<TABLE width=500>
+ h9 e, e j; C/ k \6 l<TBODY>
: S) J L% Y1 \<TR>
1 ~: {. z+ P# g9 } N<TD><PRE>Method 01 / m! t" E. Y9 f( C$ g
=========# y% U$ d! M4 K' X
1 X& h8 f5 ?5 K, {; B
This method of detection of SoftICE (as well as the following one) is; g4 M+ j+ r1 h6 d6 u/ N2 `3 c" t5 M# ~- D
used by the majority of packers/encryptors found on Internet.
$ M, G9 U2 P& O' UIt seeks the signature of BoundsChecker in SoftICE
5 D/ \+ N! Q: F* y6 v. ~5 `' ~. J4 J8 R& I7 {( M
mov ebp, 04243484Bh ; 'BCHK'
. f1 x+ g+ i* ~" k0 Q2 H mov ax, 04h$ V) {* }$ E" r3 e% y
int 3
# J6 G. {9 g ]+ y& E E cmp al,4
& _' w' \( k) T% q, \& Y4 X, W# N jnz SoftICE_Detected9 m& h/ y8 Q7 h4 ^! F* b1 R
+ ]' l. c% y: r$ j# w) U: U& S___________________________________________________________________________* u" f2 ^" g Y
# P; z! A% S+ t5 F
Method 02
7 L7 E. V& J% V( g! E* O2 A" [=========% p5 U5 [6 I, T- E+ q
3 E+ `3 r7 J/ k3 oStill a method very much used (perhaps the most frequent one). It is used! K+ `9 ?+ b% x' N8 c4 S8 U* [; P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' M1 A5 e6 O. C/ p
or execute SoftICE commands...& p! m1 L2 A" y. n, M
It is also used to crash SoftICE and to force it to execute any commands
+ w2 K k9 c$ y8 ~$ R(HBOOT...) :-(( 6 k/ h, @5 g4 V7 C( M1 p
+ F( N4 x1 D U/ H @% f# j
Here is a quick description:
( V* r0 j- S& e' t6 I-AX = 0910h (Display string in SIce windows)) O) g- P& k) b9 _/ }
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx): E/ |/ V% d2 \& d
-AX = 0912h (Get breakpoint infos)
# D: A# Q' x, c-AX = 0913h (Set Sice breakpoints)! U8 O7 x3 h" Z4 Y$ z% F$ i
-AX = 0914h (Remove SIce breakoints)# r' c: \1 L$ N8 k3 C# d
9 t) G3 y2 q6 |4 I, h2 q
Each time you'll meet this trick, you'll see:
6 Y& i ^8 e) R7 J; E-SI = 4647h- H) o4 t% Q' v# \- I! }2 t+ j
-DI = 4A4Dh- y7 \7 s% H/ [# _$ d( V
Which are the 'magic values' used by SoftIce.
& r: s* m5 m2 R1 {' Y) QFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.0 x0 \5 Z" O# s Q7 y" ^! ~
; `3 {' u- r9 P* B
Here is one example from the file "Haspinst.exe" which is the dongle HASP
9 O/ K" D$ y" u- _Envelope utility use to protect DOS applications:
. y( x, }# t$ ?& b, q0 V( T* E' G! V8 W2 W
; E8 ]4 A! I5 k5 n f+ E
4C19:0095 MOV AX,0911 ; execute command.$ N5 g4 ^1 L3 D$ @2 ]: [
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
; j! i9 r; H# X- }0 U4C19:009A MOV SI,4647 ; 1st magic value.: c' u6 a8 C/ r1 y4 }
4C19:009D MOV DI,4A4D ; 2nd magic value.3 ^# M+ o' E- k* t7 ]0 S" k
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)0 ~& n3 n7 j d( J0 |8 K+ @& _' s
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
s r# ]' r3 W5 [/ f8 K4C19:00A4 INC CX: V& C u2 Z- s. e" H, C" d5 q. O0 c
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
6 S* a- O/ {8 G, ?1 L( \2 S4C19:00A8 JB 0095 ; 6 different commands.$ z: y* c# g* h
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
0 I4 I3 L4 m+ |' K4C19:00AD MOV BX,SP ; Good_Guy go ahead :)7 W7 F+ c: T, J8 | z. K' Z% }
9 [3 s6 X- l* y. AThe program will execute 6 different SIce commands located at ds:dx, which
$ a4 G0 [& d6 }) P j7 i# Eare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
% c) a) N- |0 |' W% h
' o0 A: v0 I2 a) Q) p2 E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.' H, _# E2 }& b
___________________________________________________________________________
* F( w& K' {5 _& o" Q+ V1 R5 p( N; n; ]" u% c( q
* a5 s9 x( X5 f& f. h+ I" g) m8 v4 VMethod 03
7 a) ~# s8 F3 h) w=========
2 O+ h2 L8 |% l2 h% d' T6 b7 v0 u- L- v) d( g5 {: f+ C% e& ]
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h" C/ j: J% L1 a8 f! k
(API Get entry point)) N; C* e2 ^! J6 z$ ^. \' O, v. r
# Q1 {0 W/ k: i* ^
! [% K6 S8 m3 E7 D( p2 T
xor di,di
$ n6 D4 V; }; L mov es,di |3 l9 K5 l* e F
mov ax, 1684h
) a) k/ w- \; e* ?0 r0 W- N mov bx, 0202h ; VxD ID of winice& O |7 h: c9 X8 c/ E8 N* K
int 2Fh Z( `- e0 S* \6 _
mov ax, es ; ES:DI -> VxD API entry point
; F1 Z: q8 k: _' L3 ~- O# { add ax, di
. ]) X2 R0 [. M test ax,ax
: n. A" \2 j5 _6 t- V jnz SoftICE_Detected3 U3 ?0 D( I: a
! x% X) ], z/ ] s e6 a; F9 h
___________________________________________________________________________
, Q& R' O$ [* d* j* H% I7 j
" _! P( [0 X, C% I( C4 WMethod 04" s8 i4 N. ]$ l0 W) |# w
=========# M# f/ A4 f3 W3 L% `
1 _9 I/ x6 m" K+ H
Method identical to the preceding one except that it seeks the ID of SoftICE3 ?7 i/ x+ ], c M* n( [$ R
GFX VxD.: v* R2 q' n8 W* J% ~4 Z0 d" k
9 r7 `& |2 f6 Y3 g( [4 a
xor di,di2 N) Y- l" [8 F/ r' _
mov es,di
; i% {* D1 T9 ?) w" [- O) q mov ax, 1684h
% x5 _# M3 F6 ]% x M6 J mov bx, 7a5Fh ; VxD ID of SIWVID) y3 D4 u( z0 s2 r. C
int 2fh# M/ s1 E* f# i6 w% }
mov ax, es ; ES:DI -> VxD API entry point
/ o# Z, ]( T& J, h$ y! J- ~ add ax, di
6 g% Z* p3 j5 }- ]& x test ax,ax& x4 [, D C2 w' r: @
jnz SoftICE_Detected9 s( F* x3 \! r& W! P9 G
- {3 V5 _& q8 A! H
__________________________________________________________________________4 L( J; W* A, X; a) E9 `
; V' b. c4 T; W. R! J$ e8 {+ _! b1 I9 h' v' Q% i2 @
Method 05
4 w K0 c& k1 U* f- r=========
/ ?+ n, t; r) ?1 K3 I+ y) L" Z; y4 L9 Z) \2 Q' g3 [
Method seeking the 'magic number' 0F386h returned (in ax) by all system
3 @% s# j4 _( C; @1 ~debugger. It calls the int 41h, function 4Fh.0 q) L2 X. w! i3 g% f$ e6 r
There are several alternatives.
6 ^' b1 k' n9 y9 Y* e7 m0 N, K. L+ k! [ |* M
The following one is the simplest: \! k2 }! L# I( P$ v8 g/ U
! O# x3 v1 {& `- }, d+ k% ^7 Z6 Y' S
mov ax,4fh% h# C# a7 f/ \' O) V* p
int 41h
?" S' S: u% g3 p& C; t9 G: } cmp ax, 0F386
6 s; H# G5 i+ T- D jz SoftICE_detected9 `$ Z0 W5 N) v- j
, @* E% {7 [1 F! g( i M7 \" M/ C$ ?
! }# N5 q! d. ~, |5 Q: Q' \- jNext method as well as the following one are 2 examples from Stone's + U A5 y2 z) r% ?. @! r. m2 p
"stn-wid.zip" (www.cracking.net):
0 P% K- r7 d' Q5 ?7 t+ a3 k& R
3 y l& V6 P4 q3 ~* w% a% x* |0 f8 E mov bx, cs
# ]' X7 ], m* A lea dx, int41handler2" F7 c7 H; q/ c1 f8 [
xchg dx, es:[41h*4]
9 U# ^ o0 k _& o xchg bx, es:[41h*4+2]
3 ^- @/ U) _6 v$ m+ U mov ax,4fh6 b. R/ A# }/ b& D( r
int 41h
+ S% g3 Q* T' e# ]0 m; t; H# [ xchg dx, es:[41h*4]0 o- Q$ y4 G( T! ^/ `, [
xchg bx, es:[41h*4+2]3 z( ~) n. y- u$ L+ o; z
cmp ax, 0f386h! A7 }) r$ ?' p' e# f
jz SoftICE_detected/ E. g- C/ i4 T8 v+ Y
$ J7 I3 t. o$ {* H- c7 w6 x
int41handler2 PROC1 h/ {' H3 C% f! d: P; R
iret0 U6 }6 `! K @
int41handler2 ENDP
- Z! _" y0 c8 N' a$ o5 E- A% C- C8 Y5 G+ P5 F
$ Q& e& g# K) W2 n, P# `$ L) P: f9 U
_________________________________________________________________________( Z/ E8 v \: T1 P! q* E
( a, ]5 U$ c' a) M7 Z( b
) I0 z" ^) P6 Z9 y" [$ B; Y1 lMethod 06
. Q! J3 o' e: } N! v1 c; T# [=========
5 A3 C+ l+ J" P E& T( @7 U) C2 k9 @3 K& \ q8 b/ r6 g4 Z$ A7 N
# T0 p' {% {/ n9 n7 Y' r, T. G- z2nd method similar to the preceding one but more difficult to detect:
" X* N7 X, `7 @) M; f; |6 Z
, I* Y: Q2 n2 [
; `/ p! q% e: Y3 ^& Mint41handler PROC
" m! [ o9 W S& S mov cl,al& P$ c3 ^% z) R9 ~
iret
8 f; W: H' Q' a2 Y9 l' k' _3 vint41handler ENDP
8 s: F- t) f/ b7 X# A* r. c+ m' o# R/ C7 k+ q! @) O, [8 \$ u
) `; u$ }8 _$ d. X7 n% u# B. R xor ax,ax
" N: y! g/ p$ u ?: \0 T mov es,ax
6 c9 P2 @. C2 W* \ mov bx, cs
6 e/ a# f4 t x; G lea dx, int41handler
4 n# h; _. b- J; c' v3 e xchg dx, es:[41h*4]" N4 ^* s4 Z+ h* Q. c
xchg bx, es:[41h*4+2]$ b' R) [, e7 g$ J$ n9 U7 b4 g" E7 \
in al, 40h) G, V/ l5 e/ y' t
xor cx,cx
6 j) e$ s7 P$ H/ ^+ b5 ^ int 41h
Z* t% k- w6 e5 Y4 ?9 \ xchg dx, es:[41h*4]: c$ N( h3 r' R, U2 l; |
xchg bx, es:[41h*4+2]
+ x, m* y; ]8 Y) z% M3 Y cmp cl,al% G! u( C: O# w o+ x" T T/ `: W! Q' u
jnz SoftICE_detected
# }4 u0 p2 S \+ H2 M0 g/ O( ]1 O
# @2 \- a9 d' n6 E4 ~_________________________________________________________________________5 l# I/ I+ f6 e9 p! Q/ M
* ^ S0 L6 v h9 c+ @% V T
Method 07, v% H1 O: u1 T+ j
=========9 N A1 ~- k/ y R+ W
, i* W0 l' Y2 }0 j q. d" `Method of detection of the WinICE handler in the int68h (V86)9 I1 t0 N) E* S, P
0 e; R6 D8 b: \& X; D8 O& _ mov ah,43h
! q3 a3 I: G7 O) l, b2 P int 68h% K" s% t6 M# G4 [* I
cmp ax,0F386h1 E0 A5 u/ u' F! D2 `
jz SoftICE_Detected6 n3 C7 \4 F/ G; V8 I$ J
8 Q* N" F# ?! X
3 Q. \. k6 E% z/ r# I
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 }! S4 I/ i8 `
app like this:; v3 ^( {# L# M) @& K* W
/ g7 M% k8 I" j
BPX exec_int if ax==68
' V8 | s9 R" }6 Z6 A. C6 N (function called is located at byte ptr [ebp+1Dh] and client eip is
6 v) Y" f% V8 d2 B located at [ebp+48h] for 32Bit apps)
# a3 b( N$ i/ h; y' o; o__________________________________________________________________________
s8 J* x1 R0 t. H( F6 o& O3 k' R5 W+ n5 Q% u+ l, |
" t \& P' Y; r& b1 kMethod 08
1 |1 ~8 a1 Y4 Z, T/ R=========: S' z& y" G: X- V( S
2 G+ p/ ?6 @4 _/ d8 ?
It is not a method of detection of SoftICE but a possibility to crash the
7 U5 y* r" g( ?- E2 k$ E4 @# c% nsystem by intercepting int 01h and int 03h and redirecting them to another
: Y3 z6 o8 O. b6 v+ x/ Kroutine.6 s( G9 u9 j9 a% \0 N( e* c2 T6 s- q
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% s$ R: d' C1 i4 O+ A
to the new routine to execute (hangs computer...)
4 t: E5 x3 O& G7 }0 b! h% _$ a! s
mov ah, 25h9 D: u- k3 l2 W W5 g
mov al, Int_Number (01h or 03h)- h+ D2 o8 Y ?3 P, ^+ D* l5 b
mov dx, offset New_Int_Routine9 a7 H( c( L# }$ X5 C+ {
int 21h
) a$ u; X2 m& S) L- O' r, Y" a% w+ ~7 p& C* u+ s- A
__________________________________________________________________________
$ x7 h% O9 Q. S* A, }- h% x$ d9 F7 P p
Method 09
+ t8 k9 `8 @; k# o2 ^=========
0 r" H4 ~; Z7 E1 N: D1 D* m! Z0 U# O& j$ s; H% ~! @8 V
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only! U8 p! \9 `3 j6 z; _5 N
performed in ring0 (VxD or a ring3 app using the VxdCall).5 P F& o; Q& }1 R, ]
The Get_DDB service is used to determine whether or not a VxD is installed D+ T, t- T' x4 |1 P$ {% d
for the specified device and returns a Device Description Block (in ecx) for( ?" \! |% w5 u2 P' e. N
that device if it is installed.9 a9 E, p& U g, t' b7 v: E8 M
& \; x9 X/ x/ t, [ mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID: C$ `9 F1 k* z
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)3 ]) h* D3 Y; W) X
VMMCall Get_DDB
) {- r; e) v0 E: K; P! u3 | mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed# a8 f- \0 K+ m6 t
; H d, Z2 u8 A; s& X" N
Note as well that you can easily detect this method with SoftICE:
z* q/ Y7 u+ Z6 I9 r bpx Get_DDB if ax==0202 || ax==7a5fh
, V% k+ R* c3 ?3 u6 C9 V1 x% S. @# _0 f$ J1 O( t& b
__________________________________________________________________________, T% c& q1 l ~. G6 u
0 J* D" z. P2 j/ i
Method 10" k* c+ m5 G! I4 _& P- O3 H
=========# B2 X( j1 n6 @8 P; O
: ^" h. \: ^# ?; x=>Disable or clear breakpoints before using this feature. DO NOT trace with
4 `; P) P+ [0 ~1 f1 o7 d SoftICE while the option is enable!!/ [) P( k6 [) F8 ]- P3 ~$ O' r" q
4 }: ^# D, ?$ sThis trick is very efficient:' u' K* k% O8 a# N
by checking the Debug Registers, you can detect if SoftICE is loaded
* m4 N) ?" G/ r! T& \(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( z- l4 r2 ?2 s( R& u0 xthere are some memory breakpoints set (dr0 to dr3) simply by reading their# l5 K7 }" H5 W8 y# c2 c6 E# M( f
value (in ring0 only). Values can be manipulated and or changed as well
) B3 I% e. h# S2 T& W(clearing BPMs for instance)
, q- ?; q. O" {' H4 R6 [% N* S1 }. w! I( `
__________________________________________________________________________; h4 e5 g- v. n/ ^# F( m; q
6 u; P2 u7 {/ Y* g: ?2 r1 dMethod 11
4 d1 D9 Y" V% h7 o) N=========
/ ]# J1 u4 ]+ l' L c v' q
" |1 P4 Z2 B |- Y& j% f/ AThis method is most known as 'MeltICE' because it has been freely distributed' ~6 p- D! ]7 B2 i) h
via www.winfiles.com. However it was first used by NuMega people to allow! j: D3 k) v5 M0 c! r
Symbol Loader to check if SoftICE was active or not (the code is located
, ]1 j& J- I) r f. Ginside nmtrans.dll).. ]6 Z" H7 k( d9 c* X Z
6 t d& o& a0 y2 A1 s9 A- w+ rThe way it works is very simple:
0 ?0 Q4 ^5 p" bIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for1 Y' w7 |* o' A' z4 E0 L
WinNT) with the CreateFileA API./ A" B! _0 O4 y- i2 t9 [8 D* D
" }2 c! a7 G3 [: yHere is a sample (checking for 'SICE'):0 j! R. E7 p" a; ^& t) Y8 G
0 ?2 l- Z5 O; |9 d! p% s" MBOOL IsSoftIce95Loaded()# B0 B, j1 U8 S0 I) u. o" T6 y4 C; e
{" j( X5 l0 u8 Q8 Q/ T2 s1 s
HANDLE hFile; ! C8 n2 s! I1 i) b d
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& k; h/ s3 G3 s" x3 G
FILE_SHARE_READ | FILE_SHARE_WRITE,( v; l8 A% ?5 }' K: X
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
; [4 u: T- O6 I% E* J if( hFile != INVALID_HANDLE_VALUE ) `2 ?% g) U- G3 W6 Y4 _1 ?
{
1 g6 U2 U c7 D5 t m2 V2 z CloseHandle(hFile);
4 r) f* D1 _* C/ _. z3 L8 j return TRUE;, A2 `9 V3 l$ b( e
}! T0 H' U* g" X6 q( [$ Q' H0 i
return FALSE;- l! v* |) g. w; S j( J# c. O0 s
}
& U% S( O# p/ K
+ t" M2 F, Q u- X4 |Although this trick calls the CreateFileA function, don't even expect to be
$ b% U- X- \% p) e1 [; j: zable to intercept it by installing a IFS hook: it will not work, no way!, b8 w0 ~1 ^4 o" ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F, d3 }% ?$ o( y3 @) \4 w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)+ g6 l3 H4 w: x$ c/ T! l% m
and then browse the DDB list until it find the VxD and its DDB_Control_Proc. V$ r" L1 l+ C8 G
field.
5 Z/ c9 Q* g9 t# IIn fact, its purpose is not to load/unload VxDs but only to send a # ~3 n6 e& ?' h/ r
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: B7 J5 G% b$ S0 R' B2 ] d* G. }to the VxD Control_Dispatch proc (how the hell a shareware soft could try
9 u% p7 @9 F3 b4 {to load/unload a non-dynamically loadable driver such as SoftICE ;-).
5 @+ A7 n! }' j! Z# {If the VxD is loaded, it will always clear eax and the Carry flag to allow5 T0 E" \$ |" r1 r& U/ H2 Q f
its handle to be opened and then, will be detected.& p4 R9 w, O; K( e9 A7 U
You can check that simply by hooking Winice.exe control proc entry point
9 S0 O, p9 ]) Xwhile running MeltICE.$ L4 S, {* A! s9 F+ e$ b; x
5 e. S. k/ g5 B+ F1 ]+ l8 U5 S8 I3 I4 \
00401067: push 00402025 ; \\.\SICE
) \5 m6 ?3 H. @$ s 0040106C: call CreateFileA
1 X3 v( ?6 M: d, F8 Z! a 00401071: cmp eax,-001
/ K) x( f D c& G/ p& H 00401074: je 00401091" c5 `( s- H3 q# z
4 O6 b$ w; ?4 v' p4 U% q0 V% I4 c/ y6 c+ g* @8 V2 d) z8 w# ], |
There could be hundreds of BPX you could use to detect this trick.3 w6 y7 c' p# n/ k& N" `
-The most classical one is:
7 I7 C+ ]* r4 r* L BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||) H. c. V3 C: [2 T
*(esp->4+4)=='NTIC'
; _" X: _9 m% G) U( ]* v% ]% y1 Z& q! D3 U/ X1 Q: H
-The most exotic ones (could be very slooooow :-(
( `8 h d, w( d" C BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 4 U, i9 r; ^$ c" w* ]
;will break 3 times :-(& f, ?! c+ O, u" A o) f
, E. d6 l5 |. j: m-or (a bit) faster: : o7 M& y% ^0 s2 l2 G" u
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'). [2 X4 x( J4 O E
& g7 b8 i8 T/ P! X0 | BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 5 z. h1 d+ ~( H& |
;will break 3 times :-(4 P' @ A1 G u' w8 h3 `
$ P5 n( F' P$ S9 y+ h$ w
-Much faster:; L* e) P4 R a: \6 z; t3 ]; x
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'3 F& ]9 t8 i: o( O% z" f, ?8 n
+ [# T, f3 {6 C ]( s8 D8 I
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
8 @0 }. d% o9 @" u5 k* @. c' o! Ufunction to do the same job:& m& |1 q# P# B& W" E( H# Z
1 O& d8 {: a0 T/ O& F push 00 ; OF_READ3 W( Y6 T; O" v4 ^# L
mov eax,[00656634] ; '\\.\SICE',0
' G: G7 d0 [, b$ J5 z/ U; ]" N push eax: n. }. l E( H: q4 B. D+ ~9 q0 G
call KERNEL32!_lopen
& \1 J+ ~9 r3 A2 I inc eax; {; K4 P) v6 b! P' n" v0 x
jnz 00650589 ; detected- {$ j. z+ `5 m
push 00 ; OF_READ" }. W' W) F& q
mov eax,[00656638] ; '\\.\SICE'6 C1 P$ n5 C# ]- h/ j
push eax, w% e2 O! U6 z5 O' ]2 Q* J a- Q
call KERNEL32!_lopen: ^6 C4 H* Z# ^+ N6 A
inc eax
* z# W/ C/ k0 S( H8 \ jz 006505ae ; not detected5 ^4 V4 G7 z) }
* b+ W' _! R1 z; O4 _
& j% Z- {8 ?- H% L; t8 W__________________________________________________________________________ v. ?6 e9 D2 E9 R* h# K
' u+ X3 K# M- p. `. l1 H
Method 12- f; s- O/ }0 H. m9 }
=========
3 ] c( I0 _8 d6 G7 ^" ]0 y3 ^7 m2 l7 O6 F2 D" `
This trick is similar to int41h/4fh Debugger installation check (code 05
2 H) v1 m/ Z8 H9 ^; o1 z" {& T) H& 06) but very limited because it's only available for Win95/98 (not NT)" q* [2 Q/ l d/ G. G
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.1 S, v; x3 ?% r- ~2 U- z" `
" E0 m0 _# X- V, ~) A
push 0000004fh ; function 4fh) O+ l8 b7 q0 @+ i9 U& ^ u
push 002a002ah ; high word specifies which VxD (VWIN32)2 m- ~, l3 e5 l/ |6 h+ i9 n5 \
; low word specifies which service. U; z/ c9 \ ]% n' ~
(VWIN32_Int41Dispatch)
9 z1 q4 C, O8 c call Kernel32!ORD_001 ; VxdCall: U' |: F/ I* n8 q1 m x
cmp ax, 0f386h ; magic number returned by system debuggers4 \3 P6 U+ p8 n" i+ l$ F, O' x
jz SoftICE_detected
; u; A$ K$ ?- Z. o: t) Y0 E
8 t' S! U0 b% \; \3 wHere again, several ways to detect it:
7 Q- m5 i7 \ E9 k' X
3 J) u. e7 [! d+ b- Q* e$ d BPINT 41 if ax==4f" m) R, \* z4 }# h
: @# o. [+ ]& B2 e3 m0 ? BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
" U! \" H- l" u. A, a
, I$ O% [# T2 M) F) g! k BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A6 V) ^, I% C& I. f
$ W ~" d1 U/ ^4 Z2 A5 T BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
' b; d; O0 h4 U7 P
$ J0 J0 c/ y2 Q$ B. X, N0 i( U__________________________________________________________________________. s& r' h% N* |5 J- s0 p' F
7 M3 D- L- F# J0 U. T" `
Method 130 K7 m& z2 ~' b1 I; x. Q+ d
=========# q# s! b/ e$ ]) D
! R) }7 g% u5 o* h( oNot a real method of detection, but a good way to know if SoftICE is
. _$ i& A2 A+ u3 Q/ Q3 jinstalled on a computer and to locate its installation directory.0 b$ U" M- V1 j( k. v0 `6 @( P1 l2 V
It is used by few softs which access the following registry keys (usually #2) :
8 i9 Y" w9 H6 n2 L& g* n8 f! |' O1 p- C+ o4 S$ Z+ O* i F7 g* {. u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion G0 D+ v* O# z: k q" A
\Uninstall\SoftICE
: U+ s2 r5 }- ?6 O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) ^( c+ y1 k- V+ H% i+ ^5 M# N$ D-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* x, s l+ A8 ?9 U\App Paths\Loader32.Exe
0 c! N7 z9 k& O: u6 e8 b: [9 g1 J# S( j7 G# U0 U
& }+ t" x+ F3 `Note that some nasty apps could then erase all files from SoftICE directory
* w, ?) n# u6 U(I faced that once :-(. V0 i, c9 i6 x$ N$ m
0 y+ n) p, k: _! i5 _1 I' g3 [Useful breakpoint to detect it:2 t# }' _3 a. i5 Z
6 N$ w8 V o! J% r& M, s
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
% V! e/ Z1 F$ R$ T* O
$ K0 P3 [: v! x9 b__________________________________________________________________________" ]4 i9 i2 a4 O5 O- O
: ?" b- V a V4 \
' u3 H' C8 H" i* ^& j. ?
Method 14
( z8 U H1 r5 E {5 w=========% {0 s, |% H. f
' Y* M5 h$ Q5 \1 D0 sA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
7 V5 j+ ~4 z4 @1 D/ [is to determines whether a debugger is running on your system (ring0 only).
! v/ k0 M( Y f( ], C* X: ]% O5 y7 g* x, H" h u/ R
VMMCall Test_Debug_Installed
# p% D) l6 F z n0 ]7 U je not_installed3 \+ n8 J4 k( L, ~7 q4 p( I% ?$ D
/ Y3 z* |5 C3 W8 d! k" ^
This service just checks a flag.+ V- i8 ]) y( K9 c9 y1 _$ Q! q
</PRE></TD></TR></TBODY></TABLE> |