<TABLE width=500>7 x2 K4 O1 q% z) X& s
<TBODY>. u! l5 ], ]4 t L Q# u2 m
<TR>0 J2 Y F1 |5 t$ C5 \
<TD><PRE>Method 01 3 _6 M. E; {$ J5 c" i
=========. b+ [' K% d5 L; t1 U
8 E, e- J/ `* e% Q5 S
This method of detection of SoftICE (as well as the following one) is' T4 g7 |9 i; X4 Y
used by the majority of packers/encryptors found on Internet.5 Y! l- T/ I8 j6 y5 u# u1 `& a
It seeks the signature of BoundsChecker in SoftICE
6 l# m, a, l* w0 e
% Q: E* l6 t+ u* | mov ebp, 04243484Bh ; 'BCHK': Q) a3 G5 v% w7 }- |
mov ax, 04h
j( N: a2 L* I! J8 \ int 3 5 f1 ?1 n: S. V0 J) M" \
cmp al,4; Q& a: ?( o) }+ d% H: w1 v- u
jnz SoftICE_Detected
. }2 n5 S$ R' ?$ i; R
& A/ G' t5 j$ M1 m___________________________________________________________________________
9 i2 T! h1 B7 t |3 J
' j# u9 N+ z' E- I! ~2 @! j. m% FMethod 02# x+ \8 ^9 y: d/ t. z
=========9 s7 k# S: Q1 u5 f
1 f! m' T5 i, S6 W3 o& M) fStill a method very much used (perhaps the most frequent one). It is used* \0 T! L$ S# t& z
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 i+ b/ o3 b. _ t7 Zor execute SoftICE commands...
! Q1 o9 _) E: Z0 c M, M( w7 XIt is also used to crash SoftICE and to force it to execute any commands
$ u+ P' ]/ W- c1 @/ |(HBOOT...) :-(( 5 L# w8 c' _( u6 U
6 ^, e @9 U& }Here is a quick description:4 {! v. J! G; b* d
-AX = 0910h (Display string in SIce windows)
, u3 \0 u9 V" \2 b# e-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)! ]1 a0 y5 j ]7 ?: A7 {7 ?9 f
-AX = 0912h (Get breakpoint infos)9 |; ~: S6 i/ o |4 s0 H
-AX = 0913h (Set Sice breakpoints); ?8 g8 G& u0 c( M
-AX = 0914h (Remove SIce breakoints)
; l: k) U j$ ?+ q9 h( o
9 _- r0 `* y$ g& C2 A" ^Each time you'll meet this trick, you'll see:; p7 Z4 P. l8 C
-SI = 4647h3 `! T8 O' d. W9 F0 R
-DI = 4A4Dh
( t& E3 N: S* ?( Q% t, TWhich are the 'magic values' used by SoftIce.; |" `5 S9 j- k0 h' T! K7 s
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 R4 ?* c( i: s- ^/ f# g* {
. T% P% l5 W2 A. L+ {Here is one example from the file "Haspinst.exe" which is the dongle HASP3 o0 d# J. Y; `) F! C1 r f! c5 x
Envelope utility use to protect DOS applications:; @2 E [9 x& {; |) f
+ S" y- Q' u, |/ Q: c" h2 X
2 {) T& N, j+ `! I2 l2 ^7 S
4C19:0095 MOV AX,0911 ; execute command.
+ T1 p+ |9 ~$ m4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).: b$ x0 h4 m! L, m4 F9 E/ Q
4C19:009A MOV SI,4647 ; 1st magic value.
4 V% b6 D; Q$ v4C19:009D MOV DI,4A4D ; 2nd magic value.
5 i* X1 M; `/ j$ n' H( i5 K. r# R4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) O! J+ [# ~5 s
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute9 t) R5 u. g8 }7 E
4C19:00A4 INC CX; X5 I) _0 b: ~9 a
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute# f# C. W5 h; r
4C19:00A8 JB 0095 ; 6 different commands.
1 n+ R' Q7 u& }% `! |0 d9 @4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4 G! Q# s& c/ a+ r+ s4C19:00AD MOV BX,SP ; Good_Guy go ahead :)! Z" Q7 v6 m, `7 U& x
& E7 l! g+ W6 g- o. L% ?/ aThe program will execute 6 different SIce commands located at ds:dx, which% A' `- R6 m, Q$ l: e8 H0 C
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT." W# ?& }+ p9 O: |# j
7 e5 n; F9 f% _4 N& B5 u% r1 E/ E
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 ]" ]: g$ m0 q* X5 N0 ^
___________________________________________________________________________ j% P$ d, h3 ], ~
* T# X; h- T' q7 o
" a5 G# ^$ a0 [ }5 s4 y4 SMethod 03. n" z0 W. ]" }% W9 Q( B
=========) J& _$ U, H$ T) \3 O( b
( X6 e% ]: Y0 r" G* h5 L! u1 f) @Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h4 g/ l: ~0 w3 R5 V4 }: c2 d3 V. V3 y
(API Get entry point), {1 O4 }0 [/ l: e% F& h- }; J/ i# n
1 E9 X, i' m- ]5 @1 R/ }( T% v9 Q8 S. k) ?
xor di,di1 r2 |3 L; o ]4 \
mov es,di
' e2 F# K% F3 Q% ]# J# d mov ax, 1684h ; [6 b( o7 l# {1 _
mov bx, 0202h ; VxD ID of winice2 J: V# q5 I) B7 `! `6 g
int 2Fh4 v- L0 u3 Y6 O# \3 @% P
mov ax, es ; ES:DI -> VxD API entry point5 X6 c- b7 f& x( ?* f9 m
add ax, di
8 ~3 F2 Z5 \3 h& n& e: T test ax,ax6 Y d# k& ~- Y9 Z; y: L
jnz SoftICE_Detected& X! T1 I5 F( Y4 e( z0 a* }+ }9 }
7 \9 k+ ~; c; g( m5 v
___________________________________________________________________________
Q( Y! ^6 g6 s, x9 g
1 ~, k7 ~7 f5 v% l/ RMethod 04
' ?' k) ] g- }3 D0 X o8 z=========
4 a; l: C7 W7 B7 v- N4 A, I9 ^: L x. a" s
Method identical to the preceding one except that it seeks the ID of SoftICE7 w+ D5 s$ u: P. C
GFX VxD.. v: n* Z5 t; f5 v2 ]. Q
$ e! f0 n. d: F! N+ o: x. p
xor di,di- U. p* D! k/ v% m- L* V
mov es,di1 v. n0 t! h; Z6 _2 X
mov ax, 1684h
8 Q* u9 X7 T4 t& a' `% s3 c mov bx, 7a5Fh ; VxD ID of SIWVID
) c' O& O- K" ^ int 2fh
9 Y0 ~) K3 {% T: K: j mov ax, es ; ES:DI -> VxD API entry point3 H& S6 L' {8 U( \, v" C
add ax, di
3 I/ {3 _! r" y2 p/ ?# B test ax,ax
% o/ |4 I- k. t2 m- q jnz SoftICE_Detected) ?- |9 H6 O* _8 z. Y) f9 L( s
& K; ~; V9 r9 X1 R: V__________________________________________________________________________2 X( } V7 c, i( F+ f4 X
: x8 c, n; S6 L; c1 ?8 P3 l
! N) |, @6 t9 ]0 v! |Method 05
. h+ V! S6 _2 y=========
/ N# C& ?: x9 H! ]
: z! \$ S8 K& rMethod seeking the 'magic number' 0F386h returned (in ax) by all system
) a( P( k9 l8 Q2 W& _0 W1 s$ _debugger. It calls the int 41h, function 4Fh.2 Q4 v+ K& \- O/ K+ P8 O/ F$ U
There are several alternatives. . k- @1 l4 V R/ f
1 |" z! |3 c. _5 nThe following one is the simplest:
+ P/ R; p, T- [+ L0 \: Y
/ _5 e4 R' E: w5 }% T mov ax,4fh( R; _4 N# m+ k: A
int 41h
/ \- {) V" Z9 d2 f6 R& \ cmp ax, 0F386% R" _# E: t$ W/ |
jz SoftICE_detected; i% @, T' T! n: z2 _/ X% O
1 G5 {6 e" X7 C1 _ }) D: R
3 I. b) o) p( I8 [, FNext method as well as the following one are 2 examples from Stone's * U; O3 `; M# T& p* C3 g6 W1 h
"stn-wid.zip" (www.cracking.net):
9 E! M0 m! K0 ~( R }5 T' }* O% A0 B0 S5 w
mov bx, cs
( S6 I8 l/ A) K lea dx, int41handler2
$ k3 @7 f5 A4 O6 _8 | xchg dx, es:[41h*4]
* z/ l( Z/ G6 R* Y xchg bx, es:[41h*4+2]
- X5 }) u( n: |, q mov ax,4fh
. h$ f( j7 R5 | int 41h
9 g% Z/ E8 \( \& H xchg dx, es:[41h*4]
% @: M- a0 z: S4 H2 D$ F xchg bx, es:[41h*4+2]# F# K1 T4 O$ B5 V8 {8 x9 w& k
cmp ax, 0f386h
9 Z- h, k4 S [9 \ jz SoftICE_detected5 W! V7 n3 m& o* z i, W4 g9 X
; D3 _2 J. `$ a% f* u5 o( V
int41handler2 PROC
Q- V9 w E0 d8 r9 h! Z0 c iret. m7 ?* T: N* h, e: R
int41handler2 ENDP
' T) P: M3 z% N) W% j
r# P5 ^# L6 D+ e% q- ?. o6 J
9 h3 O' t: h4 K2 F+ U_________________________________________________________________________
% j$ L$ }9 @8 x2 ]6 @! B. _! h6 K. U- w- `- o- G7 m$ o
# D. O. K" C0 n' X
Method 06
4 W% k' p( C8 X4 D- t* @=========
% a4 e+ P- m3 P9 f' m" p6 J0 G: C+ x- v* d1 D& Q8 C8 z% H" f1 s* Z
+ c! ~, _0 G, d# w2nd method similar to the preceding one but more difficult to detect:
& N: P; f0 ?; N2 h4 D+ G+ ^
0 Z5 i* Y9 a# F# J0 W( Q. |
9 W2 W" ^( L8 D- E/ ?' cint41handler PROC
* U0 }: Y8 n+ {% c4 \& V { mov cl,al
0 Q: S2 b' `) Q1 r- S5 Y iret
: x* I5 X+ X |. n/ w! V4 Jint41handler ENDP
7 b; J7 G7 J k, u' W4 I7 k5 b& u8 k7 I. c
9 s! E$ `' P/ I# p6 j8 ~( v xor ax,ax& A" u q& R. [& y2 Y
mov es,ax
: V3 u( k$ z( f ?8 b* I mov bx, cs
# e! U) C3 A3 r$ v0 t lea dx, int41handler; M: ?; f/ Q. T! F" N
xchg dx, es:[41h*4]
; [4 @5 s( v. U% F U xchg bx, es:[41h*4+2]
! v! R' `& {8 O% c! u( o in al, 40h2 V+ ^- b1 T: r: l" z
xor cx,cx9 c1 t. D( k" n# X0 m. F$ P
int 41h
+ ` V8 X) T% r- r e( r( u* {7 U xchg dx, es:[41h*4]# `$ I) r0 h4 U8 t0 H0 e/ w* _+ C
xchg bx, es:[41h*4+2]! J \1 E9 b1 u% D
cmp cl,al* s! Q; [2 o) U0 b2 Q* C2 ~0 l
jnz SoftICE_detected2 r2 g# E8 S( M5 z+ @' ~
0 `+ p8 b8 C" V7 S8 _0 z_________________________________________________________________________
; g% r4 M, L$ B1 G* c4 `
" Z1 g8 e4 r; O2 k2 A& xMethod 070 K" e1 a: ~& h/ h
=========
Y; Y% ]( {3 C# h5 S
; ^2 ~9 W6 B& M7 ]Method of detection of the WinICE handler in the int68h (V86)1 _4 t7 f; m& n6 |3 E4 c% K
: P) ?0 F5 B' D. t! Z mov ah,43h5 ~" u1 c" S( k8 L
int 68h& p* `) L4 Q' Q+ O
cmp ax,0F386h
: J9 B9 o" l3 ~$ j& f jz SoftICE_Detected
" W1 ~! |6 N+ z& z; v. E
1 ^# H1 \* r6 `. U: h- ^8 x5 ?
- u2 H, N* C% b9 c9 v/ I3 P=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' ]( }1 c: q. ^2 ~; M/ ]% J9 a
app like this:- ]& R7 ]$ t; ?! x
2 s9 \1 L: r/ Y3 r3 Z* b
BPX exec_int if ax==68
2 K/ ~. j5 p. n% E4 }# a (function called is located at byte ptr [ebp+1Dh] and client eip is
! ]/ T) D$ }% ~- q! G1 a located at [ebp+48h] for 32Bit apps)6 ]% |- j7 u9 w* Y' ]
__________________________________________________________________________
# X, w5 B/ S- F5 O: |9 v
; X" T3 A& d% g& P
& J6 Q4 N' j1 m# O; Y" N* lMethod 08( K/ N- y& w. Y) v! Q
=========$ `4 U5 ^! _, |
& c5 f# V+ ~/ P
It is not a method of detection of SoftICE but a possibility to crash the
8 m$ K1 | ]) y+ b8 Z. gsystem by intercepting int 01h and int 03h and redirecting them to another
6 g: [+ B3 K7 }! n/ Droutine.
7 b; c$ y# u0 \& ?3 JIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ J0 G2 F8 t8 Q& M+ P R
to the new routine to execute (hangs computer...)- c8 ~! }5 q. z, k! p: m, k5 M
1 F0 e, a+ H x. \! _' T N+ X/ u mov ah, 25h4 W/ W+ D9 r3 v1 a, |
mov al, Int_Number (01h or 03h)! K2 I8 K+ J4 n% ` H
mov dx, offset New_Int_Routine
! t2 B+ @& R. r, H int 21h
" d& C1 E- L- D8 ~ V0 g |7 n$ A2 n# w4 y' B6 Z9 K, u5 p
__________________________________________________________________________
8 I7 P' Z9 t7 p: K3 e1 d) l6 I
1 t" p" N# m- U5 }Method 09
J2 E4 r' u. D a4 E4 Q) f% N9 e=========! D3 }: V$ A" p; Z: j
1 ~0 z( W1 [! z" v& {, WThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
0 W, z+ Q% O! [# ^; Fperformed in ring0 (VxD or a ring3 app using the VxdCall).3 K1 }) b; N( g3 b5 ?9 Z- v+ ?4 b9 e) P& E
The Get_DDB service is used to determine whether or not a VxD is installed
/ a& a' ~' N) W/ l; M1 ffor the specified device and returns a Device Description Block (in ecx) for6 s5 P3 J8 \7 r1 a7 d% f# j. G
that device if it is installed.
" y i* Q* g% A6 r3 Z: f0 p- a
) b& b' l- ^% w. N; z4 o) R, c" L mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID7 N% g& D" P. m% o+ u3 l7 L
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
& @6 j) C8 E( p3 {, N4 X$ Q VMMCall Get_DDB
# \1 w% ?$ r/ x mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ Q2 {6 {: x, P, M
9 r! F2 h# Y! f. |' b( eNote as well that you can easily detect this method with SoftICE:
1 J4 B4 u- H" Y' T+ C# o- ~" f bpx Get_DDB if ax==0202 || ax==7a5fh+ c& w1 l9 t! P; q; Z
" @, \( L+ O, z8 x) P7 b2 r__________________________________________________________________________
3 {$ U2 ~7 v3 c1 j
" j! M7 U, x a+ I0 b0 S& g5 }+ IMethod 100 t/ u/ F- f/ i: ]- C% j& D
=========5 S% k6 T' n% r9 \/ M$ I# G) E
7 |, U- b ~# u9 W( ?' L I8 s=>Disable or clear breakpoints before using this feature. DO NOT trace with$ g1 ~9 r; Z) L$ K$ J
SoftICE while the option is enable!!8 j, E3 r/ X8 E' p
3 b! A- K5 ^7 _- ]3 C8 _. y9 uThis trick is very efficient:
, x" S( [* F# b K* H+ Qby checking the Debug Registers, you can detect if SoftICE is loaded
+ u9 m" _- x3 Z/ E% |. _(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if8 }. D; k2 c& w: w! _
there are some memory breakpoints set (dr0 to dr3) simply by reading their) S' O. q8 m7 l8 e5 M. I
value (in ring0 only). Values can be manipulated and or changed as well
$ C; M+ h- D/ v. \, w(clearing BPMs for instance)
- w1 t% n9 _/ p9 v \& e7 s3 g* `2 J( l
__________________________________________________________________________
* M% T6 B/ C8 p! d4 [: @9 `, Y# l& c$ z, r6 G
Method 113 k; c7 s0 O, N! z2 B
=========
1 g) t- d+ s% @
: {/ Q1 S& w, u: }. J/ G. kThis method is most known as 'MeltICE' because it has been freely distributed
" Z% k4 V; C. L- h9 ]8 C1 b; svia www.winfiles.com. However it was first used by NuMega people to allow
' D N4 y( \$ hSymbol Loader to check if SoftICE was active or not (the code is located, @; g& ^# N- L0 R2 `! t. n0 f
inside nmtrans.dll).
" J. V$ z$ i, W i: U
# v* g1 } S0 {: AThe way it works is very simple:
& e0 l& ?1 ]& T( eIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& Z( G: u0 c& ~- g, WWinNT) with the CreateFileA API.
# P/ o5 r; U$ d) Y% P/ R' Y8 C% d) w5 v: w/ Z
Here is a sample (checking for 'SICE'):
+ R3 {) w7 j' @* i: J" ^1 T( ] O8 I/ f" |; A" Q
BOOL IsSoftIce95Loaded()
, J0 O' ~, |+ K& t3 `, U- i" h0 G( M, g{/ [4 A; P* M7 n0 R% O
HANDLE hFile; * L0 ]6 m" Q% W- A
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,4 x! l. B1 `% |% o: I3 ~
FILE_SHARE_READ | FILE_SHARE_WRITE,. b) S" \# U3 s O$ \4 Z+ Y2 J- ]" E
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ n7 {" p6 G8 V7 H' X
if( hFile != INVALID_HANDLE_VALUE )$ Q0 R2 w, e, |( B7 c" _1 o1 X7 z
{0 |4 O5 u. F: _3 Y
CloseHandle(hFile);
" d/ U% {+ c9 J/ w# M9 Z5 \! \ return TRUE;2 ]/ s$ U: g8 o m5 D X
}. F1 V3 d4 s1 [- l
return FALSE;
/ ~. _' d- V4 {8 r}
( l6 }& E9 Q; M! @0 z6 Z- P
: m% ?" V7 j' i1 QAlthough this trick calls the CreateFileA function, don't even expect to be$ c4 k, B- F" W* w
able to intercept it by installing a IFS hook: it will not work, no way!
# o2 o6 }0 G% q: s. Y& {# CIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# a. ?7 |: y! m# P" a. j
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 d7 k1 e, v6 i4 W% P3 f
and then browse the DDB list until it find the VxD and its DDB_Control_Proc1 v( U7 f( m; `! w
field.
* R4 ?0 S/ g A, {In fact, its purpose is not to load/unload VxDs but only to send a
* z0 @8 B# Z* qW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; a B' Z& }1 j! vto the VxD Control_Dispatch proc (how the hell a shareware soft could try
/ [- M3 W+ I6 }) \to load/unload a non-dynamically loadable driver such as SoftICE ;-).. e7 T, ~- K" V: Q) w& L/ y% {
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) M$ q" M0 X; d9 wits handle to be opened and then, will be detected.
$ n% G+ T) A+ D" Q% s$ }6 D, Z- J# pYou can check that simply by hooking Winice.exe control proc entry point3 f8 E( ?: N& c8 @9 n* w7 R
while running MeltICE.
+ p$ s8 T( D9 w! m! ]6 o% M+ h4 H8 J% F _. p6 E
j8 a6 S! } Q; Y2 U: z& L7 v6 v' e
00401067: push 00402025 ; \\.\SICE
" _5 M1 B% {4 h* e4 U* P 0040106C: call CreateFileA) B" h& O+ F, } [
00401071: cmp eax,-0014 S6 Q8 U0 O5 T2 }$ S; n
00401074: je 00401091
! A( t n( \! W6 Y0 h- T
+ V8 ]! Z( t8 p1 ?6 J! x' r5 ]0 g
% L5 B- ~* ^9 g0 a1 ?4 ` @There could be hundreds of BPX you could use to detect this trick.
% M! @( X. t) Z0 [8 f3 C9 v0 A-The most classical one is:
% E% [& A I' P" z7 x BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||4 v: Y2 z( u5 f* U2 W
*(esp->4+4)=='NTIC'" ^6 [) t# `& g, D1 K5 G4 q0 z! p
* O- H2 T8 |* }. A+ x; M8 o+ g
-The most exotic ones (could be very slooooow :-(3 {8 e$ r" X/ d0 N# e& e3 f
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 | M/ f: s1 v% A, X
;will break 3 times :-(! _) A2 E7 Z$ A
8 ~: _% u4 E2 Y
-or (a bit) faster:
- k9 {" h G& a$ e6 d9 E% \ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
9 J* r( v! q5 \" i. T% ]
- C+ f3 {7 P* O. e# J4 h! ] BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
* x, C# V* V& Q* | ;will break 3 times :-(
e0 V5 ]) x6 ?2 ]" e- ~
/ G& q2 P, h9 d. R" W-Much faster:4 \: r/ H% }* N& |4 h- i4 L; Z% b
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'9 K9 `! b5 b) K2 ?
' A2 O* N9 |/ c" K W0 l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
. u2 S* x8 `! y0 Ofunction to do the same job:
. i2 ^! }) ?* {" K9 o0 p. T$ O7 P6 p
push 00 ; OF_READ
% R4 s( f+ k c8 u" o P% A- t mov eax,[00656634] ; '\\.\SICE',0
3 o0 a1 ^) o) d* m* H push eax# I# y7 ~; z4 s }7 q
call KERNEL32!_lopen
: K& j8 y9 F1 ?. H, ]& |) \ inc eax2 K- I6 O$ z. Y4 f# P7 Q+ i
jnz 00650589 ; detected$ J, U& K* @6 [, o! I, S
push 00 ; OF_READ
& U# j& D# F( d4 h, k) r# R, h0 M mov eax,[00656638] ; '\\.\SICE'/ C" U; a0 g1 U1 X4 v
push eax
4 P% z' @+ b" v6 N) R: s call KERNEL32!_lopen
! f$ A4 z3 k) ?& y, \7 N) G% ` inc eax: n7 l( u, d. a' `' i; V
jz 006505ae ; not detected
* w( l2 D' V3 l6 R% e- q
: g9 C# n% T+ V. r8 Z7 J
5 o3 P. d1 m' r4 W) m7 B4 |/ Y__________________________________________________________________________5 P! C8 e! }' ?/ {/ [
- ?# [. H3 E" {0 p4 A0 t
Method 12( G J: ^8 n1 L$ } G1 ^
=========# R5 }( q5 k; D; @% e+ }
* v! \+ Q3 t0 I/ [
This trick is similar to int41h/4fh Debugger installation check (code 052 d% j: `: C, z5 Q
& 06) but very limited because it's only available for Win95/98 (not NT)2 ?; A% h6 N, S z/ F( x
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 J) r# R$ b' ]7 a5 {6 a0 e5 e4 u2 z& Z! x$ h* n( U. |( g
push 0000004fh ; function 4fh w- B6 h, k9 t- y( M; x
push 002a002ah ; high word specifies which VxD (VWIN32)
3 u) {0 ], P9 `! f; h" r ; low word specifies which service
+ D( o5 V2 w& u) X; |. ] (VWIN32_Int41Dispatch)
8 b2 P6 E9 f8 e; T/ [" H1 I6 F call Kernel32!ORD_001 ; VxdCall
, C, v; f, D* |2 T: e1 J+ `9 i! B cmp ax, 0f386h ; magic number returned by system debuggers
" q( u g% f7 P jz SoftICE_detected: \- ^8 K5 `4 d+ Q( K7 o% F+ W
$ o' k+ n2 F/ K6 H; g1 ?8 YHere again, several ways to detect it:
' ^) R7 l3 K( |2 }7 l$ a3 ?& R0 ^- U2 D7 R7 y% l n9 |
BPINT 41 if ax==4f' I) \* s) u- P- X$ q
( A; ]! b; O8 z$ n# \, U8 p: I
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
: R4 N: F9 `! {- a! [4 s& V- [
- x6 x2 N; I- C: f BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A3 U- U, r# J6 z/ z; s4 N, O
. ^' i2 } U& M7 `/ f. r5 J BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!6 ?# t3 h8 m4 P4 l4 X
" P5 [& q. R7 [2 R$ h/ N' V__________________________________________________________________________ l( P! y% a$ a9 ~0 f
5 x$ L1 f4 f; J0 G9 }
Method 13' k% K# X+ J* u9 F+ c' p9 j
=========+ T- l( i/ b0 H
6 F N; h w' QNot a real method of detection, but a good way to know if SoftICE is1 p0 M" |9 @+ `. F8 ~$ s
installed on a computer and to locate its installation directory.9 O% L0 p$ X7 p; E
It is used by few softs which access the following registry keys (usually #2) :
3 I e# z( b+ J. ~" H
7 @- E* ?' J& u a5 W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- m" R' N" @: p I: I G; J4 I3 ~) N$ _\Uninstall\SoftICE, Y# ?0 E$ |" i% R# N" m
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) T' b# R9 n+ `+ e( q1 X% f-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 U' j$ j* M/ N$ y* _0 r+ Q\App Paths\Loader32.Exe5 I' E2 u# s! \' s8 }, a. ]4 \
8 U3 c% H8 }4 U. v* k: l( `$ }# A' h) x7 l8 K5 }
Note that some nasty apps could then erase all files from SoftICE directory
4 ~! M( v( _7 R7 h, a, H t1 M, W(I faced that once :-(
: B6 U5 p/ W8 I
+ b3 \1 q+ S, QUseful breakpoint to detect it:- q: ~6 @9 W% g' e
0 r; c! Q0 k" R) a1 `# n O BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'6 v; B9 E/ [9 ]1 H8 ]5 w9 X
! }5 v d% R% D9 Z0 }
__________________________________________________________________________7 P6 g: ~* D3 }/ ^; v( J! T
( h/ o: j! n" I( P0 Y- k
; z6 x j& a& Y4 P& G* u) ~, eMethod 14 # V) P B1 Y6 l# N ^9 }
=========9 y2 }8 D/ B# E( F4 @4 z
( K0 ?. V$ F: PA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 d! s Q; s+ @! G
is to determines whether a debugger is running on your system (ring0 only).
: x% I1 g7 N+ W: j
; X- i, Z7 b2 J$ `0 ? VMMCall Test_Debug_Installed l0 ^- [$ n6 r# G5 w$ @/ K4 E
je not_installed6 L; k: j. ]: S2 ^$ \0 \- @
% L/ K) |6 L" z ?+ SThis service just checks a flag.3 R0 }/ S7 n3 {: N
</PRE></TD></TR></TBODY></TABLE> |