<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises on int 3:

    mov ebp, 04243484Bh  ; 'BCHK' - BoundsChecker signature
    mov ax, 04h
    int 3                ; SoftICE's int 3 handler answers the BoundsChecker request
    cmp al, 4            ; if AL was changed, a debugger handled the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h    ; VxD ID of winice
    int 2Fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di       ; ES:DI stays 0:0 when the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh    ; VxD ID of SIWVID
    int 2fh
    mov ax, es       ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax              ; ES = 0 (IVT segment; set explicitly here as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our dummy int 41h handler...
    xchg bx, es:[41h*4+2]  ; ...saving the old vector in BX:DX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h         ; our handler leaves AX as 4Fh: if the magic number
    jz SoftICE_detected    ; comes back, something else answered the call

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al              ; our dummy handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax              ; ES = 0 -> the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]    ; install our handler, saving the old vector in BX:DX
    xchg bx, es:[41h*4+2]
    in al, 40h             ; AL = timer channel 0 count (an unpredictable value)
    xor cx,cx
    int 41h                ; no function 4Fh and no magic number to match on
    xchg dx, es:[41h*4]    ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al              ; CL==AL only if our own handler ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
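
Added example (not from the original text): a small Python decoder for the DR7
layout, so the two values quoted above can be read field by field. 0x400 is
just bit 10, which the CPU always reports as set; 0x700 adds the LE and GE
bits (8 and 9), and any BPM shows up in the enable bits 0-7 together with its
type and length. Bit positions follow the Intel architecture manual; the
build_dr7 helper and the sample values are constructed for the demonstration.

```python
"""DR7 field decoder: what dr7 = 0x400 versus 0x700 means, and which of
dr0-dr3 are armed.

Added example, not the author's code. Bit positions follow the Intel
architecture manual: bit 10 is reserved and always reads as 1, bits 8/9 are
LE/GE, bits 0-7 are the L0..G3 enables, bits 16-31 hold R/W and LEN per slot.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding; 0b10 = 8 bytes (64-bit mode only)


def decode_dr7(dr7):
    """Return DR7's global flags and the list of enabled breakpoint slots."""
    info = {
        "reserved_bit10": (dr7 >> 10) & 1,   # always 1 on a real CPU
        "LE": (dr7 >> 8) & 1,                # local exact breakpoint enable
        "GE": (dr7 >> 9) & 1,                # global exact breakpoint enable
        "GD": (dr7 >> 13) & 1,               # general detect: traps MOV to/from DRx
        "breakpoints": [],
    }
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1
        global_en = (dr7 >> (2 * i + 1)) & 1
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        info["breakpoints"].append({
            "reg": "dr%d" % i,
            "local": local_en,
            "global": global_en,
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        })
    return info


def hardware_breakpoints_armed(dr7):
    """True when any of dr0-dr3 is enabled (what the text calls 'BPMs set')."""
    return (dr7 & 0xFF) != 0


def looks_loaded_by_softice_loader(dr7):
    """The text's heuristic: 0x700 = reserved bit 10 plus LE and GE both set."""
    return (dr7 & 0x300) == 0x300


def build_dr7(slot, rw, length_code, global_scope=True):
    """Compose a DR7 value arming one slot (constructed sample input helper)."""
    enable_bit = 2 * slot + (1 if global_scope else 0)
    return ((1 << 10) | (1 << enable_bit)
            | (rw << (16 + 4 * slot)) | (length_code << (18 + 4 * slot)))


if __name__ == "__main__":
    # Constructed values: the two from the text, plus one 4-byte write BPM in dr0.
    for value in (0x400, 0x700, build_dr7(0, 1, 3)):
        print(hex(value), decode_dr7(value), hardware_breakpoints_armed(value))
```

Reading the registers is the detection; decoding them tells you which slot a
protector would have to clear to disable a BPM, which is why the warning above
about tracing with breakpoints set matters.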
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00               ; OF_READ
    mov eax,[00656634]    ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax               ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589          ; detected
    push 00               ; OF_READ
    mov eax,[00656638]    ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae           ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
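
Added example, not part of the original text and not the author's code: a
Python static scanner that turns the instruction sequences quoted in methods
01 to 12 into byte patterns, so an analyst triaging a packer or protector can
see offline which anti-SoftICE check it carries (the same thing the BPX lists
above do dynamically, without running the sample). Opcode encodings follow the
Intel manual: 16-bit forms for the DOS/V86 tricks (01-07), 32-bit push forms
for method 12, plain driver-name strings for method 11; a trick rebuilt with
operand-size prefixes or 32-bit immediates would need extra patterns. The Hit
class, the SIGNATURES table and the SAMPLE buffer are constructed here.

```python
"""Static scanner for the anti-SoftICE byte patterns described in methods
01 to 12 of the text above (added example, not the author's code).

Encodings are the Intel manual's 16-bit forms for the DOS-era tricks and
32-bit forms for the Win32 ones; a build using operand-size prefixes or
32-bit immediates for mov si/di would not be matched by these patterns.
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class Hit:
    offset: int
    method: str      # method number in the text above
    what: str        # instruction sequence matched


# (method, description, regex over raw bytes)
SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker int 3 interface)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov ax,09xxh back-door function selector (0910h-0914h)",
     rb"\xB8[\x10-\x14]\x09"),
    ("02", "mov si,4647h / mov di,4A4Dh magic values (either order)",
     rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"),
    ("03/04", "mov ax,1684h / mov bx,VxD-ID / int 2Fh (ID 0202h or 7A5Fh)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("11", "driver name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(m, what, re.compile(pat)) for m, what, pat in SIGNATURES]


def scan(buf):
    """Return every signature hit in buf, sorted by offset."""
    hits = []
    for method, what, rx in COMPILED:
        for mo in rx.finditer(buf):
            hits.append(Hit(mo.start(), method, what))
    hits.sort(key=lambda h: (h.offset, h.method))
    return hits


def methods_found(buf):
    """Just the sorted set of method numbers present, for a quick verdict."""
    return sorted({h.method for h in scan(buf)})


# Constructed sample: NOP padding around fragments of methods 01, 02, 05, 11 and 12.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"       # 01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 02: mov ax,0911h; magic values; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                       # 05: mov ax,4Fh; int 41h
    + b"\x00" * 4
    + b"\\\\.\\NTICE\x00"                          # 11: driver name string
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"               # 12: push 4Fh; push 002A002Ah
    + b"\x90" * 8
)


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print("%08x  method %-5s %s" % (h.offset, h.method, h.what))
```

Patterns this short will also fire on unrelated data now and then (a
mov ax,0911h is a legitimate instruction); treat a hit as a place to look with
the debugger, not as proof, and expect packed samples to need unpacking first.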

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>