L! r9 }
{# q/ O2 P/ Z0 \! l8 o
HANDLE hFile; 5 p/ \& l. A8 `) t( x( \
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,6 |# s% n- x) `/ V3 u: x! h
FILE_SHARE_READ | FILE_SHARE_WRITE,- g5 W# u( m2 b8 ~
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 H) I9 @2 {6 I if( hFile != INVALID_HANDLE_VALUE )7 p; t% \: a9 A
{9 ? I% Z; p4 [* F$ D1 Z
CloseHandle(hFile);) @; w$ `. W/ f" M S
return TRUE;
5 a7 h9 l* Z7 ?& Z3 h }. h3 a- D/ `& E& H
return FALSE;
" y. n: ]$ x7 S; n7 L; F) r) |2 ?}
) w* i4 F$ G' c- Z. A% Y1 L$ d( n5 y( A
Although this trick calls the CreateFileA function, don't even expect to be2 g7 x+ `0 ^5 A9 I! }4 n
able to intercept it by installing a IFS hook: it will not work, no way!1 f( N2 x$ q% Q7 `
In fact, after the call to CreateFileA it will get through VWIN32 0x001F' ]8 }0 [& o7 _0 W E$ j+ g
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
1 S2 [& O: T; o+ u9 t% tand then browse the DDB list until it find the VxD and its DDB_Control_Proc
& L1 z7 s* |# L6 ]6 l6 \! J( x8 ofield.
9 s1 r$ H( Z! q, ^In fact, its purpose is not to load/unload VxDs but only to send a # O5 J: Q1 h5 c2 v
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 `) ~ r% }* \& \1 |
to the VxD Control_Dispatch proc (how the hell a shareware soft could try" M& x9 h8 P( C) {, f9 E, b( B, `
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
7 n7 h+ t# |5 q' t2 j5 |If the VxD is loaded, it will always clear eax and the Carry flag to allow
% F- c" t. o$ W- \; Aits handle to be opened and then, will be detected.3 z: J) z5 f9 J$ w/ Z! S
You can check that simply by hooking Winice.exe control proc entry point
" r) i# o3 b3 }1 Ewhile running MeltICE.- h( G+ t$ C7 |5 z
: S- k0 ~& r) L, A$ i9 ?( u
0 l0 W1 T; A) G: N: w) k; r% c 00401067: push 00402025 ; \\.\SICE4 m/ g' n3 n" m
0040106C: call CreateFileA
. ~* f/ Y) N5 F# G& @/ \ 00401071: cmp eax,-001$ k9 Q y9 U- ]
00401074: je 00401091
# r. \, H/ @9 p' u4 ]3 X' ^) k0 i7 M' _. E5 i/ x
# r6 k3 T& D# b/ w
There could be hundreds of BPX you could use to detect this trick.1 @! M E. j5 T" ?9 D: x" O/ t
-The most classical one is:
& ?9 R" i6 r. U" o! Y BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
d) m; u9 G2 i6 L& B1 f) I *(esp->4+4)=='NTIC'
( _ P: G, }2 H$ w1 U1 Q) t* H8 H1 Y; K5 g( |$ L: a4 X+ J; @+ y
-The most exotic ones (could be very slooooow :-(
4 s2 E2 |& R6 Z5 X BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ( `; ] j. @5 S& ^
;will break 3 times :-(
. W) z2 {1 ?2 u# j' _/ t9 H& q$ J3 d$ L2 q1 \. x. e
-or (a bit) faster:
* v+ s5 k$ ]/ u3 W3 ?$ [9 y BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
z X: }9 v, o
& S7 s5 K8 k+ Z" Q# V0 ?. l BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
@. K( S9 V) z- n0 ?. { ;will break 3 times :-(& E ?" ~+ V. O$ o6 U( ]
3 N2 x$ R) M+ M ^" D' S7 G
-Much faster:8 s( W: _8 W; H% v: i9 C* r
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
2 Z2 s' I! i& O k/ S; |$ D$ _
7 _( t- p/ j- b1 r! c* I6 J GNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
. y. ^" g. j: I( A7 I' ]function to do the same job:
% G4 l7 Y4 g2 V
7 P1 T g. ~9 x0 }* z5 s, ^& G push 00 ; OF_READ
5 v$ o2 B1 \7 ^* s* L mov eax,[00656634] ; '\\.\SICE',02 X6 s: i( I; d5 L% j
push eax# p) |- Z: J8 ?3 G @- K& |1 X
call KERNEL32!_lopen; _4 ^" t' o4 ]9 S
inc eax' y, s8 G! w- c" r. q
jnz 00650589 ; detected2 f. ~' \/ j' v/ ^1 h
push 00 ; OF_READ
+ l9 A' V4 N. k- @! \ mov eax,[00656638] ; '\\.\SICE'
4 r# P$ Y7 S1 J push eax% W7 ~; s; i7 u6 ^
call KERNEL32!_lopen1 n' x! U; T$ {) u4 ]; }
inc eax" ?3 a+ w8 t: @9 n# m
jz 006505ae ; not detected
; S: X( [0 E X$ d6 k9 U A3 j
% u! D' L7 _, k6 W, R( \: O3 `' _% W
6 o8 _' ?& Y3 y. p# q; G- |1 G__________________________________________________________________________
! F& G# _( Z3 u3 \- {; y( q- @: P) o/ B# S/ C5 @
Method 12
$ M \/ V+ v: w5 g- Z=========
) h% w5 l; }+ ~/ A' a7 u6 P% f4 Q3 T; w) p" q' P. r
This trick is similar to int41h/4fh Debugger installation check (code 054 T! S1 q- C, D5 h# y3 |
& 06) but very limited because it's only available for Win95/98 (not NT)% I3 G0 T) ~/ c- J0 F
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.0 ]) J4 A' B, t
8 S" j" F- ~9 `
push 0000004fh ; function 4fh9 L$ n. l# F, v
push 002a002ah ; high word specifies which VxD (VWIN32)# M" }3 Q0 N9 F/ V6 C
; low word specifies which service4 Q5 k7 I* O8 {
(VWIN32_Int41Dispatch)
! y* L1 s' j6 u3 n7 D% K call Kernel32!ORD_001 ; VxdCall
/ M" c. f/ U% k9 G1 m7 ? cmp ax, 0f386h ; magic number returned by system debuggers: `8 v9 h* R5 G9 w, p
jz SoftICE_detected! a$ Y' m) N9 t: b1 {- g0 d
9 e& n: n$ ^! m' X) sHere again, several ways to detect it: |8 ]8 {/ v; P) B; F# g
" Q+ R: U" ]; w1 h: ^( p BPINT 41 if ax==4f
7 W5 K. P/ I! _+ d' e9 {: m) ~6 ~% g# `2 u
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one4 s# Y% Q" b& b+ r5 ]
1 P. ~0 g* _$ j0 \: [" _$ ~
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A2 k( g+ o/ ~2 l9 _0 m
( a( c1 [3 ~3 Z$ l; p
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!9 I( R6 Y' j$ Y/ T
% v5 Y1 Z* r- `* E2 q; a__________________________________________________________________________
' n7 D+ }# r: j& ]% k; b1 z i, C
1 G8 @" H- b3 F* I3 w/ wMethod 13; m. v3 N! g7 V4 E3 H
=========, s7 F! N) m. V Q0 w+ I
) e/ z4 i6 A' X% |8 g
Not a real method of detection, but a good way to know if SoftICE is3 K6 c2 U0 `# H6 O
installed on a computer and to locate its installation directory.: Z5 k' g; E K, F0 K
It is used by few softs which access the following registry keys (usually #2) :
8 O, n q) P4 _ V- }8 u+ P3 \
3 S6 c( P3 Q% x& D: l! D-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 O, r5 q- Z( P8 U7 I! Q5 P7 @7 ~\Uninstall\SoftICE4 |( G! \" t( E; J
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' O9 b2 E7 a+ {6 N
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- R9 Y! e4 m: O2 f\App Paths\Loader32.Exe, t5 e' X& U% z3 c4 C3 b: L y
4 r; |& T, D- _9 h1 g+ {" n
. n1 a! ? y* r* h' e: M9 }Note that some nasty apps could then erase all files from SoftICE directory0 Z+ x- K: a }6 H6 h
(I faced that once :-(
" O3 W* _! R+ t3 F8 a# R A5 ?
* }$ h% J! x: L( P+ S* zUseful breakpoint to detect it:: o6 ^ [# b" v8 Z* |7 m
9 C$ H6 `" q2 Q% `! J; c
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'" Q6 \/ k3 L v+ D# J U! S( o4 v4 ~
; N8 y! j% @' v* R
__________________________________________________________________________
* A, a G8 g3 A& {
) l- d2 w0 v6 l8 k8 n$ a0 _
. S- F2 ]& I. B* H* I/ h1 B, fMethod 14 ! G9 r$ G4 I6 |0 S& }
=========5 i* A: n$ \8 t7 B! Y% u) M5 C+ G3 @
) n- a4 Z" a. n# a6 s
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose7 N4 h- V2 e; {3 Q
is to determines whether a debugger is running on your system (ring0 only).$ \6 q4 r8 y$ M; p, u) U. x
* V/ c8 U2 E- E- L/ c
VMMCall Test_Debug_Installed
' {. g0 Y5 H* @6 u- G je not_installed1 i, @" T5 f! P) o4 S
: N0 G- x. I" nThis service just checks a flag.
! x( O6 i: h' B6 E0 ~4 X! j ? f6 z</PRE></TD></TR></TBODY></TABLE> |