<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is present,
it services the int 3 itself and changes al, so the compare fails and the
jnz branch is taken.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode vector of int 41h is
temporarily replaced by a dummy handler, so a plain DOS system returns
ax unchanged while SoftICE, which traps int 41h before the vector is
reached, still answers 0F386h:

    ; es must point to segment 0 (the interrupt vector table), see method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: al holds
a value read from the timer port and the dummy handler copies it into cl, so
if the call is intercepted before the handler runs, cl and al differ.

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    /* Returns TRUE when the SICE device can be opened, i.e. the driver is loaded. */
    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025   ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

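As an added example (not part of the original text, and not code from any of
the programs mentioned here), the following Python script scans a file for the
byte sequences and strings that methods 01 to 07, 11, 12 and 13 leave behind in
a binary, so a packer or protector carrying these tricks can be flagged before
it is ever run under a debugger. The instruction patterns are the 16-bit
encodings of the code shown above (a 32-bit build adds a 0x66 operand-size
prefix in front of the same bytes, which the patterns tolerate); the sample
buffer at the bottom is constructed for the demonstration, and the function
names scan and methods_found are my own.

```python
"""Static scan of a binary for the SoftICE-detection tricks listed above.

Added example, not part of the original text: it looks for the raw x86
encodings and strings the tricks leave in a file, so an analyst can flag a
packer or protector that carries them before running it under a debugger.
"""
import re
import sys

# Strings the tricks pass to CreateFile/_lopen (method 11) and RegOpenKey
# (method 13); matched both as ASCII and as UTF-16LE.
NAME_INDICATORS = [
    ("11", b"\\\\.\\SICE"),
    ("11", b"\\\\.\\SIWVID"),
    ("11", b"\\\\.\\NTICE"),
    ("13", b"NuMega\\SoftICE"),
]


def _wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII string, as a Unicode build would store it."""
    return s.decode("ascii").encode("utf-16-le")


# (method, description, bytes regex). Instruction patterns use the 16-bit
# encodings shown in the text; 32-bit code emits the same bytes after a 0x66
# operand-size prefix, so the patterns match both forms.
INDICATORS = [
    ("01", "mov ebp,4243484Bh ('BCHK') ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02", "mov si,4647h ... mov di,4A4Dh (int 3 back door magic values)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("03/04", "mov bx,0202h|7A5Fh ... int 2Fh (VxD ID query)",
     rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3D\x86\xF3"),
    ("12", "push 4Fh / push 2A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
] + [
    (method, "string " + name.decode("ascii"),
     b"|".join(re.escape(v) for v in (name, _wide(name))))
    for method, name in NAME_INDICATORS
]

# DOTALL so the wildcard gaps also match a 0x0A byte.
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in INDICATORS]


def scan(data: bytes):
    """Return sorted (offset, method, description) tuples for every hit."""
    hits = []
    for method, desc, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes):
    """Set of method numbers (as in the text) whose indicators are present."""
    return {method for _, method, _ in scan(data)}


# Constructed sample: padding, then method 01 as a 16-bit build encodes it,
# the Haspinst-style method 02 sequence, a device name string and the
# Bleem-style method 12 VxDCall sequence followed by cmp ax,0F386h.
SAMPLE = (
    b"\x55\x8B\xEC\x90\x90"
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"            # method 01
    + b"\x3C\x04\x75\x10"                                    # cmp al,4 / jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # method 02
    + b"\x00" * 6
    + b"\\\\.\\SICE\x00"                                      # method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"    # method 12
    + b"\x66\x3D\x86\xF3"                                    # cmp ax,0F386h
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(data):
        print("%08X  method %-8s %s" % (off, method, desc))
```

Run it with a file path to scan a real sample; with no argument it scans the
built-in buffer. The cmp ax,0F386h pattern is only three bytes long and will
occasionally fire on unrelated data, so treat it as supporting evidence next to
one of the longer sequences rather than as a finding on its own.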
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>