<TABLE width=500>
) O' @8 ?+ M; H! n<TBODY>0 k# n. N8 a- W! c( \: w9 c
<TR>' s9 O/ n1 s# T- E8 H5 x
<TD><PRE>Method 01
+ O6 y4 A6 f& t' \" d' o=========$ K3 t, U" _- [# N* P
: ^/ d, Z X7 W# }) j0 @( Y
This method of detection of SoftICE (as well as the following one) is; G D4 B$ l* s k
used by the majority of packers/encryptors found on Internet.3 ^% u+ F9 f' m" @0 h m7 j, z% P
It seeks the signature of BoundsChecker in SoftICE
' i& A0 {0 q! R( J$ z3 t# k* p3 E* D* {8 z7 f3 D' [* X- |
mov ebp, 04243484Bh ; 'BCHK'! I6 p, A$ H' a4 ~9 }
mov ax, 04h
: y9 Q5 K; P3 r I5 u4 s9 s int 3
9 m; F% }; K3 g+ o/ }* i6 G cmp al,4
p3 s0 O, M5 g& d jnz SoftICE_Detected5 w" ]/ p. E0 x; T* ?) l/ E# X
5 `$ h2 N7 l; o+ e: D& U___________________________________________________________________________& |, F6 v8 L% J( x
4 \, N5 b/ W$ N4 z$ }* pMethod 02' M' j4 a; k" Z
=========, N6 [) Z1 i$ U! x# w; j* e' O
" l( H2 ?, j+ g* r) Q
Still a method very much used (perhaps the most frequent one). It is used
h( r0 b, K# V% M' sto get SoftICE 'Back Door commands' which gives infos on Breakpoints,, N& F$ n% X8 N7 Y. C3 E
or execute SoftICE commands...
& S% M0 T) T. {/ j* v9 TIt is also used to crash SoftICE and to force it to execute any commands
E* `) c; C' o" [4 `2 z% B w, R(HBOOT...) :-(( ! g! `! \* a. T& _% ?
, @, ?5 B/ Z. u" ?" h
Here is a quick description:
6 x% W& C# ?. S7 l-AX = 0910h (Display string in SIce windows)2 T$ L1 n; Q2 L& R2 }5 Z' F
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
" S, E: r3 T% g( P% c-AX = 0912h (Get breakpoint infos)) i' ^& w$ J! n- B, Q' W3 ^! B; t
-AX = 0913h (Set Sice breakpoints) Z. V- K" P2 _0 b! U
-AX = 0914h (Remove SIce breakoints)
" B( D5 a. Z& S) z2 f* H3 m* X8 Y- L
Each time you'll meet this trick, you'll see:0 y l" ~( T& B7 N: w" @( I
-SI = 4647h9 J" o! d9 Z, O0 K. [
-DI = 4A4Dh0 E r1 Q8 w# z# v& x
Which are the 'magic values' used by SoftIce.6 S4 J. \) T0 ^/ z. V% j i
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.0 t0 l/ G: m0 C
) V8 ~9 z. r( w* Z; GHere is one example from the file "Haspinst.exe" which is the dongle HASP( V: L' @# o. j( E4 Z% b. n
Envelope utility use to protect DOS applications:# X3 `3 Y6 h+ N
4 Q4 n9 o4 z# o5 k; V$ Y
" {* z9 _7 {8 g+ v7 A7 r8 ^4C19:0095 MOV AX,0911 ; execute command.
( x; a- R- @2 a; G. Q+ j7 o4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
6 u1 h0 q6 s* v# w4C19:009A MOV SI,4647 ; 1st magic value.. E8 T/ B9 M" u- I& r; ]& w0 Y
4C19:009D MOV DI,4A4D ; 2nd magic value.3 C& Y( `2 I7 K5 R/ k+ z) a
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& ~# b% h6 F4 [! b2 l# j; p6 ~4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute4 b0 ^0 Q8 b/ T: z! f- |" b0 M
4C19:00A4 INC CX
& s- i1 [. V' a! H( m' z5 A4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
T0 h/ f* z- x# C, A4C19:00A8 JB 0095 ; 6 different commands.2 ^" N. N* e- d; V" _" z+ a
4C19:00AA JMP 0002 ; Bad_Guy jmp back.9 _- q2 Z0 ]% p8 a, ~( W \$ x
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
! C3 r, b# o6 t ]3 ~$ L! y) T7 I8 P4 C$ j7 N( u) G4 a. T
The program will execute 6 different SIce commands located at ds:dx, which ~8 F* Q& T8 ^, J
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* K4 q! p# _ v& {, }7 {0 L) ~
# b1 ]5 ~; Z! v( }
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
2 o8 a9 \$ {9 b1 K' w% z! X z& J* A___________________________________________________________________________5 I4 Z' u9 }) p0 l. ^( I
6 x( F1 \$ k$ [
. ^5 Y- ?# v" w. x& S- C9 c3 gMethod 03
) {" W% ~6 o. l$ `=========
1 K+ {( m. g3 r% u9 ]/ w+ V2 l, l7 W- O* s- x/ R7 a9 U8 @ n
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
) @, }# F& i8 _: R! j& i(API Get entry point)- ?3 `( y! {' `0 ]: `
( Y/ Y8 v# `( S3 |7 @" h
6 U+ Y& z5 E6 x9 w" p, c xor di,di2 T/ z+ L& W8 e5 |$ ?# Y
mov es,di
: U& L* D$ n0 b+ q3 H6 Q7 i/ x mov ax, 1684h
5 v" g5 p |# [. H mov bx, 0202h ; VxD ID of winice
6 e4 G- ?* _) ^3 E; [7 X! X0 W int 2Fh
2 J1 |. h# U; ?) }1 V' }3 Z mov ax, es ; ES:DI -> VxD API entry point
5 c# W. s6 B' o& {" H add ax, di
6 z! {9 w/ g6 I9 T test ax,ax9 w( G6 I1 W: @) |9 f- p
jnz SoftICE_Detected
8 V7 Y7 |' R: ^' e. c( Q8 m* U5 w* b
___________________________________________________________________________; Y" |6 ^: X2 u% J5 d, j8 |
0 b0 u1 }( i6 e* H1 h3 [Method 040 o6 B3 a* h e
=========& y% f" F0 W9 } l0 G* \( G
4 C) Z, E0 c0 ~# n' E5 H
Method identical to the preceding one except that it seeks the ID of SoftICE& X+ `* f# F }) B- _& V) I
GFX VxD.5 ?0 Q3 P* O7 M$ Y7 R) |" Z# O
, N. A# z& G( P* E" ~4 D& j
xor di,di
9 j8 J$ [" ?( n mov es,di8 a, r1 q0 n/ Y( d. h- |
mov ax, 1684h
& y6 U( i6 z: Q! v: h" e mov bx, 7a5Fh ; VxD ID of SIWVID! S T# y2 j4 Y* ~9 E
int 2fh
4 t2 ]' J- R! W5 {2 D4 a mov ax, es ; ES:DI -> VxD API entry point; x2 ~- n o2 k; E X: c
add ax, di9 B3 \* l& {! e
test ax,ax
% E+ F8 h5 S" T$ ~ jnz SoftICE_Detected
! k7 S, s( ]( E2 y' y$ H7 e% f/ Y H1 h4 w7 V8 |0 m
__________________________________________________________________________/ F' l6 E8 y7 @/ r
4 G4 Q9 r$ i- i+ j& {+ w" H) z5 l) a, T" @8 h b: R5 P# l+ d
Method 05% H; T2 V& `9 E! z$ A
=========( c$ f r5 z) g3 _
8 Y) K: J3 h# O: M( b# ?- gMethod seeking the 'magic number' 0F386h returned (in ax) by all system
, O( A) \! [! W/ K6 B* \5 Adebugger. It calls the int 41h, function 4Fh.
2 R" [+ x6 y( _# e9 p5 H) Z- }There are several alternatives. v1 H' T9 N3 j( L( [1 z7 n" D" I
0 m. u; E# i( t3 g" T# u- xThe following one is the simplest:
: D. \! v( R; V' H \% I
/ S, ~1 y% ^9 ` mov ax,4fh
: g4 |0 b* ?' `9 u int 41h
' |) Y. E4 F7 z) {$ _, Q* B1 ?+ `! ]1 D cmp ax, 0F3869 G0 E% f6 w: g1 @% Q0 i
jz SoftICE_detected
, \) y# ~# n, v! b$ B
& M9 M/ q/ i, ^1 r' L h. h5 t
7 \ ]1 X6 o# y9 Y% GNext method as well as the following one are 2 examples from Stone's
" _) U. |) y. S- v6 |: i1 \"stn-wid.zip" (www.cracking.net):
d5 Y3 l- x4 h6 z. g; N, @/ h7 j% N4 e! t& s; x6 u v
mov bx, cs ^: H* B" n4 d" s8 E% \! y. y i
lea dx, int41handler2
! p4 L& n9 p* G, A0 G4 I1 v! [ xchg dx, es:[41h*4]
% ^# ~ S5 X" }+ ?* l1 U9 G, s2 Y w xchg bx, es:[41h*4+2]
' X, p/ ]4 D1 P& X4 K mov ax,4fh! t, p4 D- l7 _- y
int 41h* z* n1 K0 X6 m" B; j2 ~- [
xchg dx, es:[41h*4]
* j. F# ~0 k6 { xchg bx, es:[41h*4+2]
; w7 c ?" x6 p( a8 v! `5 F& ~* r cmp ax, 0f386h
4 g. z$ E) }$ T8 \8 [ jz SoftICE_detected) ~5 y) I# |3 [
8 M4 C5 ~* R, R# O7 t! h
int41handler2 PROC9 m3 x+ E$ o0 _2 X# s5 b0 ~* @* k
iret
! R- U% U( h" _" M* @int41handler2 ENDP8 m5 Y* H' k- x( g/ ~+ T: b
% `1 {& l9 k" g2 X( y) }8 u
% T4 }; A# n* f' P_________________________________________________________________________
5 R5 |2 ]7 C& T0 m6 j
9 j& _5 u. Y+ d$ Q4 R8 r5 ?! Q5 s" m v
Method 06
. j0 P) l7 ?/ b2 D6 q=========$ E6 x# N, z2 E6 A; {; I) R U7 ?
5 N1 P% u- R1 _% x# W0 g& Y3 p4 W( C% W* M
2nd method similar to the preceding one but more difficult to detect:
- X: P5 `$ B1 D# _2 X! J% M1 x: C" ~: s& v% I& } N! W( g
; a# a& G8 h' w+ bint41handler PROC
/ @! b& ]/ U: z) a: A mov cl,al
1 |- D8 d* n% I* f2 R) s iret
8 b0 n% T2 @7 _* z4 k+ _5 K# @int41handler ENDP
9 x* n$ I1 r4 K' S* z U+ w. d
% ]5 y3 D/ M1 j6 y5 \2 T
) g" b2 K/ g) c! I& J& c xor ax,ax- m8 k) ^) h2 z, T
mov es,ax4 | _" n# A" O& _" n
mov bx, cs4 O2 w7 p! @# d
lea dx, int41handler2 X/ A( q( `3 F( M) B, h1 P
xchg dx, es:[41h*4], C% J/ p& |! s P7 N C+ c" r
xchg bx, es:[41h*4+2]
/ u( t+ [* U z, A- T in al, 40h! B% m1 J* {/ L6 h Z: v
xor cx,cx; _5 I8 C* h' A/ [8 R. g: m$ R
int 41h
- e6 R" p3 Q3 F2 x2 H xchg dx, es:[41h*4]
& v. s& y& n3 z. h* J xchg bx, es:[41h*4+2]* E7 j- b; w z+ o h8 C4 j
cmp cl,al- g4 |" p4 P0 M( n" r
jnz SoftICE_detected8 C0 h1 \- J; I. d |
; l& e5 r9 }5 G; `
_________________________________________________________________________/ d" [ C! l# a& p
0 f- a5 G+ n1 R5 z5 \Method 07
" F4 q9 j8 u+ v. {- C1 Z) ?3 h=========: k! l0 \) C1 E# W6 a6 C( P' J
+ C* u( }6 Z6 M4 L# Q, f. M4 CMethod of detection of the WinICE handler in the int68h (V86)
3 ^; [6 ]! W# A& o V( k/ U( T4 N: c6 v
mov ah,43h
: `+ X4 m/ u6 n ?4 k, w6 U int 68h
6 t7 R8 @0 b6 D8 h cmp ax,0F386h. |7 y* E" }, ]$ W# c; n7 W
jz SoftICE_Detected% s+ u# ^& ^$ V/ `, N
; z0 p) N9 Y2 z, j) `8 M
. @, q/ D% c6 S0 y, Z% O l2 Y8 {
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: O0 _3 p- E9 q+ U5 B- r
app like this:
( i. E, W( y* B0 N( S! l1 k
n" [! ~( J% @' e BPX exec_int if ax==68
" x( s4 r6 o4 z5 V+ N: B9 W (function called is located at byte ptr [ebp+1Dh] and client eip is
; d# S1 [/ K: h( I3 c. C located at [ebp+48h] for 32Bit apps)
( m; ?! m! b, v5 K4 `9 ? p9 U( W__________________________________________________________________________
( l4 O4 w. \2 i) U+ L
& c/ l5 t- a# }
5 r9 _3 z% }9 HMethod 088 m8 C: q" X, `* M9 L4 v
=========
! B1 Z6 B$ S9 e' N0 N* `; v- B6 t& v Q; j% H( P
It is not a method of detection of SoftICE but a possibility to crash the' T( D ^. Y) `3 Y$ X
system by intercepting int 01h and int 03h and redirecting them to another8 N# Y& q1 a [$ c; r
routine.
# X3 x# f# e* gIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 F$ Q6 y; U$ A# Z0 H$ T. e
to the new routine to execute (hangs computer...) N3 m2 r3 n8 S# d( q( h, L/ f
2 V7 b# d8 E G
mov ah, 25h6 j8 B" l I! g6 t7 o. W' k
mov al, Int_Number (01h or 03h)
1 c, \1 k8 P; m% L mov dx, offset New_Int_Routine& z1 X" ^7 M- J, O2 _) B
int 21h- M0 d& T8 ~' `
* h' d3 _* } n5 v- p
__________________________________________________________________________
$ n1 k1 M" b2 Y6 A" Y8 K3 ]" y. g4 ?
Method 09& P, D3 T" S$ P! B! l3 o; K4 `8 H
=========
+ c* N+ p0 A3 J* p
: M: N( X, ^. }% eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ w0 p& o: h2 B4 I" O% U& F _performed in ring0 (VxD or a ring3 app using the VxdCall).
+ Y# f$ w/ i/ U2 \. p- dThe Get_DDB service is used to determine whether or not a VxD is installed2 F* |. [7 [2 S' ?8 U
for the specified device and returns a Device Description Block (in ecx) for" ^6 ~8 @# v u$ P% N, g
that device if it is installed.
; @/ o+ z r! b
1 R3 b# g0 [& m( ` @ v5 C mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 R7 F7 J7 \: e& J
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
& h, E; F: G n1 u VMMCall Get_DDB+ @- a+ \- K" X1 u, n$ `
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
2 |# j8 ^. x2 E3 @
5 p) [) _' ~+ A9 Y, p- pNote as well that you can easily detect this method with SoftICE:# T6 u6 A& c- V, ^' e x, F7 X' x
bpx Get_DDB if ax==0202 || ax==7a5fh; m" }, ], G/ Z
+ j& b. _' A; L& r& ?+ n( S) E
__________________________________________________________________________% k/ x" p7 a1 ~
6 p& X/ S8 Q- j: ] Z/ c
Method 103 t1 x5 n+ t% ^/ v* F
=========
4 C; ~5 O& F7 m1 @
+ f0 q. I2 B1 X2 S5 p) `1 m7 [=>Disable or clear breakpoints before using this feature. DO NOT trace with* R0 z; D/ {5 z, ^ l& t" e
SoftICE while the option is enable!!% R0 j% d: J, w: d
1 i( R. G6 q0 j. HThis trick is very efficient:( Y' C8 C2 T$ i% I& B! G( u
by checking the Debug Registers, you can detect if SoftICE is loaded
' }2 G, b* h, J; ], N7 Y(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if' w7 A+ e' v0 l2 M
there are some memory breakpoints set (dr0 to dr3) simply by reading their' w6 ?1 w$ @* z
value (in ring0 only). Values can be manipulated and or changed as well! p! j2 R$ l4 H! c
(clearing BPMs for instance)! w! T( v, X% P$ _) Y7 H. H
3 S' [/ D) @0 _/ w" U__________________________________________________________________________8 }$ U7 J% A% Z. h/ o
# F% A9 [' E3 d5 ~0 l+ _( GMethod 11
) O" a( w+ w2 n; T9 |=========. \7 } z5 K: m3 S/ D
" m+ |/ y" s1 G- zThis method is most known as 'MeltICE' because it has been freely distributed
, C- K8 T6 }, v8 w$ n. f4 xvia www.winfiles.com. However it was first used by NuMega people to allow
+ { v1 E0 j/ T. F! b9 O BSymbol Loader to check if SoftICE was active or not (the code is located
& [5 T* Z; G6 C8 G7 Ainside nmtrans.dll).
) i2 h( O+ y* n0 T; P7 S$ }# }& x
2 l" S# D' L0 u. j8 L: LThe way it works is very simple:
! m+ G$ o1 s1 C. CIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 e6 f$ l* U9 c F; D# S
WinNT) with the CreateFileA API.
/ y) `5 F, [3 z( ^) {$ c$ x
% C, D6 [: \8 _4 j; {1 J+ e" o- NHere is a sample (checking for 'SICE'): O) U8 ?! ~1 C4 N8 [+ X* U
7 _2 \ h% @7 C5 l7 N0 a9 [BOOL IsSoftIce95Loaded()
* P0 w6 r) @7 g- ~4 O) i{/ m8 P4 M; `% l7 i: Q
HANDLE hFile;
- p$ E6 n% n- a( Y$ Y+ S X# w$ L hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
' O* W7 n# w2 y- n% y4 @ K$ y FILE_SHARE_READ | FILE_SHARE_WRITE,& y2 m5 P4 v! o
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 Q, H9 q$ E. L E- p4 A$ h3 V
if( hFile != INVALID_HANDLE_VALUE )
9 }# s$ D. C1 h: v- y; Q8 L: [ {' G+ F b) ]: ?5 r( x# \9 Q
CloseHandle(hFile);/ Y! y! p `1 v) |2 M
return TRUE;
0 H# v, ]! W; C5 S1 }7 _ }
) E* m0 Q4 a, P1 @/ a: z* [( d return FALSE;/ ^/ [/ Y+ q0 h4 L' _
}
+ Q1 c. _9 g9 T5 \/ Q
! S! }% z- [1 a! c" eAlthough this trick calls the CreateFileA function, don't even expect to be7 H( [+ X* r; h: Q; J4 }- K
able to intercept it by installing a IFS hook: it will not work, no way!- X" \- i/ ^% M+ N
In fact, after the call to CreateFileA it will get through VWIN32 0x001F) H% Z- t/ S) J, J) F: {0 Y; U3 R: g
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" Z' r4 Q; ~* _
and then browse the DDB list until it find the VxD and its DDB_Control_Proc6 u& z8 q# h# |/ N* g
field.
5 x. k6 q4 [4 |+ w P- w; YIn fact, its purpose is not to load/unload VxDs but only to send a
; i- g% f9 m d! C, g+ ^; rW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
# z- S( j3 Y8 D8 b3 V6 n. oto the VxD Control_Dispatch proc (how the hell a shareware soft could try1 J7 G6 e7 F- |8 d8 O' e+ E. M
to load/unload a non-dynamically loadable driver such as SoftICE ;-).' w, Q! G7 ^1 I( K& N# E* j: I$ W% Z
If the VxD is loaded, it will always clear eax and the Carry flag to allow @( o* B* F$ u
its handle to be opened and then, will be detected.; |& r* B; @$ e1 ~
You can check that simply by hooking Winice.exe control proc entry point/ L6 _/ E. V4 l
while running MeltICE.3 k6 |% x2 V% W) b$ |
* K- D4 D% y. `* V# }' ^! n. }7 {' R7 Y6 h. i
00401067: push 00402025 ; \\.\SICE: g2 V3 b0 n1 J. ^) k. K; Q" }( i
0040106C: call CreateFileA3 x: |( `6 |! Y! U; B
00401071: cmp eax,-001# w& Y/ ?, b4 y' N6 a3 D/ O
00401074: je 004010919 A: B/ j) O! g
- x* T* l: B7 g. @
0 F3 i4 {) G- l* ~! G' D7 gThere could be hundreds of BPX you could use to detect this trick.
7 A) d5 M7 S. y' s' n-The most classical one is:# u9 }, z* @& ]7 t0 l4 `
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
$ S, y5 I j( J& Q8 C *(esp->4+4)=='NTIC', q' u1 ]) R0 ^ U- R2 ~2 n9 e
8 I. ^7 h1 b6 z; X2 I3 C
-The most exotic ones (could be very slooooow :-(. S( m2 n9 r0 s# m' i
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
/ t* o( x% _5 ^8 u# {) |$ ]5 G' |* }( y/ F ;will break 3 times :-(7 M$ H2 J/ k8 s! `! g) c( k
* L! E( S @+ J/ c/ ^
-or (a bit) faster:
8 j6 K0 k1 @; |. a+ p+ c: Y BPINT 30 if (*edi=='SICE' || *edi=='SIWV')8 o# s2 K) p+ C& j
" j: x* {* M4 _! ~( g G, N BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 0 L) l9 G% Y' I- [9 g4 h0 ^; T m' K
;will break 3 times :-(& a, i! ?5 [2 ~/ t
( V+ g1 _6 m4 q8 Z, |( r-Much faster:( E9 R5 q6 _0 o5 a$ _7 t$ [
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'8 f4 }1 g1 S; t; Z, |
% h5 y$ p4 ^( D" l" _& | fNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
' n- ]! H4 m2 ]. v" kfunction to do the same job:# b y. k6 U6 e) e/ F, v: f
! i% n# U' Z) o0 r$ p# l: e/ c& N push 00 ; OF_READ
5 i0 N! H/ J4 ]0 Y' D/ j9 N- z; g3 P mov eax,[00656634] ; '\\.\SICE',0: m; v/ x4 m" i" o# A/ r
push eax: O! p; Q2 H! n# X) V* i# y" O
call KERNEL32!_lopen2 V% g; O: u3 J# E
inc eax
: {+ O) v: V9 M/ h jnz 00650589 ; detected
( b" I5 N; X( l push 00 ; OF_READ
5 Y0 ]# Y1 x* ]3 p& V7 A mov eax,[00656638] ; '\\.\SICE'0 Q/ W$ K% X; z* s/ X) k' ?: x9 L5 k
push eax
4 F3 K% A3 V, W9 G+ ?& ~ call KERNEL32!_lopen' W+ G7 h5 u: ~- I
inc eax
, z6 Q$ A1 I% y- L. F jz 006505ae ; not detected
( }2 f' y# W* ]# S; f: D1 I8 p
7 [3 `' b, s5 i! n% e8 j9 U* L& o' r8 B( `7 V( e' x; q- N
__________________________________________________________________________1 S6 k o& }1 w( ~3 z& Y+ A1 e7 c3 S
' h( ]8 k, ~7 |, z! R
Method 12' {+ K: \6 [+ H- m S! g
=========
" ^; M' T+ Q; C! G
! @' D9 y* _7 b, X( eThis trick is similar to int41h/4fh Debugger installation check (code 05
* C; U# V- T$ y' @" _: M/ _2 Y' c7 Y9 b& 06) but very limited because it's only available for Win95/98 (not NT)# N6 O1 E* |6 W
as it uses the VxDCall backdoor. This detection was found in Bleem Demo." N4 E2 f' K+ |2 r; _/ Y
% `+ m2 n& M( G/ R$ l push 0000004fh ; function 4fh
9 A9 g/ k1 n$ ^* L0 q: n& x* J: g3 i push 002a002ah ; high word specifies which VxD (VWIN32)
( V! ^9 q2 W* u ; low word specifies which service
7 G1 h# M/ G* R/ k6 A" Q (VWIN32_Int41Dispatch): ]* V4 s- n/ J
call Kernel32!ORD_001 ; VxdCall+ O/ L; l9 m$ o+ [6 C% H8 K: j
cmp ax, 0f386h ; magic number returned by system debuggers; i' I' s' o% Z. d" ?5 Y' p
jz SoftICE_detected: e' n1 ~8 E% J1 _* d
" v% I6 S0 j4 t' ]- gHere again, several ways to detect it:
$ f b4 c* h: }. n3 s4 m8 l
( M( { m( D3 Z+ p+ H BPINT 41 if ax==4f
, g; m; i% s* k: `: f6 H
2 C8 |+ }5 g# E. i( k% \+ a, ~) y BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one. `+ N/ Z& M# [' e6 M+ W, F
- K0 V. k, j" y o( y/ o BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
5 R1 `% L/ ^- o, g( s; k1 i( W9 J" M7 y/ D) X1 O2 G$ w/ b7 k
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!2 ]6 S5 G9 G$ H9 R
: A( ~0 d1 K4 Z0 x8 C# |__________________________________________________________________________. i2 T1 @/ N/ }/ U$ J
; b, n, f2 s" l- [" | {
Method 13
( z D1 Z, k, O: `4 y5 d=========, W3 `- f1 K! W
. w/ r! H0 i. x6 v: `
Not a real method of detection, but a good way to know if SoftICE is7 F( \0 H( @! B" T
installed on a computer and to locate its installation directory.5 W. m4 b5 p) n+ i- @
It is used by few softs which access the following registry keys (usually #2) :
5 a, t: _ a, x* k# k! S: D% Y
2 W; I5 U2 K) \; q W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 l: k& f# P; B/ X
\Uninstall\SoftICE
: s. h/ ?1 X, L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE5 E- p" W# S l7 r9 U! L
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" q; I3 ]$ a6 l( S# E
\App Paths\Loader32.Exe
4 i' o* y: d5 L3 s4 w. k9 O' U8 Q: @9 Z
( g' E/ q3 U5 H. O W3 S
Note that some nasty apps could then erase all files from SoftICE directory! ?2 [- r; w$ m/ {
(I faced that once :-(0 Q' I& {% V4 N* x
7 K. s$ J9 W* m( ]! T; q3 F& o
Useful breakpoint to detect it:
2 R% J; |& o- z5 Z' s! L* @! t* b6 C: }- v! Q
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
- @# m4 o8 r4 R3 J0 U# {7 b3 h" o6 J- c. P1 T: H
__________________________________________________________________________& }# N# o$ g' I3 u5 |- Q( P
$ X; B) v! J1 K; z; y! Y
* j( x- C0 N& o" cMethod 14
# G& Y. }* p9 @1 C: F=========* Z' |1 \+ @, k9 q
0 m& |8 i9 I! ^, {A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
1 |$ `8 r# K/ t- X/ k1 n2 Ois to determines whether a debugger is running on your system (ring0 only).
: i6 t, \; F4 P4 t7 h
/ ]: i' s+ A9 G( B- i2 Z& p8 N VMMCall Test_Debug_Installed; N) V: O k# a: t- l
je not_installed
" s0 s% g9 ?) }* p2 \7 U8 u+ q* a9 v: C9 R4 x
This service just checks a flag.
O O1 ]3 P- ~% [6 {* [</PRE></TD></TR></TBODY></TABLE> |