<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE implements over INT 3:
the code loads the 'BCHK' signature into EBP, asks for function 04h and
raises INT 3. Without SoftICE the INT 3 is an ordinary breakpoint trap and
AL comes back unchanged; when SoftICE is loaded its handler answers the
call and AL no longer holds 4.

        mov     ebp, 04243484Bh         ; 'BCHK' signature in EBP
        mov     ax, 04h                 ; BoundsChecker function 04h
        int     3                       ; answered by SoftICE if it is loaded
        cmp     al, 4                   ; AL still 4 -> nobody answered
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description (function number in AX, then INT 3):
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmps back.
4C19:00AD MOV BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is done by the INT 03h handler the program installs
  beforehand (an 'SEH', in the author's words): when SoftICE is not loaded,
  INT 3 falls through to the interrupt vector the program set up, which
  resumes at 00AD; when SoftICE is loaded it answers the back door call and
  returns to 00A1, so the loop runs on until HBOOT.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by its device ID through
int 2Fh, AX=1684h (Get Device API Entry Point). ES:DI is zeroed before the
call; if a VxD with that ID is loaded, the call returns its API entry point
in ES:DI, so a non-zero ES or DI means SoftICE is present.

        xor     di, di
        mov     es, di                  ; ES:DI = 0000:0000 before the call
        mov     ax, 1684h               ; Get Device API Entry Point
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; AX = 0 only if ES and DI both stayed 0
        test    ax, ax                  ; (a wrap-around of ES+DI to 0 is ignored)
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh                 ; installation check
        int     41h
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Under plain DOS the int 41h entry
of the interrupt vector table is a pointer to the BIOS fixed disk parameter
table, not to code, so a harmless IRET stub is swapped into the vector for
the duration of the call. Without a debugger the stub returns at once and AX
still holds 4Fh; SoftICE intercepts int 41h before the vector is reached and
returns 0F386h:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (IVT), as in Method 06
        xchg    bx, es:[41h*4+2]        ; install our stub, keep the old vector in BX:DX
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret                            ; does nothing: AX keeps 4Fh
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it uses neither function 4Fh nor the 0F386h constant, so a conditional
breakpoint on those values never fires. A changing value read from the timer
port is put in AL and the installed handler copies AL into CL. Without a
debugger the handler runs and CL == AL; if SoftICE intercepts int 41h the
handler never runs, CL stays 0 and the mismatch gives SoftICE away (if the
timer happens to read 0 the check misses, once in 256 tries):

int41handler PROC
        mov     cl, al                  ; only reached when no debugger takes int 41h
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in BX:DX
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer channel 0: a changing value
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 debugger interface):
function AH=43h is the installation check and returns AX=0F386h when a
system debugger is present.

        mov     ah, 43h                 ; installation check
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h (get interrupt vector) and 25h (set interrupt
vector); ds:dx points to the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect if SoftICE is loaded (DR7=0x700 if you loaded the soft with
the SoftICE loader, 0x400 otherwise) or if there are memory breakpoints set
(DR0 to DR3 hold the BPM addresses). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API; the open succeeds only when the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE-style check: opening the Win9x SoftICE VxD by its device name
   only succeeds when the driver is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);         /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;                   /* open failed: no SICE VxD */
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft load/unload a
non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025                 ; "\\.\SICE"
0040106C: call CreateFileA
00401071: cmp  eax,-1                   ; INVALID_HANDLE_VALUE ?
00401074: je   00401091                 ; not opened -> no SoftICE


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so the
 comparison lands on the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==F386            ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

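The static counterpart to the breakpoints listed above: an added example, not
part of the original text nor of any tool it names, that scans a raw code or
data buffer for the instruction bytes and strings that Methods 01-07, 11, 12
and 13 rely on, so the checks can be located in a target before it is run
under SoftICE. It assumes the DOS snippets (Methods 02-07) use the 16-bit
encodings of the instructions as printed above, that Method 01 uses the
32-bit encoding of "mov ebp,imm32", and that in 32-bit code a 66h
operand-size prefix sits in front of the 16-bit forms and does not disturb
the match. Method 06 is left out on purpose: it carries no constant beyond
the "int 41h" opcode and has to be found by hand. The sample buffer is
constructed here from the Haspinst.exe loop, the simplest int 41h check and
the MeltICE device name.

```c
/* Static triage scanner for the SoftICE-detection idioms on this page.
 * Added example; the assumptions are listed in the paragraph above. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* pattern literal -> pointer, length (string literals may embed 00h bytes) */
#define PAT(lit) (lit), (sizeof(lit) - 1)

typedef struct {
    const char *what;   /* which method the sequence belongs to */
    const char *pat;    /* raw bytes or text to look for */
    size_t      len;    /* pattern length in bytes */
} sice_sig;

static const sice_sig SIGS[] = {
    { "M01 mov ebp,'BCHK'",                        PAT("\xBD\x4B\x48\x43\x42") },
    { "M02 mov si,4647h / mov di,4A4Dh",           PAT("\xBE\x47\x46\xBF\x4D\x4A") },
    { "M03 mov ax,1684h / mov bx,0202h (SICE)",    PAT("\xB8\x84\x16\xBB\x02\x02") },
    { "M04 mov ax,1684h / mov bx,7A5Fh (SIWVID)",  PAT("\xB8\x84\x16\xBB\x5F\x7A") },
    { "M05 mov ax,4Fh / int 41h",                  PAT("\xB8\x4F\x00\xCD\x41") },
    { "M07 mov ah,43h / int 68h",                  PAT("\xB4\x43\xCD\x68") },
    { "M05/07/12 cmp ax,0F386h",                   PAT("\x3D\x86\xF3") },
    { "M12 push 002A002Ah (VWIN32_Int41Dispatch)", PAT("\x68\x2A\x00\x2A\x00") },
    { "M11 device name \\\\.\\SICE",               PAT("\\\\.\\SICE") },
    { "M11 device name \\\\.\\SIWVID",             PAT("\\\\.\\SIWVID") },
    { "M11 device name \\\\.\\NTICE",              PAT("\\\\.\\NTICE") },
    { "M13 registry key Software\\NuMega\\SoftICE", PAT("Software\\NuMega\\SoftICE") },
};

typedef struct {
    size_t      off;    /* offset of the match in the buffer */
    const char *what;   /* description of the matching signature */
} sice_hit;

/* Scan buf[0..n) against every signature. Hits are written in offset order
 * into hits[] (at most max of them); the return value is the total number
 * found, so a result larger than max means the array was too small. */
size_t sice_scan(const unsigned char *buf, size_t n, sice_hit *hits, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            const sice_sig *sig = &SIGS[s];
            if (sig->len > n - off || memcmp(buf + off, sig->pat, sig->len) != 0)
                continue;
            if (found < max) {
                hits[found].off  = off;
                hits[found].what = sig->what;
            }
            found++;
        }
    }
    return found;
}

/* Constructed sample: the Haspinst.exe back-door loop (Method 02), the
 * simplest int 41h check (Method 05) and the MeltICE device name (Method 11),
 * padded with a few unrelated bytes. */
static const unsigned char SAMPLE[] = {
    0x90, 0x90,                                   /* nop; nop */
    0xB8, 0x11, 0x09,                             /* mov ax,0911h */
    0x8B, 0x17,                                   /* mov dx,[bx] */
    0xBE, 0x47, 0x46,                             /* mov si,4647h */
    0xBF, 0x4D, 0x4A,                             /* mov di,4A4Dh */
    0xCC,                                         /* int 3 */
    0xB8, 0x4F, 0x00,                             /* mov ax,4Fh */
    0xCD, 0x41,                                   /* int 41h */
    0x3D, 0x86, 0xF3,                             /* cmp ax,0F386h */
    0x74, 0x05,                                   /* jz short +5 */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0, /* "\\.\SICE",0 */
    0xC3                                          /* ret */
};

int main(void)
{
    sice_hit hits[16];
    size_t n = sice_scan(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].off, hits[i].what);
    return 0;
}
```

Run it over a dumped code section rather than the sample to triage a real
target; every hit is a place to put one of the BPX or BPINT breakpoints
listed under the corresponding method.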
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service comes back with the zero flag clear when a debugger is
installed, so the check is a single conditional jump:

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>