<TABLE width=500>
: ~ M5 Z) f; K6 a; z, V! V, A<TBODY> u1 e9 u; |$ ~5 \
<TR>
& h! x+ K9 n `9 J; |" i<TD><PRE>Method 01 8 i G8 v, G# }' j) W* d
=========! k+ y1 G B* J; P. p+ M( C
) r1 z& B- g& e) o! g L* }- v; d. W# MThis method of detection of SoftICE (as well as the following one) is
8 v3 b9 R& M( o7 m, i2 P1 |* `used by the majority of packers/encryptors found on Internet.
- N; g' `/ ^$ W9 j1 b8 O/ eIt seeks the signature of BoundsChecker in SoftICE
1 y' a5 x: h1 Z# h; F: {; [- H: }
mov ebp, 04243484Bh ; 'BCHK'
# R: y1 ^& w4 i' o9 F3 S3 s mov ax, 04h" h0 [1 N6 I% z" p* M! `& \! ~+ i
int 3
& r& ?7 `! V0 X4 N" @% r" ]9 H cmp al,46 o3 j/ Y3 [6 O5 i! m2 \
jnz SoftICE_Detected* K& {* _: P w# ]: }
# ?9 N' _2 B4 G; ]. h4 i___________________________________________________________________________7 G9 l" }9 u, V% C
8 ~. ~" J/ h( s
Method 02
# ^1 q9 m, e" l: F2 m% c=========
2 D; H. ?4 r. e3 S" q
# S' v6 Q/ ?6 AStill a method very much used (perhaps the most frequent one). It is used( G& i& z- F! N8 k+ M
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
' m1 J7 |2 T4 Y: z- v. ror execute SoftICE commands...* \" E6 ?5 S! I D
It is also used to crash SoftICE and to force it to execute any commands' l/ ~ h& q) Y! |; G& B/ S
(HBOOT...) :-((
, G# y+ K- m z+ Z, y; N
; B; s! F. p# Z! f$ {2 r8 m1 g% BHere is a quick description:
l H/ Z- R. X7 a8 L" x-AX = 0910h (Display string in SIce windows)
4 j, y6 f7 }% f: \/ h2 u0 R-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)' X9 y3 A9 K; ^% [0 P3 O5 A9 W3 ~
-AX = 0912h (Get breakpoint infos)0 ~8 f' q% u# s$ [: A8 j% ]+ ~
-AX = 0913h (Set Sice breakpoints)
/ P- i6 X" { e. M9 p4 n& y" A. r1 L3 R-AX = 0914h (Remove SIce breakoints)# j! N' d: ~5 W; D( e8 y$ h
$ U! @; A& s" o" X
Each time you'll meet this trick, you'll see:
% A. z8 ]! b J! A% T+ \. z" i-SI = 4647h0 t8 C" ]' ~# y3 ]. Y
-DI = 4A4Dh
, X6 G( Y1 r0 p* ^2 G9 H/ `! b9 p# rWhich are the 'magic values' used by SoftIce.
( b" r. z! Z. B* v% nFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.' K2 }5 h* U% B2 F" F) b/ y* D" q4 i- v
, g7 Q/ D% q6 w0 t! d1 d" m
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. `4 x/ D+ S% t9 |. k2 k. x9 UEnvelope utility use to protect DOS applications:9 Z5 O, V) c, {! p: T: ^2 m3 I
) G& r0 z8 l( k. r4 E9 V1 Z
' d2 g7 t& j* ]. r8 |
4C19:0095 MOV AX,0911 ; execute command.
( h$ G$ s" X& |% M1 Y4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
& H" U! i' G* ^8 J5 D' D9 M4C19:009A MOV SI,4647 ; 1st magic value.
c6 H0 j: T# s% o4C19:009D MOV DI,4A4D ; 2nd magic value.
5 ~0 G4 w7 x e9 K4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)" q+ `. l v9 k5 i1 s
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute& ~% Q; V4 a" E! G I: K6 E# Y
4C19:00A4 INC CX
; Y/ e9 b+ `( x* w7 P3 }/ N- q/ W0 v4C19:00A5 CMP CX,06 ; Repeat 6 times to execute& X2 L4 f0 r; P! Q
4C19:00A8 JB 0095 ; 6 different commands.
9 W: P/ P( l8 O) z- {4C19:00AA JMP 0002 ; Bad_Guy jmp back.$ [) h" W! `6 A d
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
) d* t1 X5 X# r2 S* s* p
8 V) \0 y P+ G+ L& k' S$ G+ wThe program will execute 6 different SIce commands located at ds:dx, which$ O% h$ {: s" e5 r" l0 Z
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.# G+ ]; |9 [* ~5 C( N# P
; C$ u+ `$ ?6 S& j3 v& m% W* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded. u: `+ K9 |. u
___________________________________________________________________________
1 w& }6 d$ E' b
- W# { M0 X* {( c! M/ }6 J0 `3 u( a' S+ g, m+ B, X# ]$ d' y3 L
Method 031 Q; t4 S4 P1 Q; B1 o! g; N
=========- V6 e& H$ u) J# S5 b4 \
) E; o# q. L& H2 z& P" q4 {Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h! X# B* M) P* a3 j; C1 i4 l
(API Get entry point)
4 G" F" Q! C7 U6 m" B. t v' R 7 B9 \+ g4 C* F
' w9 {9 D# B o xor di,di' i* T8 O. c( \( M8 {
mov es,di! a2 n) T4 I/ k x4 \
mov ax, 1684h 3 V% J& i. V2 s$ Z3 t
mov bx, 0202h ; VxD ID of winice
# L8 |- {, n& ^3 D0 i int 2Fh
+ _* O8 j3 [* r, }% ^' _7 U mov ax, es ; ES:DI -> VxD API entry point
' p5 `$ |# ?6 Q add ax, di
M3 |, I) ]9 W# b5 H1 c test ax,ax
: ?% Z2 ]- |( P jnz SoftICE_Detected; x- K' A) L- q3 p, N
( F6 _$ N7 J' A6 Q___________________________________________________________________________3 V5 C: A! Q3 X7 O" t& q0 S
, w9 X0 g: G. A+ m, C' r2 @! EMethod 043 H: Z1 V) Z, t4 ]8 g. g8 Y
=========
* o9 u5 p$ _& T5 S6 h5 n$ b1 h5 f: v% T' K, y
Method identical to the preceding one except that it seeks the ID of SoftICE
- S2 f2 C: Q) e8 M2 z* ]+ yGFX VxD.
$ q/ T2 v9 ^* {1 L8 r! Y6 z$ {8 P- p7 x9 ?
xor di,di% B, t1 v' J7 f. p: {3 i
mov es,di
4 @/ A& }! m" i% W mov ax, 1684h . a1 ~) p" U g) q. p! w, S
mov bx, 7a5Fh ; VxD ID of SIWVID
! n7 n/ e. i) X3 f- [1 J# @+ A int 2fh$ u ]) B% M* S7 v& W/ W7 A8 U) y
mov ax, es ; ES:DI -> VxD API entry point
/ N/ J. E: c9 P% K, E add ax, di, r5 ^6 z( B9 o) J4 u* h
test ax,ax; l3 Z1 n0 X& c" p4 E
jnz SoftICE_Detected9 J( s* z' i1 ~& O2 b
( A1 w0 ]$ S9 U( z0 l/ n
__________________________________________________________________________# i; d0 R, R4 }' g9 Q9 U8 V
* K2 h( L1 L6 J+ Z0 G5 z: t! m @0 _* f B/ R2 J/ R
Method 05
[5 t m. ~4 X" Q4 \% |3 ~+ F$ ]=========
6 K6 }4 q) h4 ?2 j4 p$ v
- r. G, |4 A7 C$ q! L. P' KMethod seeking the 'magic number' 0F386h returned (in ax) by all system* T4 u. X' y9 ~9 H- F# ?% K( ?
debugger. It calls the int 41h, function 4Fh.
( ~/ h% P$ k( z- j( t3 ?: P* jThere are several alternatives. 6 ]2 J6 l0 P$ \ S- r
' c' t- } `) ^; {
The following one is the simplest:% c5 s3 d; U, f1 _
/ s3 @' ?$ ~ @- z! X" |
mov ax,4fh
+ h* r* m& s! @ int 41h9 Z0 ^: o6 T. Y/ v5 k
cmp ax, 0F3860 ^1 X, n; P: R
jz SoftICE_detected
4 z1 \' r# I0 k2 \5 r; s A( R
f9 o8 I. W; `5 h) t1 {+ Z
5 [: u7 P0 ^# Q0 V5 pNext method as well as the following one are 2 examples from Stone's % w, i7 b5 H2 b& B! F- \7 V
"stn-wid.zip" (www.cracking.net):
# w5 J0 V( j) Q
9 G l# i0 L! a mov bx, cs$ P ? ~/ g( e) h, j4 Y
lea dx, int41handler2 V z. d# h, K# R) p
xchg dx, es:[41h*4]
$ x/ O1 }% e0 ^# [9 S( u* S xchg bx, es:[41h*4+2]
) U- d. l/ @- D, Q2 Q mov ax,4fh- R; w2 {# p$ C$ g" H
int 41h4 m9 ~! z! p R
xchg dx, es:[41h*4]
4 V0 v3 ~. X" \! ~: {+ [# T- m xchg bx, es:[41h*4+2]
" @1 m# h7 T7 p4 y/ I' {( ]/ |6 D cmp ax, 0f386h
! s% V p8 J1 s jz SoftICE_detected
0 H0 z+ D- X- H7 `' Z+ r# n
# o# j+ |1 }: U/ j1 n4 q$ ]- j9 `int41handler2 PROC0 p# t$ N# A- s
iret0 _) ~( n' @4 A5 a1 D: D
int41handler2 ENDP
6 v$ Y% f8 L- U" i- K8 z! R6 d) e) w, @& B3 N6 v+ d% t! q
3 J% \+ r9 x7 ]! c_________________________________________________________________________
8 U* M' k" K, ~: L$ v( x& @6 E3 c" H& S* ^: C3 g6 T Y* P! |
B4 g/ E/ [& U' aMethod 06% E7 q# ]+ ^/ l7 d$ o0 }+ _
=========
, ]* ^& J; g j& s" @; M" ~) x9 z( Y
}+ O- p+ m$ s* C# z
2nd method similar to the preceding one but more difficult to detect:+ T+ i5 Y5 x! k) L( F" X- W' D' H0 R
5 r8 \6 L% q# m& F: J+ Y9 z; P" R- }! z0 t [5 [2 o" p& M
int41handler PROC
* c( H% A' G& L4 y$ U6 A mov cl,al
& O8 c1 `4 V4 q- F% U iret
: g \" U, L# oint41handler ENDP& I9 p" A8 I% F: e t
4 Y; a4 | p) I2 R0 g
. f& B! s6 g: A S# y* O: b0 Y
xor ax,ax
/ t( |0 g# {& v( f+ O mov es,ax3 e& y1 T- \3 ~* [0 H
mov bx, cs
# r5 t8 h8 G5 o) ^- f lea dx, int41handler
A2 ?3 n s. a0 T) b% _ xchg dx, es:[41h*4]! U1 W; p% m5 R6 B1 M; R
xchg bx, es:[41h*4+2]5 |# g" x. y$ C H' s2 {, Z
in al, 40h4 g a+ f" ~: [3 {6 X7 k6 a
xor cx,cx
- {. j* i4 S3 T( A int 41h4 a! C3 J- s/ Z% R2 |% E
xchg dx, es:[41h*4]8 U9 _ O; G/ g6 S4 p& t$ e w
xchg bx, es:[41h*4+2]
0 H, p2 g; V1 B- y( W: q cmp cl,al. `0 G7 d' ?6 b6 F
jnz SoftICE_detected5 n. U) v1 T! }: T/ U
7 W; i6 _& a: x, p, T# K
_________________________________________________________________________$ U% z% t& m; e* e
' l) U4 \( u0 B' j" z7 aMethod 07$ P% N; t4 y, n' x
=========
& j4 E) O/ [; i5 Q1 [8 B) I$ O$ P; a5 U$ v' c* T( ]% v
Method of detection of the WinICE handler in the int68h (V86)
+ P! l0 N( B7 d: j9 W
, O1 g3 O: G$ Z+ j mov ah,43h" j9 J' R7 \/ q, U: V" D8 h
int 68h
5 @" E4 N# P3 |' W! c cmp ax,0F386h" W' k9 |. ?9 c8 a2 n
jz SoftICE_Detected
8 a! `( B; N) C( r0 v+ r6 b' m
3 {* K% \) P% ~! H w2 q6 L# c) e
9 V$ |3 n% a; R=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' x0 k5 p' \* D% v# t
app like this:
6 L, S8 O; E5 _ S5 R% [
: X) x" F- _ S/ D0 O! T0 @ BPX exec_int if ax==68
. d6 c, r f. _8 [9 C& G (function called is located at byte ptr [ebp+1Dh] and client eip is0 @0 U0 t5 V" b# X7 a3 Z* _
located at [ebp+48h] for 32Bit apps)
$ _( \5 u3 t, ]' l+ t. g% x4 C__________________________________________________________________________
9 b+ S( p$ g' R0 W6 y' ~# U
- ]' {3 d+ C3 \/ S- `, q- L
+ ^5 D" D: W$ z( }( ?, m* T% J1 nMethod 08: \/ H5 W0 M. c6 F. n$ t. ?0 e" L( E
=========/ |2 h2 j$ L, R8 w" z; t
2 l$ f8 E4 ^ [+ e" P4 DIt is not a method of detection of SoftICE but a possibility to crash the v; k; F8 K0 y+ S8 f! G
system by intercepting int 01h and int 03h and redirecting them to another
2 O& Z3 S& W& G8 J f, Zroutine.
: l7 n8 G- @" o6 YIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ T0 Z) w) `+ j
to the new routine to execute (hangs computer...)& U, w) W0 l8 S: y0 u! e3 {
& e/ w# e R$ j: j9 n( c+ o
mov ah, 25h
4 U9 _0 S$ S5 u, k mov al, Int_Number (01h or 03h), X. c/ S5 G! h* U
mov dx, offset New_Int_Routine
4 L! W1 V% J) b7 u2 | int 21h' L) L0 {: W2 o: E' v6 c
. _8 u2 {7 F# V# x. R; s% m' C/ U
__________________________________________________________________________* w/ G4 Y1 K' Z e( x, ~$ v; @
% Y' t5 l2 J& Y5 T1 a1 o! k# m4 j
Method 09) }) ]7 U) k e2 |
=========
( z8 Q$ k( `5 O3 ]+ q/ S7 f( R( p% [
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- z; l. p+ N/ k2 I0 Nperformed in ring0 (VxD or a ring3 app using the VxdCall).' _1 {* K$ [) I+ m" I
The Get_DDB service is used to determine whether or not a VxD is installed8 r M# V z( b; v% P
for the specified device and returns a Device Description Block (in ecx) for5 W: w+ D6 Y$ q1 b* f
that device if it is installed.
5 V' k3 |" M, K. A- R6 }( R' h. m! _5 w, t* j1 y
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
, V {" c% Y5 d0 Z% b% k4 X: Z% W mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
6 e+ A2 n, _$ l5 z* t; n3 H VMMCall Get_DDB
6 c) r- |% Q% ~7 m) c; E mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed0 F8 Q+ k. U( w- c4 R4 K
7 E1 X0 ?. W7 W P6 z0 n; V5 x+ |Note as well that you can easily detect this method with SoftICE:
: E _- `& P3 d( ~ bpx Get_DDB if ax==0202 || ax==7a5fh
) B. f" H4 `/ X( E, i; q3 Y# l) }( z- f, p5 D- C
__________________________________________________________________________' Z+ R6 K" w, U
& E& r8 S7 t; p
Method 10" G( I7 j! L6 R; O; f
=========9 |* {! C( M* Q4 ]- Y9 `
) ~5 o5 }, K5 N4 a; S3 h9 E=>Disable or clear breakpoints before using this feature. DO NOT trace with
& M8 _4 a2 D7 w, ` SoftICE while the option is enable!!( }! x" P4 r8 I: B( d( c
" a9 Q9 V. S6 a+ }5 h, nThis trick is very efficient:$ A& B+ r4 J4 E3 L+ m* L* B: A- |, x# n/ d
by checking the Debug Registers, you can detect if SoftICE is loaded
. {' \" k. Z* Q; ]4 x/ s2 n(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
3 b1 V" U, |8 B8 |" ]9 gthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 J- z% ^7 E9 C/ p. H
value (in ring0 only). Values can be manipulated and or changed as well: }; a) d3 o3 D7 V# H1 q8 U
(clearing BPMs for instance)" n. T1 b% b- Q; U9 G3 _
% d' Z* i9 ~ o9 ^
__________________________________________________________________________
- N2 O- M0 K o. ?1 x$ r1 ?) ^
8 i! j6 |- U, G" g3 x: ^& q5 ~Method 11$ B' K7 J: P/ W
=========
2 A. {5 i4 F& n. O/ ]8 _( X; }" v T& N; E- V1 `9 Z
This method is most known as 'MeltICE' because it has been freely distributed
, a8 @" _5 m" L* S3 R8 e- z) Yvia www.winfiles.com. However it was first used by NuMega people to allow
6 F+ ?+ A/ T+ J' ^4 F7 d* G$ RSymbol Loader to check if SoftICE was active or not (the code is located
/ L' h) N* M, Y, [" s( Hinside nmtrans.dll).& M0 d0 V K$ z5 w% B$ b, o, q2 E
' v) u3 v5 J( z
The way it works is very simple:) t+ ]; B: V3 b
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
: j, Z6 A$ I$ i9 F3 s, i( {7 YWinNT) with the CreateFileA API.
5 s: O* V1 `# }4 a7 X4 P p1 T K @5 \# T% C e
Here is a sample (checking for 'SICE'):' s: ~) }( g- D; J& ^
" y" {) W" ^0 D4 X; } ]
BOOL IsSoftIce95Loaded()
3 m' e; g3 e$ o" C5 D{$ u! N, }7 B; m! D B2 j
HANDLE hFile; " G% y0 d; Y. z/ R$ I
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
! A8 C+ N0 d' I. z5 ~& R FILE_SHARE_READ | FILE_SHARE_WRITE,/ ]; I0 u# T0 J/ r( ?4 _
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ @1 L3 v* m& i5 x% k
if( hFile != INVALID_HANDLE_VALUE )2 x' q0 J! V/ T$ q
{
a, d, h7 m% d, y CloseHandle(hFile);
! R |; R1 [3 f' l return TRUE;) W/ I. s& i" X; F! W* d; A. Y' s
}3 N) z0 S4 ?! I5 d* D' ~
return FALSE;7 b- R' j, M E- Z# n5 {) j
}
& |# g4 ?1 d' R/ e. u) o( {8 L/ ~! k5 ?; l
Although this trick calls the CreateFileA function, don't even expect to be7 T0 ?7 _- c/ \& T/ K! l9 ~
able to intercept it by installing a IFS hook: it will not work, no way!* k/ ^& | ~" J& m+ N) b9 J
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
# x ] I; W5 v7 c; yservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! I( |1 E( ^( a. d5 t$ Eand then browse the DDB list until it find the VxD and its DDB_Control_Proc8 i' i" C! }2 y4 p+ J! P
field.
7 c U4 r1 C& D8 m) NIn fact, its purpose is not to load/unload VxDs but only to send a
( `3 o/ ^$ U& RW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; {6 R: w4 E3 Sto the VxD Control_Dispatch proc (how the hell a shareware soft could try: t j0 g( b# p4 \, E9 }" f
to load/unload a non-dynamically loadable driver such as SoftICE ;-)./ m; s Y4 a' Y8 L. |
If the VxD is loaded, it will always clear eax and the Carry flag to allow
; ]! |: @/ `/ `& Z4 Oits handle to be opened and then, will be detected.# z Z% \. K T! h+ A! f' O
You can check that simply by hooking Winice.exe control proc entry point3 l2 u" P! p$ Z( \0 u7 Z6 p
while running MeltICE.
, m" J, v: D1 w( a6 n/ U3 O( V4 N$ c' Q
+ b+ `( t+ _9 p9 j* f* }4 s( J5 N* j
00401067: push 00402025 ; \\.\SICE5 t; f5 X& N+ E, k9 d( o& Z
0040106C: call CreateFileA9 P# k- ^8 n8 r6 g! K
00401071: cmp eax,-0011 g- K5 C% g% D
00401074: je 004010918 w4 y0 G" O: l+ P7 @6 r5 Q
% H! T! R: L0 t1 h
' l* [+ l6 N3 F/ ~There could be hundreds of BPX you could use to detect this trick.4 b4 ?* N# B0 g1 g- z
-The most classical one is:* e$ W5 Y7 O% s5 D+ x! j) F4 P$ B
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||# G5 }0 K T4 e3 a- C
*(esp->4+4)=='NTIC'! s: \, ~* O2 G4 _6 Z3 {
6 y6 D( ~7 @0 G: d* O; S& T
-The most exotic ones (could be very slooooow :-(6 c* Z4 P5 u1 ^. J# T
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 9 \; M7 Q0 |$ @! E
;will break 3 times :-(- G: q+ i+ a& A$ ^) I. q
; L \" B4 ]% S8 @
-or (a bit) faster:
$ s. o3 m) n4 |/ g' M3 c6 | BPINT 30 if (*edi=='SICE' || *edi=='SIWV')( |; L. |* p2 r' x7 y* b% a3 M
5 m- W7 T$ a( Z) n0 k
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 1 n- i( `1 l+ Q( Y* g% s! v4 \
;will break 3 times :-(7 A2 V* o# f( Z
& z, _% o$ [( B: ]9 J-Much faster:6 A% P2 x6 F% K6 B$ _; \0 m! \
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
& f7 _" q3 Q4 e$ Z4 g- ~5 g5 C& P9 _$ E% d
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
* m( V: ]- ~: v. h# f# \) ]8 Xfunction to do the same job:/ I9 n. o' s' R( s% g- R9 [
9 i% Z& x, P$ h push 00 ; OF_READ
+ Q2 h* _6 C \8 q mov eax,[00656634] ; '\\.\SICE',0) X$ m$ x% R4 E$ L
push eax% h: k+ _% C6 ~6 k5 q" N/ z
call KERNEL32!_lopen) W4 s- T9 Q3 k3 ]
inc eax4 L: m) x' p/ X
jnz 00650589 ; detected; H6 M7 }9 E( B5 W
push 00 ; OF_READ& ~ j- Y; ~' R" |+ q
mov eax,[00656638] ; '\\.\SICE'" \" ^& v' l" R
push eax. \2 @/ V' ^+ P K* t' r! X
call KERNEL32!_lopen
) _5 y5 N) e; @; `( R inc eax q* _4 f6 V- ?, T
jz 006505ae ; not detected! k4 K$ M, r1 x t3 v. B, ^0 o2 C8 ^7 i
0 p5 v6 v" S8 f& {( H% I- I1 U' L0 p5 q
+ P. k! N' T) S: j- f__________________________________________________________________________- t' o* S: u8 j1 B8 W
; o) ^0 r+ K& B$ J& `8 y; K' sMethod 12& K# s7 G1 A& e- c
=========
% e4 }5 r) Z T' q# G5 |/ w7 W7 W f! E" _: `0 N! l# P9 m, L
This trick is similar to int41h/4fh Debugger installation check (code 05
2 ?( S6 q" `0 Z1 i k5 a1 \& 06) but very limited because it's only available for Win95/98 (not NT), z! W1 }( R, y
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% t [ E x! `' p. f' Y2 p4 ^' M* f; ~& J2 O- X! ?
push 0000004fh ; function 4fh
$ }8 G3 Q2 b. K7 B+ u0 r; y# d push 002a002ah ; high word specifies which VxD (VWIN32)
) e, Y0 h. S/ h ; low word specifies which service# k2 k7 ^, ?4 T; M
(VWIN32_Int41Dispatch)
9 ^& Z) Z& [* g0 ] B" j call Kernel32!ORD_001 ; VxdCall' ?! I5 L& |0 t3 g
cmp ax, 0f386h ; magic number returned by system debuggers( g0 @! c/ {+ U1 o
jz SoftICE_detected
) }1 p( R! O9 c
, h0 ~# E2 j* r/ l: {: oHere again, several ways to detect it:
9 @8 L4 ?2 g, u: T1 g
5 E& m4 ^: r6 p1 K2 P BPINT 41 if ax==4f! C1 p+ j w2 ] G% ?
. a# ?. S/ k0 ?' k0 @. p
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
, _$ y% ^/ p8 x8 @& i, f- E0 O$ U7 ^
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A6 H) s+ m$ H- |; F% s8 G" ~
& ^% Y2 }! D; l" i. b
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!( F/ i* \. o& d5 U7 f P5 U/ j) U
2 ~) k/ P/ S! P; F- O& q8 F__________________________________________________________________________1 y% r; ~% o7 T9 L' a
, z( m- O1 U2 M. G3 O$ ~
Method 13
' R& b' W$ F7 p=========
* P z8 A! V! X$ n. z6 ~, j3 b0 q& Q7 d8 Z5 f, r
Not a real method of detection, but a good way to know if SoftICE is
7 l" l* ^6 |0 h0 j& finstalled on a computer and to locate its installation directory.5 S0 e7 W: r/ e; {4 ]
It is used by few softs which access the following registry keys (usually #2) :. G! i5 P" \) V o0 v
2 L4 P' F9 ^- D0 M- a/ d% q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' e+ S* h5 {& V\Uninstall\SoftICE9 h% l5 U6 b/ \! e8 i, O
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE) p3 C: V7 h: R: M* F8 {; u
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 X. b% H' p5 y. W. {
\App Paths\Loader32.Exe
" F* J! [1 u1 T! U/ s4 p) W) o9 ^# m1 x% i2 ~6 F# o5 z
5 M. }' {/ z0 p8 T" j
Note that some nasty apps could then erase all files from SoftICE directory
) k8 _/ H' J# R2 k(I faced that once :-(, K* {. |" x' j
" }6 A8 d/ N' [7 Q5 q1 D
Useful breakpoint to detect it:' V1 e. c4 T/ {! a3 Z& D8 ]
9 T) ~+ p2 y: ]7 f) S BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
6 ]7 Q, y1 K, Q& p2 O: \/ }; _* o+ X) c e! N' j' b3 Z
__________________________________________________________________________6 {" L0 i% A' i# b6 v$ l
+ C' N& N6 S7 x! c$ B5 G3 G
: Y% f- i5 p# P, XMethod 14 5 O. @, R4 W8 c) ]
=========
3 `, l$ L9 m0 I
! p9 p- P$ A* u3 jA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% S$ s4 S8 [- vis to determines whether a debugger is running on your system (ring0 only)./ B3 R* y' C1 f; g* }& A
1 M6 { _. m4 ~! i3 L( a VMMCall Test_Debug_Installed( z5 G0 M! K2 e, p1 [( c
je not_installed* _, S5 a: P5 B' L( T
4 x$ M, j) q& ?This service just checks a flag.
3 b" T( R. p( J( k</PRE></TD></TR></TBODY></TABLE> |